ON APPEAL FROM ISLEWORTH CROWN COURT
Royal Courts of Justice
Strand, London, WC2A 2LL
Before :
LORD JUSTICE RICHARDS
MR JUSTICE SIMON
and
MR JUSTICE WILKIE
Between :
Regina (Respondent)
- and -
Paul Matthew Stubbs (Appellant)
(Transcript of the Handed Down Judgment of
WordWave International Ltd
A Merrill Communications Company
190 Fleet Street, London EC4A 2AG
Tel No: 020 7421 4040 Fax No: 020 7831 8838
Official Shorthand Writers to the Court)
Ian Winter and Selva Ramasamy (instructed by Cartwright King) for the Appellant
Robert Rhodes QC and Ben Compton (instructed by the Crown Prosecution Service) for the Respondent
Judgment
Lord Justice Richards :
On 27 July 2006 we dismissed the appellant’s appeal against conviction, stating that we would give our reasons in writing at a later date. These are the reasons for our decision.
The appellant’s conviction was for an offence of conspiracy to defraud. The conviction took place on 25 July 2005 after a trial before His Honour Judge Lowen and a jury at Isleworth Crown Court. A sentence of 5 years’ imprisonment was subsequently imposed. A co-accused by the name of Charanjit Purba was acquitted on the judge’s direction and was discharged.
Overview
The Crown’s case was that the appellant had been involved in fraudulent money transfers from the HSBC Bank totalling about £11.8 million. The ultimate beneficiary was a Spanish registered company which traded as Vasat Importacion SL. The fraudulent transactions were carried out using an online banking system called ‘Hexagon’ which had been set up by HSBC for corporate clients.
Bank accounts of five HSBC corporate clients were targeted between 23 July and 27 July 2002. Four of the attacks failed but the fifth, against the account of AT&T Wireless, was successful. On 25 July three money transfers, each of about £1.9 million, were made from the AT&T account to an account held with Barclays Bank in Leicester in the name of Advanced New Technologies Corporation Ltd. That money was then converted into euros before being transferred to a Vasat account in Madrid. On 26 July a further transfer of about £6.1 million was made from the AT&T account to Vasat directly. None of the money removed from the AT&T account was recovered.
Upon investigation it became clear that someone had altered the secure password for AT&T and that the new password had then been used to gain access to AT&T’s account and to carry out the fraudulent transfers. The Crown alleged that the appellant, in his role as password reset clerk at HSBC, had altered the password and that, by the use of the new password provided by him, a third party had accessed the AT&T account and transferred the money.
The Hexagon system
Evidence concerning the operation of the Hexagon system was given in part through admissions and in part by the testimony of Mr Richard Roddy, an employee of HSBC. Objection was taken at the trial to the admissibility of important parts of Mr Roddy’s evidence. We will come back to the nature of that objection, which forms the central issue in this appeal.
The system was designed to give customers remote access to their accounts either by way of a read-only inquiry or so as to effect transfers to other bank accounts. An ‘installation key’ (in effect, a password) determined which of those functions were available. In order to use the system following installation a customer required, in addition to the installation key, three codes: (i) a customer delegate identification, which was a word of up to four characters; (ii) a customer delegate password, which was a six digit number; and (iii) a session password, which was a number that changed each time the user successfully logged on to the system: the user had to note the next session password before logging out of the system. The term ‘delegate’ referred to an authorised user of the system.
Hexagon staff consisted primarily of customer service representatives (CSRs), who took telephone calls from customers, answered general questions concerning accounts and offered advice on the use of the system. Technical issues were referred to a technical team. Each CSR had his own computer terminal and telephone, with his own user identification and password. In addition, to log on to what was called the ‘staff Hexagon application’ so as to make changes to the customer’s details, a CSR required a separate staff delegate identification and staff password. Every time a user logged on, a new session number was allocated by the system. Records of all activity were held on a central database.
There was, in addition, a small password reset team consisting of two clerks, of whom the appellant was one. The team had responsibility for resetting customer passwords through the staff Hexagon application, having specific rights of access for that purpose to the relevant password reset screens. A reset might happen, for example, where a customer had lost or forgotten his password.
The team was permitted to reset a customer’s password only after receiving and verifying a signed written request from one of the customer’s authorised signatories. When verification checks had been completed by the clerk, he would enter the customer’s account (using his staff delegate identification, staff password and staff session password) and make the necessary changes so that a new customer password could be issued. The changes were only effective, however, once they had been authorised by the team leader or deputy team leader, to whom a password reset coversheet would be submitted for that purpose. Once the changes were effective, the customer would be notified of the new password and the new session password.
The fraud
The Crown’s case against the appellant related to a number of actions that were carried out while he was on duty as a password reset clerk just after 17.00 hours on 24 July 2002.
Between 16.50.33 and 17.00.13, the system was accessed under the staff delegate identification PWRD and six legitimate password resets were carried out. It was not in dispute that PWRD was the appellant’s delegate identification or that he had carried out those resets. He had initialled the password reset sheets ‘PS’.
From 17.00.54 attempts were made, again under the delegate identification PWRD, to reset the passwords of five corporate clients. The companies all began with the letter ‘A’ and included AT&T. The attempts involved a number of errors and were unsuccessful in relation to three of the companies, but the customer delegate passwords for AT&T and Alsthom Power were successfully reset. The activity in relation to Alsthom Power, which was the last of these five attempts, was timed at 17.07.21. The relevant activity ceased no later than 17.07.53.
Between 17.08.03 and 17.10.07 further activity was carried out under the delegate identification PWRD, consisting of one password reset (for Bay Bournemouth Hotels) and one check following on from a customer query about a password. The Crown accepted that this was legitimate activity and the appellant accepted that it was carried out by him.
The Crown’s case was that the activity carried out between 17.00.54 and 17.07.53 under the delegate identification PWRD, in common with the activity either side of that seven minute period under the same identification, was all carried out by the appellant.
At 17.20.25 the delegate identification PWRD signed out of the system.
The appellant signed the attendance record as finishing work for the day at 17.20 and apparently left the building.
At 17.27, however, the bank’s ‘NEDAP’ electronic security system recorded him as re-entering the building. (This system only recorded entry to the building and not exits from it.)
At 17.28.25 a person using the staff delegate identification TIFI logged on to the system and authorised the last three password resets made by PWRD, comprising the AT&T reset and the two last resets which were accepted by the Crown as legitimate. TIFI then logged out at 17.29.35.
The TIFI identification was that of Timothy Fisher, the deputy team leader of the Operational Department. On 24 July 2002 he was deputising for the operations team leader and had authority to authorise passwords although he did not routinely do so. He gave evidence that at the end of the working day the appellant asked him to authorise some amendments to customer passwords. The appellant did not have any paperwork in support of the amendment requests but confirmed that the amendments had been carried out using the staff Hexagon application. The appellant asked him to authorise the last three password changes that appeared on the authorising screen. Mr Fisher recalled that two of the customers were AT&T and Bay Bournemouth. He logged onto the system and authorised the changes.
On the subject of authorisations there was also evidence that Cheryl Moncur, the duty team leader, had done some password reset authorisations for the appellant just before 17.00 hours. He then asked for help to be arranged for call-backs to customers in respect of the new passwords. She referred him to Dina Mistry, a CSR, who collected a number of his reset sheets and took them back to her desk. Ms Mistry noticed that a number of signature checks had not been done and therefore returned the sheets to the appellant, informing him that she was not prepared to carry out the call-backs without signature checks. He did not appear to be very pleased. It took about 15 to 20 minutes from the time she first collected the sheets to the time she returned them. The evidence of Ms Moncur and Ms Mistry was also relevant to the presence of the appellant around the area of his workstation during this period, though it did not exclude the possibility of a short absence from his workstation.
There was evidence that at about 18.20 on the same day someone telephoned HSBC to ask for the installation key which would enable a user to obtain remote access to the Hexagon system. The call was answered, however, by a cleaner.
On the following two days, 25 and 26 July, AT&T’s account was accessed on a number of occasions using the new password that had been set the previous afternoon, and the various transfers to which we have referred were made. Although Alsthom’s account was also accessed on one occasion, a further attempt to access it was unsuccessful. It is unnecessary to recite the details of the activity relating to the two accounts. The Crown accepted that none of the activity occurred within HSBC itself or was connected to the appellant, but contended that the activity could not have occurred had the appellant not made it possible by changing the passwords. To enable remote access to the Hexagon system, someone must have provided the fraudster with the installation key; but again it was accepted by the Crown that this person could not have been the appellant.
It was alleged that the appellant’s co-accused Mr Purba, who worked for AT&T, had been a party to the conspiracy by assisting the fraudsters to prevent the transfers from coming to light within AT&T. As stated, Mr Purba was acquitted upon the direction of the trial judge. There was no evidence that the appellant had ever met or had any links with Mr Purba, or that the appellant had any connection with any of the money that was obtained or with any of the persons who may have received it or with any other person who may have been involved in the fraud, or that he had received any benefit from the fraud.
The case against him depended on proof that he had altered the password for AT&T, from which it could be inferred that he had done so in furtherance of a conspiracy to defraud.
Internal investigations
By 30 July 2002 senior staff had been informed that AT&T had exceeded its overdraft limit as a result of money being paid out without its knowledge or consent, and an internal investigation was begun, headed by Mr Roddy. It became clear that four companies in addition to AT&T had been targeted although no money had left their accounts, and that unauthorised amendments had been made to customer passwords.
On 31 July 2002 the appellant attended a routine internal interview with Mrs King, the frontline service manager. He said that he could not recall resetting the AT&T password on 24 July 2002 and that he always left at 17.00. When shown the evidence from the electronic security system that he had returned at 17.27, he said that he had returned to collect his umbrella or something from his drawer. He was clear that neither Mr Fisher nor Ushi Praji, another member of operations, had authorised password changes for him.
On 5 August 2002 there was a further interview with Mrs King, this time in the presence of Mr Bolwell from the internal investigations department. On this occasion the appellant said that he could recall resetting the AT&T password and seeing a faxed instruction signed by one of the AT&T signatories. He confirmed that he always locked his workstation when leaving it unattended, although he occasionally allowed other members of staff to use it. He reiterated that he had returned to collect his umbrella at 17.27 and that it had been raining. When shown a still photograph from a CCTV camera outside an office a few minutes away which revealed that it was bright and sunny at the relevant time, he said that it could have been raining when he came to work the next day. He was suspended from duty on full pay.
At a third internal interview on 13 August 2002 the applicant was questioned by Mr Bolwell and another. He said that he had given a number of faxed instructions to Ms Moncur for authorisation. He denied talking to Mr Fisher on 24 July 2002. He did not like Mr Fisher and had only spoken to him on two or three occasions. He then accepted that he may have dealt with Mr Fisher, but said he must have had faxed instructions and that Mr Fisher was lying if he said otherwise.
Mrs King also interviewed Mr Fisher on two occasions on 5 August 2002. On the first occasion she noted that he recalled that two other employees had asked him to reset passwords but he could not recall authorising the resetting of the AT&T password at 17.29 on 24 July 2002. He named a number of employees who were in the vicinity at the relevant time. He said that resets could be explained by his having left his computer terminal unattended or allowing someone else to use it. In his second interview he said he now recalled the appellant giving him a number of passwords to authorise and he thought they included AT&T. He thought he had initialled the header to confirm authorisation. His explanation for his failure to mention all this in the first interview was that he had been on holiday and was interviewed on return with no advance indication of the subject matter. Since then he had thought of nothing else all day.
Arrest and police interviews
Police arrested the appellant at his home on 15 August 2002. In his initial police interview he accepted that it was probably he, using the identification PWRD, who had changed the password of AT&T, but said that he had done this on the strength of supporting documentation. Initially he said that Ms Moncur had carried out the authorisations, but he then accepted that it might have been Mr Fisher.
In a second interview on 10 March 2003 he said that someone else must have been using his delegate identification. He reiterated that he had returned to the building on 24 July to collect his umbrella. He was unsure whether he had asked Mr Fisher to make the reset changes, but said that if he did it must have been when he re-started work at 17.27.
The trial
At trial, objection was taken to the admissibility of important parts of Mr Roddy’s evidence on the basis that he lacked the expertise and independence to give the requisite expert opinion on the matters in question. Following a voir dire the judge ruled Mr Roddy’s evidence to be admissible and declined to exclude it under s.78 of the Police and Criminal Evidence Act 1984 or article 6 of the European Convention on Human Rights. That ruling is the subject of the first ground of appeal and is considered below.
Following the judge’s ruling, Mr Roddy gave evidence before the jury, covering inter alia the activity summarised above.
In relation to the operation of the Hexagon system, the Crown also adduced unchallenged evidence from Mr Alan Danbury, a computer expert who had been responsible for introducing the system into the United Kingdom in the early 1990s and who had managed the support team until his retirement in 2004. His evidence was that once a user was logged onto the system, the session remained live until that user logged off. Communication between the workstation and the mainframe was encrypted and the encryption code changed with each session. In addition, the session password changed after each log-off and the subsequent session password was known only to the delegate in question. The session data was a random number and could not be predicted; and to his knowledge the encryption code had never been broken in the 20 plus years it had been used. Targeting and hijacking a specific live staff session would in practical terms be impossible, because there were too many variables which could not be predicted and would need to be perfectly duplicated.
Other evidence for the Crown included that of Mr Fisher, Ms Moncur and Ms Martyn, together with the contents of the various interviews of the appellant. Reliance was placed on admissions made and lies allegedly told in those interviews.
It is also relevant to note that among a long list of formal admissions was a series of admissions relating to a previous fraud involving misuse of the Hexagon system. In early 2002 Mr Gurpreet Kareer, who worked as a CSR at the Hexagon call centre in Leicester, changed the passwords for four corporate clients of HSBC without the knowledge of the bank or the customers. He made those password changes on colleagues’ computers when they were left unattended, and the changes were left ‘pending authorisation’. An untraceable mobile telephone was then used to increase transaction limits and upload payments from those accounts. The total targeted was just under £5 million, though the sum actually obtained was only £64,000. In relation to those matters, Mr Kareer was suspended from his job in February 2002, pleaded guilty in January 2004 to conspiracy to defraud, and was later sentenced. He was at liberty between the date of his suspension and the date of his sentence. Moreover during that period, in August 2002, Mr Kareer requested another CSR with whom he had become friendly, Mr Ashish Patel, to provide him with the installation key and other information about the Hexagon system. Mr Patel, however, reported those matters to the police. There was no evidence of any connection between the appellant and either Mr Kareer or Mr Patel.
At the close of the prosecution case there was a defence submission that the evidence was such that it would not be safe for the matter to be left to the jury. The judge rejected that submission. That ruling is also the subject of a ground of appeal.
The appellant is a young man (now aged 25) of previous good character. He did not give evidence at the trial; and the judge gave a direction to the jury, about which no complaint is made, that it would be open to them to draw an adverse inference from his failure to give evidence. It is relevant to note, however, that there was some evidence that the appellant was of low intellect and vulnerable. There were concerns within HSBC that he might be dyslexic, and he had failed internal accreditation tests for employment as a CSR. Rather than dismiss him after he failed re-takes of the tests, the bank employed him in the lesser position of password reset clerk, a position for which he had asked to be considered.
The grounds of appeal
There are four grounds of appeal, which may be summarised as follows:
(i) the judge erred in holding that the evidence of Mr Roddy concerning the activity carried out on the Hexagon system was admissible as expert evidence;
(ii) the judge wrongly failed to withdraw the case from the jury at the close of the prosecution case;
(iii) the judge erred in his directions to the jury in relation to the evidence of Mr Roddy, in that he wrongly passed the decision as to the admissibility of Mr Roddy as an expert witness from himself to the jury; and
(iv) there is a real and lurking doubt as to the safety of the conviction.
The admissibility of Mr Roddy’s evidence
The objection taken at trial to the admissibility of Mr Roddy’s evidence related to only a part, though a vital part, of that evidence. It was accepted that he could give evidence about the set-up within HSBC and the manner in which the Hexagon system was designed to operate. It was contended, however, that his detailed account of the actual activity within the system at the material times (the input and resetting of passwords, etc.) amounted to inadmissible opinion evidence. The topic required expert evidence and Mr Roddy lacked the necessary expertise: he had neither qualifications nor experience in relation to the technical aspects of the functioning of computers. It was further submitted that Mr Roddy lacked the necessary independence to be an expert witness, in particular because of the commercially catastrophic effect of one of HSBC’s employees conceding on oath that the system suffered weaknesses or was open to attack in various ways. It was argued that the court should not allow the opinion evidence of such a person in respect of the operation and reliability of a computer system that he was in effect paid to defend.
The objection advanced had further detailed facets to it, extending for example to what Mr Roddy said about the proper functioning of the computer system and of the NEDAP security system at the material times. In the light of the way in which the case was presented on appeal, however, we think it sufficient to concentrate on the central points to which we have already referred. In any event we are satisfied that any additional matters could not assist the appellant if he did not succeed on the central points.
The evidence about Mr Roddy’s qualifications and experience was as follows. He had completed an A level and a City & Guilds qualification in computing and had then gone to Stafford University to study computer science. After two years, he went to work for HSBC and did not complete his degree. By the time of the trial he had been at HSBC for seven years, involved in the technical support for various e-banking products, starting with Hexagon and then managing and training the technical support teams. In particular, he had been a member of the technical team trained on the Hexagon system. He had become manager of the technical support team and then the helpdesk manager dealing with customer account issues. He had overall responsibility for both the technical staff and customer service representatives for the HSBC e-banking system. Although the evidence given on the voir dire was not in precisely the same terms as that subsequently given before the jury, the nature and limitations of Mr Roddy’s relevant knowledge were summarised in this way in the judge’s summing up (tr.12A-B):
“… he conceded that he is not an IT specialist in any wider sense. He is not a programmer or a computer designer. And while technical problems would be solved by others, this is what he said really about his expertise, he said: ‘I’m good on how the system worked in practice’.”
The judge also heard on the voir dire from an acknowledged computer expert called by the defence, Mr Michael Turner, who said inter alia that he was unable to provide a report because of a lack of information: the appellant’s workstation had not been retained or imaged; there was no computer running the 2002 version of the Hexagon system which could be analysed; he had been provided with no information as to how the HSBC computers operated or produced the audit logs relied on by Mr Roddy; and he did not have the underlying data from which he could safely reach any conclusion.
In his ruling the judge pointed to the existence of a presumption as to the integrity of the computer system, in the absence of any evidence to raise the issue of reliability. He said that Mr Turner had assisted the court in appreciating what areas of evidence could not be addressed by Mr Roddy. He said that the test he was applying was that in R v Bonython [1984] SASR 45. On the first basis of objection, Mr Roddy’s expertise, he stated:
“I am satisfied that the operation of the Hexagon computer system is appropriate for expert testimony and could not be understood without it. And having heard Mr Roddy cross-examined on the voir dire, I am also satisfied that Richard Roddy has clearly demonstrated sufficient knowledge of the subject to render his opinion of value in resolving issues of fact which a jury in this case would have to decide.
Whether a jury in the light of questioning of Mr Roddy would feel able to accept any opinion he may express will, of course, be a matter for the jury ….”
As to the objection relating to independence, the judge ruled that that was a matter going to weight and that the jury would be well able to discern the presence or lack of the qualities of impartiality, objectivity and integrity to which the defence had referred.
In challenging the judge’s ruling, Mr Winter took us to the activity reports in relation to which Mr Roddy expressed the opinions to which objection is primarily taken. The judge heard evidence on the voir dire to the effect that the activity reports presented in a readable format the data that had been taken from the central computer in electronic form by the IT support teams. Mr Winter accepted before us that he could not have argued that the material was not a proper representation of the primary data, even though there were some points on continuity. His criticisms were directed not to the activity reports themselves but to the evidence that Mr Roddy gave in relation to them.
Of particular importance was Mr Roddy’s evidence that the activity reports all related to the same session, which had the reference number ‘CC000051’ and had been registered to the staff delegate identification PWRD on the morning of 24 July 2002. A session number would be allocated upon a user’s log-on at a particular terminal. If all the transactions took place within one continuous session and there were legitimate transactions admittedly carried out by the appellant during that session just before and just after the illegitimate transactions, the prosecution could argue with force that the illegitimate transactions must have been carried out from the same terminal; and this also provided strong support for the argument that they must have been carried out by the appellant.
Mr Winter submitted that Mr Roddy did not have the expertise to give such evidence that the activity reports all related to a single session. The fact that they had the same number did not mean that it was a single session. There was evidence from the admitted expert, Mr Danbury, that concurrent log-ons (so as to target and hijack a live session) were not possible; but that left open the possibility of non-concurrent log-ons to the system under the same session number. This was something that Mr Roddy had not investigated and did not have the technical qualifications to investigate or to answer questions about.
Among the various points made by Mr Winter were these:
The activity reports themselves do not show when log-ons and log-offs occurred. For example, they do not show the undoubted log-off by the appellant at about 17.20. This leaves open the possibility that he had previously logged off at about 17.00, just before the illegitimate activity.
There was no evidence about the appellant’s log-on in the morning. Further, although Mr Roddy said that the computer timed out if the session was idle for a period, the evidence was not clear as to how long it needed before a timed log-off occurred. One would have expected a timed log-off when the appellant left at lunchtime, but there was nothing to show whether there had been a log-off followed by a fresh log-on by the appellant after lunch. In short, there was simply no evidence about when or how the appellant’s CC000051 session was created.
Mr Roddy gave evidence that, once a session ended, the next session would not be given the same number again: the number reverted to a pool of numbers available to be allocated by the computer to new sessions. He said in cross-examination that there was a 1 in 100,000 chance of it being reallocated to a different session on the same day. Yet there was evidence of three instances the previous day in which session numbers had been reallocated to other sessions after discontinuance of the session to which they were originally allocated. Mr Roddy was unable to say how this could have happened.
There were other pointers to the illegitimate activity having been carried out by someone other than the appellant. The illegitimate activity involved a random attack on five companies beginning with the letter ‘A’, whereas the appellant would have known or could have discovered the primary delegate identification for all the companies and would not have needed to do things in this way. Moreover, on two occasions in the course of the illegitimate activity the user deployed a shortcut that was never used by the appellant in the course of his legitimate transactions. The vulnerability of the system to attack by members of staff was illustrated by the fraud perpetrated by Mr Kareer earlier the same year, involving as it did the use of other people’s terminals in their absence.
For all those reasons, submitted Mr Winter, Mr Roddy did not have a proper basis for saying that there was one continuous session and did not have the expertise to answer the questions raised by the defence on this issue. He was not qualified to give the evidence he did about the nature of the activity shown by the activity reports. His evidence should have been confined to telling the jury how the system was ordinarily designed to operate. A properly qualified expert should have been called to show how it did in fact operate and to say whether what was shown by the activity reports did form part of a single session. The defence were at the additional disadvantage that, because the data had not been properly secured, it was not possible for the defence expert to reach any conclusion on the subject.
A further strand of Mr Winter’s submissions concerned Mr Roddy’s independence. The implications for the bank if an operation moving £16 billion per day was vulnerable to fraud placed Mr Roddy, as an employee of the bank, under great pressure. He conceded that he might have been subject to a subliminal lack of objectivity in his task. He ought not to have been placed in this position. Expertise and independence go hand in hand. In this case Mr Roddy had neither quality, which created a truly dangerous situation. Without this part of his evidence, there would have been no case against the appellant.
In granting leave to appeal, the Full Court said that it had some concerns as to whether Mr Roddy’s evidence could truly be described as expert evidence. Having had the benefit of full argument, however, we are satisfied that the judge was entitled to rule as he did.
The judge said that he was applying the test in Bonython. There is no suggestion that he was wrong to apply that test. In Bonython it was said that there are two questions for the judge to decide: (1) whether the subject matter of the opinion falls within the class of subjects upon which expert testimony is permissible; and (2) whether the witness has acquired by study or experience sufficient knowledge of the subject to render his opinion of value in resolving the issues before the court.
It is not in dispute that the judge was right to give an affirmative answer to the first question, holding that the operation of the Hexagon system was a subject appropriate for expert testimony. In our judgment he was also right to give an affirmative answer to the second question, holding that Mr Roddy had acquired sufficient knowledge of the subject to render his opinion of value in resolving the issues before the court concerning the operation of the Hexagon system. This was an assessment properly made after hearing Mr Roddy’s evidence on the voir dire. The extent of Mr Roddy’s experience of the Hexagon system, as summarised above, enabled him to give valuable assistance on the interpretation of the data taken from the central computer and set out in the activity reports. It was accepted that he was not an IT specialist in any wider sense and that his technical knowledge of the system was limited. But this did not preclude his being regarded as an expert to the extent indicated by the judge.
There was no attempt to hide or downplay the limitations in the evidence that Mr Roddy was able to give. They were explored in depth in cross-examination, and both Mr Roddy and the Crown made important concessions. For example, as appears from the summing up, in the light of the evidence about the reallocation of session numbers, Mr Roddy “conceded that he could not say that the logon reference numbers served to identify a single session, on a single and particular workstation, by a single particular operator, because it clearly does happen that session reference numbers were being reallocated” (tr. 20A-B). Such matters were placed clearly before the jury. They were relevant to the question whether they should accept and place weight on Mr Roddy’s evidence, but they did not mean that it was wrong to treat Mr Roddy as an expert witness in the first place.
Likewise the judge was in our view right to hold that Mr Roddy’s position within HSBC, coupled with the importance of the case to HSBC, went only to the weight of his evidence and did not render such evidence inadmissible.
It was held in R v Gokal (judgment of the Court of Appeal, Criminal Division, 11 March 1999), in relation to the evidence of a prosecution investigator who was accepted at trial to be an expert, that the extent of his independence could go only to weight, not to admissibility. Mr Winter submitted that the position in the present case was materially different, in that Mr Roddy represented the victim of the fraud and there was also an issue concerning his expertise. He submitted that given the centrality of Mr Roddy’s evidence on the question whether the illegitimate activity had been carried out as part of the same session as the legitimate activity, it was important that any expert witness should observe the requirements laid down in National Justice Compania Naviera SA v Prudential Assurance Co Ltd (The ‘Ikarian Reefer’) [1993] 2 Lloyd’s Rep 68, for example that the evidence should be seen to be the independent product of an expert uninfluenced by the exigencies of litigation.
We take the view that the differences between this case and Gokal are not material. Expertise and independence are separate issues, and we have dealt already with the question of Mr Roddy’s expertise. As to independence, we do not accept that his employment with HSBC and the importance of the case to HSBC disqualified him from giving expert evidence. Although he made a very fair concession about the risk of subliminal lack of objectivity, our attention has not been drawn to any feature of his evidence that could support a case of conscious bias or lack of objectivity. In any event it was a matter for the jury to determine whether there was any conscious or unconscious bias or lack of objectivity that might render his evidence unreliable. This was, as the judge said, a matter going to weight rather than admissibility. The circumstances did not warrant a refusal by the judge to admit the relevant parts of Mr Roddy’s evidence at all.
Accordingly we reject the first and main ground of appeal.
The submission of no case to answer
One of the written grounds of appeal is that Mr Roddy’s evidence was unreliable and unsafe and that the judge should therefore have withdrawn the case from the jury at the close of the prosecution case. Mr Winter did not press that ground in his oral submissions. In our judgment it is unsustainable. Once Mr Roddy’s evidence was held to be admissible, the evaluation of that evidence was, as we have said, a matter for the jury. Notwithstanding the limitations in Mr Roddy’s expertise and knowledge, as explored in cross-examination, his evidence was capable of providing a proper framework for the other evidence led by the Crown; and the evidence as a whole plainly provided a case to answer.
As to the strength of the prosecution case, the submissions made by Mr Rhodes QC on behalf of the Crown were in our view compelling. They are relevant both here and in relation to the final ground of appeal, concerning the ultimate question of safety of the conviction.
Mr Rhodes invited the court to stand back and take a bird’s eye view of the facts. The appellant accepts that he reset passwords just before and just after the illegitimate activity and that he left work soon afterwards. His re-entry to work was recorded at 17.27. In interview he admitted that he did not know that it was recorded and he gave a story which hardened into an account of returning to get his umbrella. He said that the pavement was wet, but this must have been a lie: there was CCTV evidence that the conditions were dry. The relevance of the return to work was to be found in Mr Fisher’s evidence that at the end of the working day the appellant asked him to authorise three password resets, which he did without seeing the paperwork because he knew the appellant to be a password reset clerk and assumed that he would have carried out the necessary checks. The jury must have accepted Mr Fisher’s evidence although its veracity and reliability were challenged by the defence. So the appellant avoided his team leader, Ms Moncur, and went to Mr Fisher, ‘the weak link’. If the appellant simply came back for his umbrella, why did he ask for the authorisations? If, on the other hand, the request for authorisation came from someone other than the appellant, why did that person include one legitimate transaction (Bay Bournemouth) as well as the two illegitimate transactions? The appellant’s responses to such questions in interview were ‘all over the place’. Mr Rhodes also drew attention to the fact that faxes and cover sheets were found for the legitimate transactions before and after the illegitimate activity. The appellant suggested in interview that a fax had been received from AT&T, but none was found and there was unchallenged evidence that none was sent.
When assessing the appellant’s performance in interview, account must be taken of his low intellect, as Mr Winter stressed, and of his case throughout that he had no clear recollection of the day in question. But in our view that does not negative the force of the points made by Mr Rhodes by reference to those interviews.
Mr Rhodes submitted that it strained credulity even more to suggest, as the appellant had done, that someone must have taken advantage of his temporary absence from his desk (when he went off to do some photocopying) to carry out the illegitimate transactions. The fraud previously perpetrated by Mr Kareer was drawn to the attention of the jury, but Mr Kareer had logged on at other people’s terminals when they were away for a day’s training or for lunch. By contrast, it is unlikely that someone would use another person’s terminal during a short absence for photocopying when the period of that absence could not be known.
In the circumstances we have no doubt that the judge was right not to withdraw the case from the jury.
The judge’s directions to the jury
In his summing up, the judge told the jury that there was a direction he needed to give them in relation to Mr Roddy “because he has been treated as an expert witness”. He explained the basis on which Mr Roddy fell within the category of expert witness, namely “because of his long experience in the specific work of providing to the HSBC Bank, who employed him, technical support”. He described the nature of Mr Roddy’s experience, reminding the jury that Mr Roddy had conceded that he was not an IT specialist in any wider sense but had said that he was good on how the Hexagon system worked in practice. The judge went on:
“And it is, of course, for you to judge, having seen him, having heard him you will form an opinion as to the knowledge that Richard Roddy really has and how true it is that he says he knows the Hexagon system.
It is a matter for you to judge the extent to which you feel able to accept him as a witness of expertise, but because he is an expert witness I need to give you a particular direction ….”
He then gave a direction in conventional terms as to the approach the jury should adopt towards expert evidence, stating inter alia that it was for the jury to decide whether to accept the opinions expressed by an expert witness. He referred next to the issue of Mr Roddy’s independence and in particular to the defence suggestion that because Mr Roddy was employed by HSBC he might be mindful of the bank’s need to represent to the world at large the integrity of the Hexagon system, and that his evidence or aspects of it might be skewed to achieve that end rather than be truly reliable. The judge also mentioned Mr Roddy’s acceptance of the risk of a subliminal lack of objectivity. He concluded:
“Well, bear Mr Winter’s suggestions as to that in mind and give those the weight you think they deserve.”
It is contended in the grounds of appeal that the judge erred by directing the jury that they should satisfy themselves that Mr Roddy was an expert before relying upon him. This is said to have amounted to passing the decision as to admissibility from himself to the jury. In the development of the written argument, it is said that the directions fell between two stools. The judge did not direct the jury that he had ruled that Mr Roddy was an expert and that the only question was whether they found him sufficiently reliable to accept his evidence. Nor did he direct them that they could not accept any of his evidence unless they were sure that he was an expert. He directed them to consider how much of an expert he was and how much he could assist them.
In our judgment there was no misdirection by the judge. In particular, his statement that it was for the jury to judge the extent to which they felt able to accept Mr Roddy as a witness of expertise must be read in the light of the relevant directions as a whole. In those directions the judge made perfectly clear that Mr Roddy was an expert witness and why he had been treated as an expert witness. But he also made clear, as he was bound to do, that it was for the jury to decide whether to accept the expert evidence given by Mr Roddy and what weight to place on it. He did not pass to the jury his function of deciding whether and to what extent Mr Roddy was an expert witness. Nor did he fall between two stools. His approach might even be said to have been favourable to the defence, but in any event it involved no legal error.
The safety of the conviction
Mr Winter put his personal weight behind a submission that, even leaving aside the criticisms of Mr Roddy’s evidence, the court should feel a lurking doubt about the safety of the appellant’s conviction. Mr Winter pointed to the underlying concerns arising out of the activities of Mr Kareer and the various matters in which the appellant himself could have had no involvement (including the obtaining of the installation key from someone within HSBC to enable remote access on the days following the password resets). He also pointed to the appellant’s youth and vulnerability and described him as ‘the perfect fall guy’ for someone else’s fraud. It was well known within HSBC that computers held audit trails and that protocols must be followed. If the appellant was guilty, he must have been prepared to engage in activity under his own identity in circumstances where he would have known that the records would reveal he had done so; and, without the supporting documentation, he risked a refusal of authorisation and immediate exposure. The audit trail was much more consistent with the rushed and error-strewn activity of someone using the appellant’s unattended workstation. Such a person would have had no concern for the audit trail it would leave and indeed might have wanted suspicion to rest upon one of the more inadequate members of HSBC’s staff.
It is of course true that there are points of this kind to be made in the appellant’s favour. But in our view such points were very much for the jury to evaluate, and no doubt they were put to the jury with the same skill and vigour as Mr Winter displayed in his submissions before us. On the other hand, there were many compelling points to be made against the appellant, as appears from Mr Rhodes’s ‘bird’s eye view’ summarised above. This was a classic jury case. In our judgment there was a solid evidential basis for the jury’s decision to convict. We reject the contention that there is a lurking doubt justifying interference by this court.
Conclusion
It was for the reasons elaborated in this judgment that we were of the clear view, at the conclusion of the hearing of the appeal, that the appeal should be dismissed.