A Comprehensive Look at the Most Common Areas of Software Complexity within Financial Service Institutions

William Nelson, Version 1
Aug 13, 2024 · 12 min read

Financial institutions are required to have a robust process to identify, assess and mitigate IT risk, as defined under various regulatory frameworks and supervisory letters. Of particular importance are the following:

Regulations such as the FCA Handbook, the PRA Rulebook and EU regulations (e.g. GDPR, DORA) impose strict requirements around the management and control of software assets.

The FCA Handbook, in particular the Senior Management Arrangements (SM&CR and SMF rules) and Systems and Controls (SYSC 8 and SYSC 14) sections, requires financial institutions to have robust processes for managing their software assets, including maintaining accurate records and ensuring appropriate licensing.

The PRA Rulebook has similar requirements around operational resilience: firms are expected to have effective controls and governance over their technology assets, including critical third parties, through audit rights and independent audit reports (e.g. ISAE 3000/3402 or SOC 1/2/3).

It is therefore critical for financial institutions to have an understood, agreed and documented internal process for ongoing license management to ensure compliance with the FCA Handbook. Software license policies must be maintained, and the effective license position (entitlement versus deployment) must be capable of being evidenced at any time.

This post will look at the most common areas of complexity for financial institutions within the scope of enterprise software and offer our view on what actions can be taken to mitigate against unbudgeted cost and risk. These include:

· Understanding your governance, compliance and audit processes and procedures

· Licensing risk of mixing legacy applications with new

· The impact of technology transformation and cloud migration on software assets

· Compliance and cost risks associated with mergers and acquisitions

· Reliance on on-premises

· Private cloud

· FinOps

· Guest users/contractors

· Microsoft support contracts

Understanding your governance, compliance and audit processes and procedures

The recommended best practices for managing enterprise software, which are often overlooked, include the following:

Governance

· Implementing software asset management processes and governance.

· Software cataloguing and monitoring of software usage.

· Retaining all pertinent documentation.

· Creation of an internal policy for software procurement/recycling to ensure money is not spent on software where spare licenses are available.

· Communication of internal policy for all users and IT to ensure a thorough understanding of the process and adherence.

Compliance

· Staying informed about changes in licensing terms.

· Defining and deploying processes for producing a regular effective license position (ELP).

· Automating entitlement-versus-deployment reports using processes that allow for independent verification.

· Using Microsoft's native repositories and tools (and/or third-party tooling) for inventory collection, to obtain and maintain the deployment data.

· Know and understand contractual obligations and be fully prepared for contract renewal negotiations to place the organisation in the strongest position.

Audits

· Carry out regular internal self-audits and be prepared for any approach from your vendor.

It is imperative that financial institutions employ a thorough software asset management methodology in order to maintain an accurate software inventory and ensure ongoing license compliance. Whether this is managed and audited by an in-house team, outsourced, or a hybrid of the two, a strict approach is necessary to comply with the regulations and avoid punitive vendor and regulator fines.

Ongoing license compliance also drives cost optimisation: reduced spend and waste, cost avoidance and a better return on your software investment. When IT budgets are tight, removing cost and waste from your software assets or cloud consumption is one way to relieve the financial pressure.

Licensing risk of mixing legacy applications with new

There are many reasons why financial institutions may run multiple versions of an operating system, productivity server or database server on the same on-premises infrastructure and networks: legacy banking applications that are not compatible with the latest operating system or database platform versions, the cost of change, and application modernisation roadmap timelines, to name a few.

This does, however, add complexity to license management and underlines the importance of staying compliant with the differing product use rights of each version.

Different versions can carry different deployment entitlements (for example, which versions a given license permits you to run under downgrade rights) and interoperability considerations, all of which need to be factored into the effective management of licenses and how they are used.

Similarly, different editions of Microsoft server software, for example Windows Server Standard and Windows Server Datacenter, are entirely separate products even though their functionality is similar, and each must be licensed for the edition actually installed. Institutions often build 'images' for ease of deployment; every instance deployed from an image must still fall within the entitlement that its license provides.

The impact of technology transformation and cloud migration on software assets

The PRA Rulebook has requirements around operational resilience for financial institutions. This is particularly important when institutions are planning an upgrade to their systems and expect downtime.

No upgrade, transition or migration to new technology is as simple as switching-off the current system and starting-up the new one; there are inevitably periods of testing, data migration, simultaneous use and early-life implementation.

Certain product sets and licenses allow for usage within server farms, for a time-bounded migration, or under dual-use rights. These rights are specific to the entitlement provided with particular licenses and agreements, and must be considered as part of any upgrade, migration or transformation planning and deployment project.

Transformation projects can also trigger interest from your software vendors, who will be keen to understand how their software is being used before, during and after the migration. If your vendor requests an audit during or after the migration and finds non-compliance, the cost of remediation could wipe out the ROI in the transformation's business case.

Prepare accordingly for a migration project and include a license expert to review your current estate, how to run in parallel, and license rightsizing on your new platform.

Compliance and cost risks associated with mergers and acquisitions

With an increase in M&A activity forecast for 2024 in the financial services sector (according to PwC and Deloitte), it is imperative that financial institutions have a firm grasp of the processes and requirements to follow to minimise non-compliance risk.

Referencing again the necessity to comply with the obligatory regulatory frameworks and supervisory letters, financial institutions must consider the following during M&A:

· Regulations such as the FCA Handbook, the PRA Rulebook and EU regulations (e.g. GDPR, DORA) impose strict requirements around the management and control of software assets; acquiring entities need to thoroughly understand the software landscape of the target company to avoid unnecessary costs.

· Continuity of service: critical software and applications must be seamlessly integrated and transitioned as part of the M&A process to maintain business operations and avoid disruption.

Software license paperwork will generally state that the license is granted to a named company or entity and, depending on the vendor's definition, to its affiliates (Microsoft, for example, defines an affiliate by more than 50% common ownership). If you are about to merge, acquire or divest, find your contract paperwork and carefully examine any stipulations or restrictions, such as entity or geography.

Until you know what your contract contains, it’s very difficult to begin to understand the impact M&A will have and what options are available to you. Due diligence in the M&A planning stages should include close examination of your software license policies and our recommendation would be for an independent third-party expert, such as Version 1, to provide advice and guidance in this area.

If all contractual, entitlement and deployment information on your current software estate is in hand, any M&A clause stipulations are clarified, and you are clear on the software landscape of the target company or new entity, then you are ready for a proactive vendor conversation before M&A begins.

If the situation dictates that a license purchase is necessary, then you can plan for this and allocate budget accordingly. In this instance, you can lead those negotiations rather than reacting to a potentially confrontational vendor approach after M&A and as a result of an audit.

Forewarned is forearmed in these situations, particularly for complex financial institutions with extensive software estates spanning multiple subsidiaries and geographies. It really does pay to have an independent expert guide you through the minefield of software contracts. Clarifying your current software estate to ensure compliance, and understanding the 'to be' structure, will significantly reduce the risk and cost of using software for which you are not licensed.

Reliance on on-premises

In October 2022, Microsoft announced significant changes to Windows Server licensing for on-premises deployment of Virtual Machines (VMs).

https://www.microsoft.com/en-us/licensing/product-licensing/windows-server

Prior to the change, Microsoft's licensing model required every physical host to be fully licensed, with a number of Windows Server core licenses corresponding to the physical processor cores in the host (subject to per-processor and per-host minimums), irrespective of whether the physical host itself was running the Windows Server operating system.

The change allows individual Windows Server VMs to be licensed at the VM level, based on the number of virtual cores assigned to the VM (subject to a minimum of 8 core licenses per VM). Note that Microsoft makes per-VM licensing available only to licenses with active Software Assurance or to subscription licenses; check the current Product Terms before planning around it.

This allows customers to analyse their virtualisation density (number of VMs per host) and determine whether there is an opportunity to realign their licensing: from unlimited virtualisation under Windows Server Datacenter core licensing (which requires all physical cores to be licensed) to licensing each individual VM with Windows Server Standard core licenses, at a potentially lower total cost of ownership.
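As an added worked example (not code from the original post or from Microsoft), the following Python models the two licensing positions described above for a small constructed inventory and then reconciles the per-VM demand against an assumed entitlement, which is the entitlement-versus-deployment report the Compliance section above asks for. The host and VM figures, the 160-core entitlement and the per-core prices are placeholders; the minimums (8 core licenses per physical processor and 16 per host when licensing the host, 8 per VM when licensing by virtual machine) are Microsoft's per-core rules and should be verified against the current Product Terms.

```python
"""Windows Server core-license demand: host-level (Datacenter) vs per-VM (Standard).

Added example, not part of the original post. The inventory, entitlement and
prices are constructed placeholders; the minimums encode Microsoft's per-core
rules as understood at the time of writing. Verify against the Product Terms.
"""
from dataclasses import dataclass, field
from typing import Dict, List

MIN_PER_PROCESSOR = 8   # core licenses per physical processor (host licensing)
MIN_PER_HOST = 16       # core licenses per host (host licensing)
MIN_PER_VM = 8          # core licenses per VM (per-VM licensing)


@dataclass
class VM:
    name: str
    vcpus: int


@dataclass
class Host:
    name: str
    sockets: int
    cores_per_socket: int
    vms: List[VM] = field(default_factory=list)


def host_level_cores(host: Host) -> int:
    """Core licenses needed to license every physical core on the host
    (the Datacenter 'unlimited virtualisation' model), minimums applied."""
    per_proc = max(host.cores_per_socket, MIN_PER_PROCESSOR)
    return max(per_proc * host.sockets, MIN_PER_HOST)


def vm_level_cores(host: Host) -> int:
    """Core licenses needed to license each VM on the host individually
    (Standard per-VM model), with the 8-core minimum applied to every VM."""
    return sum(max(vm.vcpus, MIN_PER_VM) for vm in host.vms)


def compare_models(hosts: List[Host], dc_price: float, std_price: float) -> Dict[str, float]:
    """Total core licenses and cost under each model across the estate.
    Prices are per core license and are supplied by the caller."""
    dc_cores = sum(host_level_cores(h) for h in hosts)
    std_cores = sum(vm_level_cores(h) for h in hosts)
    return {
        "datacenter_cores": dc_cores,
        "standard_vm_cores": std_cores,
        "datacenter_cost": dc_cores * dc_price,
        "standard_vm_cost": std_cores * std_price,
    }


def effective_license_position(demand: int, entitlement: int) -> Dict[str, int]:
    """Entitlement vs deployment: a positive surplus is reusable stock, a
    negative surplus is a compliance shortfall that an audit would price."""
    return {"demand": demand, "entitlement": entitlement, "surplus": entitlement - demand}


# Constructed inventory (placeholder): two 2-socket, 16-core-per-socket hosts,
# one densely virtualised and one sparsely virtualised.
INVENTORY = [
    Host("host-a", sockets=2, cores_per_socket=16,
         vms=[VM(f"vm-a{i}", vcpus=4) for i in range(12)]),
    Host("host-b", sockets=2, cores_per_socket=16,
         vms=[VM("vm-b1", vcpus=4), VM("vm-b2", vcpus=12)]),
]

if __name__ == "__main__":
    for h in INVENTORY:
        print(f"{h.name}: host-level {host_level_cores(h)} cores, per-VM {vm_level_cores(h)} cores")
    # Placeholder per-core prices; substitute your agreement's pricing.
    result = compare_models(INVENTORY, dc_price=100.0, std_price=15.0)
    print(result)
    # Assumed entitlement of 160 Standard core licenses for the ELP.
    print(effective_license_position(result["standard_vm_cores"], entitlement=160))
```

On host-a the per-VM demand is three times the host-level demand (96 versus 32 cores, because every 4-vCPU VM is rounded up to 8), while on host-b it is well under it (20 versus 32). Whether that turns into a cheaper bill depends on the Standard-to-Datacenter price ratio, which is why the prices are parameters rather than constants. Run the comparison per host as well as in aggregate, since the better model can differ host by host, and keep the evidence (inventory export and entitlement records) alongside the result so the position can be verified at audit.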

On-premises licensing is often seen as static, with little or no room to consider alternative licensing options for the infrastructure; however, changes do occur and give customers an opportunity to factor in these amendments before their next agreement renewal.

Private cloud

In October 2022, Microsoft made the Flexible Virtualization Benefit (FVB) generally available to all customers with eligible licenses, namely any software license covered by active Software Assurance or a subscription license.

https://www.microsoft.com/en-us/licensing/news/options-for-hosted-cloud

FVB extends the capabilities previously offered through License Mobility, giving customers the freedom to run their software with any outsourcer beyond the specific Authorized Mobility Partners (except the Listed Providers: AWS, Google, Alibaba and Microsoft). This enables customers to use licenses with Software Assurance, or subscription licenses, on dedicated and shared hardware that they do not own.

This expands the concept of the private data centre beyond the traditional Authorized Mobility Partners to any scenario (excluding the Listed Providers) in which the customer wishes to run their software.

This provides greater deployment options and flexibility, but it does not negate the customer's responsibility to remain within the specific product use rights and terms of use, nor lessen the customer's responsibility to remain compliant.

FinOps as a business imperative

FinOps is a methodology and set of practices designed to enable organisations to obtain the maximum business value from their cloud investment.

It is based on the principles of optimising cloud expenditure and maximising the efficiency of cloud usage through effective governance, controls and shared responsibility for use.

Deloitte’s 2024 banking and capital market outlook reported that, “With the rising pressure on revenue generation, cost discipline will become even more of a priority, and possibly a competitive differentiator for banks.”

FinOps can help financial institutions to reduce costs, improve performance of applications and services and increase their overall competitiveness.

Forbes also recently posted on how FinOps for banking has become, “ … a business imperative.” In their post, they state, “Organisations (are) focusing their FinOps efforts on the first phase: Inform. The consideration needs to look beyond Inform and what to do after, Inform, and onto Optimise and Operate stages.”

In the Inform phase of FinOps, teams identify data sources for cloud costs, usage, and efficiency. This data is used for allocation, analysis, and reporting, helping teams with budgeting, forecasting, and developing KPIs. Forbes highlights the need for financial service institutions to mature their FinOps processes to include the Optimize phase where the focus is on enhancing cloud efficiency. In the Operate phase, the focus shifts to putting FinOps into action within the institution.

Due to the dynamic nature of cloud services and their complex pricing, institutions must continuously revisit their activities to make data-driven decisions and ensure ongoing optimisation. FinOps is not a one-and-done activity; it is an ongoing business process and cultural practice that, if done correctly, ensures maximum commercial and performance benefit from your cloud platform.

Third party licensing (contractors)

The finance sector will always rely on contractors to quickly fill vacated roles, cover long-term leave of absence and staff specialist project roles. However, managing licensing for contractors is difficult because of the constant churn of joiners and leavers, and it can quickly unravel if not properly managed, leading to overspend and financial waste.

Microsoft provides a comprehensive and structured identity and access process for managing external users, guest users and temporary or contract users through Microsoft Entra ID. This includes:

  • Centralised management: Administrators can control who has access to what resources and when
  • Zero Trust user access: Employees can securely access applications across networks with least privilege access
  • Multi-factor authentication (MFA): Users must provide two forms of verification, such as a password and a notification from the Microsoft Authenticator app.
  • Just-in-time (JIT) and Just-enough-access (JEA): These features protect production environments and customer data by only granting temporary access that’s automatically revoked after a set period.
  • Azure role-based access control (Azure RBAC): Teams can divide up responsibilities and roles, and only give users the access they need to do their jobs.

Entra ID gives organisations the means to grant guest users access to Azure resources, for example, while retaining full control of identity and access according to their needs.

Specific to Microsoft 365 suites, including Exchange Online, the primary organisation is responsible for correctly licensing users with the appropriate subscriptions for use within the corporate domain. This includes temporary staff and contractors working for or on behalf of the organisation.

The exception to this rule is Power BI (Pro and Premium per user) and Power Apps, where an external user can 'bring their own license' from their home tenant. Similarly, guests can be given access to data stored in SharePoint Online and OneDrive, and in some scenarios Dynamics 365, without the host organisation assigning them a license.
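The joiner/leaver churn described above is where licenses leak: a contractor leaves, the account stays enabled and the subscription stays assigned. As an added example (not from the original post or from Microsoft), the Python below runs the checks a practitioner would want over a user export: departed accounts still enabled or licensed, paid licenses on accounts idle past a threshold, guests that never signed in, and guests holding a Power BI Pro license that may be covered by their home tenant instead. The records are constructed; the field names (userType, accountEnabled, assignedLicenses, signInActivity, employeeLeaveDateTime, createdDateTime) follow Microsoft Graph user properties, but the SKU names, the fixed clock and the 60-day threshold are assumptions for the demo.

```python
"""Stale guest / contractor license review over a constructed user export.

Added example, not from the original post. Field names mirror Microsoft Graph
user properties; the accounts, SKU list, clock and threshold are invented.
"""
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

NOW = datetime(2024, 8, 13, tzinfo=timezone.utc)   # fixed clock so the demo is reproducible
INACTIVE_AFTER = timedelta(days=60)                 # assumed threshold; set to your policy
PAID_SKUS = {"SPE_E5", "ENTERPRISEPACK", "POWER_BI_PRO"}   # SKU part numbers worth reclaiming

# Constructed export (not real accounts).
USERS = [
    {"userPrincipalName": "alice@corp.example", "userType": "Member", "accountEnabled": True,
     "createdDateTime": "2019-03-01T00:00:00Z",
     "assignedLicenses": [{"skuPartNumber": "SPE_E5"}],
     "signInActivity": {"lastSignInDateTime": "2024-08-12T09:00:00Z"}},
    {"userPrincipalName": "bob_contractor.example#EXT#@corp.example", "userType": "Guest",
     "accountEnabled": True, "createdDateTime": "2023-11-01T00:00:00Z",
     "assignedLicenses": [{"skuPartNumber": "ENTERPRISEPACK"}],
     "signInActivity": {"lastSignInDateTime": "2024-05-01T08:00:00Z"}},
    {"userPrincipalName": "carol@corp.example", "userType": "Member", "accountEnabled": True,
     "createdDateTime": "2024-02-01T00:00:00Z",
     "assignedLicenses": [{"skuPartNumber": "SPE_E5"}],
     "signInActivity": {"lastSignInDateTime": "2024-08-10T17:00:00Z"},
     "employeeLeaveDateTime": "2024-07-31T00:00:00Z"},
    {"userPrincipalName": "dave_partner.example#EXT#@corp.example", "userType": "Guest",
     "accountEnabled": True, "createdDateTime": "2024-06-01T00:00:00Z",
     "assignedLicenses": [{"skuPartNumber": "POWER_BI_PRO"}],
     "signInActivity": {"lastSignInDateTime": "2024-08-11T10:00:00Z"}},
    {"userPrincipalName": "erin_vendor.example#EXT#@corp.example", "userType": "Guest",
     "accountEnabled": True, "createdDateTime": "2024-01-15T00:00:00Z",
     "assignedLicenses": [], "signInActivity": None},
]

Finding = Tuple[str, str]   # (code, human-readable detail)


def parse_ts(value: Optional[str]) -> Optional[datetime]:
    """Graph timestamps are ISO 8601 with a trailing Z; fromisoformat wants +00:00."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")) if value else None


def paid_skus(user: dict) -> set:
    return {lic["skuPartNumber"] for lic in user.get("assignedLicenses", [])} & PAID_SKUS


def findings_for(user: dict, now: datetime = NOW) -> List[Finding]:
    findings: List[Finding] = []
    paid = paid_skus(user)
    left = parse_ts(user.get("employeeLeaveDateTime"))
    last = parse_ts((user.get("signInActivity") or {}).get("lastSignInDateTime"))
    created = parse_ts(user.get("createdDateTime"))
    is_guest = user.get("userType") == "Guest"

    # Leaver whose account is still enabled or still carries a paid subscription.
    if left and left <= now and (user.get("accountEnabled") or paid):
        findings.append(("departed", f"left {left.date()}; disable and reclaim {sorted(paid)}"))
    # Never signed in: access that was granted but never used is pure exposure.
    if last is None:
        if created and now - created > INACTIVE_AFTER:
            findings.append(("never_signed_in", f"created {created.date()}, no sign-in; remove"))
    # Idle beyond the threshold while still consuming a paid license.
    elif now - last > INACTIVE_AFTER and paid:
        findings.append(("inactive", f"{(now - last).days}d idle; reclaim {sorted(paid)}"))
    # Guests may bring their own Power BI license from their home tenant.
    if is_guest and "POWER_BI_PRO" in paid:
        findings.append(("guest_byol_review", "guest holds Power BI Pro; check home-tenant license"))
    return findings


def review_users(users: List[dict], now: datetime = NOW) -> Dict[str, List[Finding]]:
    """Map UPN -> findings for every account that needs action."""
    return {u["userPrincipalName"]: f for u in users if (f := findings_for(u, now))}


def finding_codes(users: List[dict], now: datetime = NOW) -> Dict[str, List[str]]:
    """Codes only, convenient for ticketing or assertions."""
    return {upn: [code for code, _ in fs] for upn, fs in review_users(users, now).items()}


if __name__ == "__main__":
    for upn, fs in review_users(USERS).items():
        for code, detail in fs:
            print(f"{code:18} {upn}: {detail}")
```

In practice the export would come from the Graph users endpoint (the signInActivity property needs the appropriate reporting permission), and the "departed" case is the one to automate first, since an enabled account for someone who has left is both a cost and an access-control failure. Treat the Power BI finding as a review item rather than an automatic reclaim: the guest's home tenant has to actually hold the license before the host tenant drops its own.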

Microsoft support contracts

Microsoft Unified Support covers the products and services within an Enterprise Agreement and is priced as a percentage of the total value of the agreement: the higher the value of the agreement, the higher the cost of Unified Support (depending on the support level, as described below). Unified Support is a single support plan covering every Microsoft product in use across your institution's core business and IT priorities.

The Unified Support programme is designed around cloud services customers' needs, providing a response as fast as 30 minutes for critical incidents, and has three support levels:

· Core Support: offers affordable access to problem resolution, concierge services, elevated reactive support, self-help resources and data-driven insights to help plan for the future.

· Advanced Support: is a balance of reactive and preventive support that helps ensure business continuity with special handling of critical issues, automatic escalation management, access to Microsoft experts to evaluate new technology and a business advocate to help customers plan for changes.

· Performance Support: is the ultimate in personalised support, with the fastest response times backed by financially backed SLAs, product group engagement, an assigned support architect to create plans for your data, and engineers to assess remediation planning.

However, Unified Support, whilst comprehensive, is not mandatory; it is recommended that you review your institution's historical support cases, anticipate potential future needs and carry out a needs and fit-gap analysis to determine whether Unified Support is suitable.

Support can instead be obtained from a credible, reputable service provider, or through Microsoft's Advanced Support for Partners offering, whereby a Microsoft Partner provides support to the institution with Microsoft as the resolver and escalation path behind it.

Unified Support also provides a key opportunity for negotiation with Microsoft in advance of an Enterprise Agreement renewal, whether to leverage a better discount rate or to secure additional services as part of the deal.

The Unified Support contract period does not have to align with the Enterprise Agreement dates, so if you are not ready to commit to Unified Support at the time of the agreement renewal, there is no obligation to include it at that point.

Summary

The appetite for risk and unbudgeted cost in financial institutions is very low, and regulatory repercussions affect not only the institution but also those responsible for managing cost and risk.

This post has covered a small percentage of the issues that can arise within the scope of enterprise software management in financial institutions. Any in-house team responsible for managing your software estate must hold deep licensing, technical, commercial and contractual expertise across a number of software vendors, including Oracle, Microsoft and IBM. This level of skill is often difficult (and expensive) to find; this is where engaging a vendor-independent consultancy (such as Version 1) with multi-vendor, multi-technology and multi-platform expertise, working client-side, can advise and guide you through a specific licensing challenge, such as an audit or a move to the cloud, or on an ongoing basis to ensure proactive license management and compliance.

Save money, reduce unbudgeted spend and remove budgetary pressure by optimising your license estate. Contact Version 1 for more information.

About the Author

William Nelson is a Sales Specialist in the Licence Management practice at Version 1.


I’ve been successfully selling IT solutions and services for 20 years and now focus on my area of expertise: Microsoft Licensing and Software Asset Management.