Hot on the heels of Oracle’s change to Java licensing IBM have published an update to the Passport Advantage agreement. An update which significantly increases the measurement and reporting required by any organization running IBM software. The result is a significant increase in compliance risk for IBM users.
IBM’s Passport Advantage agreement governs most volume license purchases from IBM. On February 1st, 2023, Clause 4.1.a (License Verification) changed to the following (our emphasis):
“Client will, for all Programs at all Sites and for all environments, create, retain, and each year provide to IBM upon request with 30 days’ advance notice: i) a report of deployed Programs, in a format requested by IBM, using records, system tools output, and other system information; and ii) supporting documentation (collectively, Deployment Data).”
This change means that you as the customer are contractually required to measure consumption of IBM licenses, in order to provide a report to IBM on their request within 30 days. This must be done once per year.
The scope is all programs covered by the Passport Advantage agreement, and also the International Program License Agreement (IPLA). The clause has been in the IPLA since October 2021. It also applies to licenses covered by Passport Advantage Express.
Previously the License Verification clause in these agreements merely required customers to provide sufficient records and outputs to IBM and its appointed auditors in order to verify compliance. As such, this amendment represents a considerable tightening of the rules. Many IBM licensees will be familiar with the need to keep continuous records for programs eligible for sub-capacity licensing but this change means that requirement is extended to every program.
This change also affects the audit process as IBM will use the report as the baseline for the audit, whilst still retaining the right to ask for additional information and deployment data. Essentially the annual report you provide becomes the baseline for the audit activity.
As noted by IBM licensing expert Niall Eddery the primary challenge – beyond the loss of control – is that reliable reporting methods aren’t available for all IBM software and metrics. Beyond more common metric types such as Authorized User & PVU IBM have a large number of other metrics which may be difficult to measure. Furthermore, Niall notes that at the time of writing IBM have yet to publish the required reporting format, so currently we don’t know what to measure, how to measure it, and how to report it. Readers familiar with PVU licensing will recall that peak usage (high water mark) is important in measuring consumption – but we don’t yet know IBM’s requirement for reporting usage of other metric types.
If 2023 wasn’t already busy enough for ITAM professionals, this announcement also requires urgent attention. As pointed out by IBM licensing expert Piaras MacDonnell these terms take effect for existing customers on May 1, 2023 – three months after the initial announcement. For new customers they apply immediately.
The terms apply as of that date to new orders and renewals, so as soon as you renew S&S you’re subject to the new terms. Therefore, it’s vital that processes and technologies are put in place to continuously discover your entire IBM estate. It’s also vital that you have a full and accurate understanding of your current license entitlements as you’ll need this to estimate the cost of any non-compliance.
Given the complexity of IBM licensing it’s important that you don’t underestimate the impact of this change. Talk to your existing tool providers to see how they can help and also consider engaging third-party IBM licensing experts. There are a wide variety of options out there ranging from your reseller, IBM partners, and independent consultants and firms. Now is the time to start planning such an engagement because you must have strong confidence in your IBM licensing position in time for your next renewal.
Taking a longer-term view on IBM compliance and hoping you don’t get an audit letter is no longer an option – you must now, at least once per year, declare your license consumption to IBM. If that declaration shows a shortfall you then must comply with the Excess Use Resolution as detailed in section 10.3 of the agreement.
This license change greatly reduces the leeway IBM licensees have with regard to compliance. In some ways it’s similar to SAP’s approach with annual LAW reports. Your primary defense against an audit (control of information) has been removed. It would be prudent to assume that annual reports will be used by IBM’s compliance teams to select audit targets. With the increased risks now associated with IBM software this may make an offer to join the IASP program one you’d be unwise to refuse.