Business travel: Keeping mobile roaming headaches at bay

With summer holidays coming up and international roaming data at £1 for 1MB – that’s one email with an attachment – it’s time for drastic action.

http://www.bbc.co.uk/news/business-14129868

Gagging for IT

I can’t comment on what someone who can’t be said to be a banker was up to when the Crunch hit. The buzz when Twitter user @injunctionsuper spilled the beans was mainly around the celebrities named.

@Ruskin147 – Rather weird that Twitter has been alive with super-injunction details for weeks – but one new account with inaccurate reports is news

@DorothyKing - If we’re not “allowed” to know who has a #superinjunction how do we know who not to discuss? Goldsmith? Ryan Giggs? Fred Goodwin? Branson?

@TheSpacePope – Anyone think @injunctionsuper got one wrong deliberately to allow trad media to be able to report the story? #superinjunction

However, less was said about the conduct of those at the helm of an industry whose collapse cost the UK taxpayer £1 trillion – perhaps because they have deeper pockets. But even if you get a “contra mundum” super-injunction, it can’t redact the internet rumours altogether.

But I can’t say anything.

Except to point out that sometimes even recent history repeats itself:

http://www.telegraph.co.uk/news/uknews/1573557/Northern-Rock-chief-had-affair-before-collapse.html

Adobe’s name is mud

More is coming out about the loss of the “keys to the Kingdom” at RSA.

For a great discussion of this and other security topics, follow the Security Now! podcast and the archive at GRC.com.

In short, a user just opened a spreadsheet.

A small group of RSA employees received a targeted spear phishing email, which was intercepted and moved into their spam folders.

Steve Gibson continues:

But one of the employees in one of these small groups looked in her junk mail folder, and the email was titled “2011 Recruitment Plan.” And she opened the email, and there was an attachment, 2011 Recruitment Plan.XLS, making it a Microsoft Excel spreadsheet. That she opened, and that allowed a Flash movie, an Adobe Flash file that was embedded in the spreadsheet with an at-that-time unknown exploit, a zero-day flaw which Adobe has since patched, that allowed it to run. And that installed a well-known trojan which is freely available on the Internet called “Poison Ivy.” It’s a so-called RAT, an R-A-T, a Remote Administration/Access Tool/Toolkit trojan, which then phoned home, that is, it called outwards from her machine to a remote server that gave bad guys essentially the ability to do anything that she could do from her machine, they could do. And that’s all it took. That was their foothold in RSA. And the rest, as they say, is history…

The incident highlights two major security issues.

Firstly, however much you warn people not to open attachments from sources they don’t know, the hackers will always come up with something so tempting – such as the promise of video of a tennis star – that someone, somewhere will just have to open it. And it only takes one. That’s social engineering!

The second is equally challenging to solve.

Adobe have rightly earned their place on every desktop, laptop, tablet and smartphone (except for Flash on Apple iOS!) by providing software for rich media.

A PDF document will always display a document as it would appear on the printed page – but it can extend beyond that to include video and links to the page. When filing my company return earlier in the year, I downloaded a PDF from Companies House and filled it in. The PDF document validated my return and then transmitted the return off with the click of a button. Most useful when you have four hours left before the filing deadline.

No multimedia or social networking site would survive now without Adobe Flash videos. Celebrating the Royal Wedding, I am sitting with the live YouTube stream courtesy of Flash, and even the programme with its animated page turns.

However, to provide this rich media, the Adobe software has system powers far beyond what you would expect for “reader” or “player” software. And the Adobe software is cross-platform – common across browsers (Internet Explorer, Firefox, Chrome, Safari, Opera) and operating systems (all versions of Windows, Mac OS, Unix) – so the products provide a big target for exploits.

My Adobe Reader has 21 Plugins – from a vanilla installation – allowing internet access, sending mail, reading out loud, updating, and the Adobe EScript plug-in ‘that allows PDF documents to take advantage of JavaScript’.

Right-click on any Flash plug-in and look at the settings. There, Flash can take over your hardware, including the microphone and the webcam. It can put a file anywhere the user can – including the installation of malicious software.

Adobe are belatedly patching vulnerabilities – and seem to be giving up on their lethargic quarterly update frequency. Adobe Reader X (I’m not sure if that’s an “ex” or a “ten”) is starting to introduce a sandbox to isolate Adobe from the core operating system.

So what can be done to avoid these vulnerabilities?

  • You can remove add-ins and features you don’t need or intend to use (for Adobe Reader: Edit menu, Preferences) – but this is a long-winded “expert-level” exercise.
  • You can handle this at a corporate level with the security settings downloaded from a specified location – this has a slight downside of slowing down distribution of updates patching vulnerabilities.
  • Braver IT management might even try to eliminate Adobe software. Other PDF readers are available – and Google’s Chrome browser now has a built-in PDF reader. Many larger web video sites are moving away from Flash video toward the emerging HTML5 standard. This has the additional advantage of reducing the client resources needed.

However, it would be a brave IT manager who tried to take Adobe Reader and Flash away from users, and it is a complex exercise to find substitutes. Few would have enough clout to impose the “iPhone approach” and simply say No.

Compliance testing

I was chased today to complete my overdue mandatory compliance training.

So I spent a few hours completing the training and the test. The result?

“Test Passed

The exam contained 14 questions, of which you answered 13 correctly, or 93%.

These are the questions you answered incorrectly:

  • What are the consequences of failing to complete / attend mandatory Compliance training?”

Phisherman’s Friend

I get an email from McKinsey. “Someone you have never heard of has lost your data.”

I was not alone. Epsilon, a marketing services company that sends 40 billion e-mails a year, has been hacked. An estimated 2% of its customer data has been “exposed”. As with the recent major leak at RSA, Epsilon has not disclosed any details of the breach. The full impact of the breach is well explained in the Economist.

The emails being sent by major companies including JPMorgan Chase, Target, McKinsey and Marks & Spencer are all in the same format:

“We have been assured by Epsilon that the only information that was obtained was your first name, last name and e-mail address and that the files that were accessed did not include any other information…We want to urge you to be cautious when opening links or attachments from unknown third parties.”

Well, the files stolen DID contain some other valuable information – the trusted relationship between me and the company. The phishing emails won’t appear to come from ‘unknown third parties’ – they will look as if they have come from the company which I know, and have trusted until now.

Phishing emails are always obvious because:

  • They contain basic spelling errors.
  • They never address you personally.
  • They come from a company where you don’t have an account.

Armed with the Epsilon data and a spell checker, the spear phishers behind the leak can give the crime a quantum leap.

Here are the questions to ask any company that has been using Epsilon to email you:

I am sorry that your email of n April provided so little information about the data breach. The wording, which appears to be the same boilerplate sent by other customers of Epsilon, contains some significant omissions:
  • “the only information that was obtained was your first name, last name and e-mail address” – did it not contain more?: the trusted relationship with you? my home address? my email preferences?
  • “We want to urge you to be cautious when opening links or attachments from unknown third parties.” Any spear phishing emails using this lost information will not “come” from an unknown third party.
  • “We take your privacy very seriously, and we will continue to work diligently to protect your personal information.” What diligent work had been undertaken before the breach to audit the security at Epsilon?

Postscript

To McKinsey’s credit they responded within hours:

Dear Nic

Below is another boiler plate for you as I’ve had to answer this a lot. Incidentally, I looked up your account under nic@nicevans.eu, and you are just a free member so we only have your email, name, company and title – not your address. Epsilon assures us that ONLY name and email were taken. Please read on for further info.

McKinsey Quarterly deeply regrets this unfortunate circumstance.  We take your privacy concerns very seriously, and we felt it was important to inform our users as soon as the facts became available to us.

As you may have seen since McKinsey Quarterly’s message to its users, McKinsey Quarterly was one of many Epsilon clients whose data was compromised.  Many of our users have noted that they subsequently received breach notifications from credit card companies, reward programs, online services, retailers, etc.  Epsilon is one of the largest email service providers, and, unfortunately, many have been affected.
For all affected companies and end users, Epsilon has publicly stated that the breach was “limited to email addresses and/or customer names only.”  Following our message to users, Epsilon has provided further assurances to McKinsey Quarterly, specifically: “All data extracted from the platform is logged and the only data extracted/downloaded to a file was email, first name and last name.”  Additionally, “the attacker was only logged into the system for a short period of time based on application logs… which would not have allowed the user to manually review (rather than download) a single record at a time.”

McKinsey Quarterly does not store sensitive personal information (such as account passwords, financial information, or other personal identity details) with Epsilon.  We urge our users never to respond to emails requesting sensitive information and to be cautious when opening links or attachments from unknown third parties.

Epsilon has detailed for McKinsey Quarterly security measures put into place since the breach, and they are working with appropriate legal authorities in an ongoing investigation.  McKinsey Quarterly is separately undertaking its own review of Epsilon and email service providers, in general, and we can assure our readers that we will endeavor to ensure the highest security of our users’ information.

Again, McKinsey Quarterly deeply regrets the inconvenience to our valued readers. Thank you for your continued patience, understanding and readership.

Sincerely Yours,

Rik Kirkland
Senior Managing Editor,
McKinsey & Company

Break in at the locksmith

The IT security world was rocked by the publication of an open letter, written by security vendor RSA boss Art Coviello on 18 March.

In the letter he said the company had ‘identified an extremely sophisticated cyber-attack in progress’. ‘An investigation has led us to believe that the attack is in the category of an Advanced Persistent Threat’. In layman’s terms that means that a burglar broke in, the alarms didn’t go off, and they were there for quite a time.

‘The attack resulted in certain information being extracted from RSA’s systems. Some of that information is specifically related to RSA’s SecurID two-factor authentication products.’ Just about anyone who has used a corporate Virtual Private Network in the last ten years will be familiar with these tokens, which display an apparently random 6-digit number that changes every minute or so. This number is used together with some other password (two factors) to log in.

I am sure this letter will become a case study in damage limitation – see my earlier blog “Sorry seems to be the hardest world”. This was a clear example of the minimum necessary disclosure approach. There was much speculation at the Financial Sector Technology Expo in London today about what might have been stolen. “If I knew, I couldn’t tell you” said one Chief Security Officer. “They are only speaking to a very few of their major customers at Banks, and then under tight Non Disclosure Agreements.”

In the absence of hard facts, most informed opinion suggests the breach included the data that links the key used to generate the number to the identification number engraved on the back of each token. This is supported by advice going around that you should remove this engraved number – and by RSA’s fix, which is to issue replacement tokens.

So the news headlines again:

  • There has been a break-in at the locksmith’s.
  • Some of the customers’ master keys have been stolen.
  • Why did they need to keep a copy?
  • Could you trust that locksmith again?
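
Why the copy matters, as an added example that is not part of the original post: the token and the authentication server derive the number from the same secret seed, so any retained record linking a serial number to its seed yields the same number. SecurID's own algorithm is not shown here; standard HMAC-based TOTP (RFC 6238 style) stands in for it, and the serial number, seeds and PIN are constructed values.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 60  # the post says the number changes "every minute or so"


def token_code(seed: bytes, unix_time: int, digits: int = 6) -> str:
    """Derive the displayed number from the seed and the current time step."""
    counter = unix_time // STEP_SECONDS
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, as in RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class AuthServer:
    """Hypothetical verifier: it must hold every token's seed to check a code."""

    def __init__(self):
        self.seeds = {}  # serial number -> seed
        self.pins = {}   # serial number -> PIN (the second factor)

    def enrol(self, serial: str, seed: bytes, pin: str) -> None:
        self.seeds[serial] = seed
        self.pins[serial] = pin

    def verify(self, serial: str, pin: str, code: str, unix_time: int) -> bool:
        seed = self.seeds.get(serial)
        if seed is None:
            return False
        code_ok = hmac.compare_digest(code, token_code(seed, unix_time))
        pin_ok = hmac.compare_digest(pin, self.pins[serial])
        return code_ok and pin_ok


def demo() -> dict:
    serial = "000123456789"             # constructed serial, as engraved on a token
    old_seed = b"12345678901234567890"  # RFC 4226 test secret, not a real seed
    new_seed = b"constructed-replacement-seed"
    retained_copy = {serial: old_seed}  # the serial-to-seed record kept after manufacture

    server = AuthServer()
    server.enrol(serial, old_seed, pin="4321")
    now = 59  # any moment inside the first 60-second step

    display = token_code(old_seed, now)                # what the user's token shows
    from_copy = token_code(retained_copy[serial], now)  # computed from the record alone
    results = {
        "display": display,
        "copy_matches_token": from_copy == display,
        # The seed record replaces only one factor; the PIN is still checked.
        "code_without_pin": server.verify(serial, "0000", from_copy, now),
        "code_with_pin": server.verify(serial, "4321", from_copy, now),
    }

    # The fix described in the post: a replacement token means a new seed,
    # so a code derived from the old record no longer verifies.
    server.enrol(serial, new_seed, pin="4321")
    results["old_copy_after_replacement"] = server.verify(
        serial, "4321", token_code(old_seed, now), now)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

With the seed record exposed, the remaining protection is the other password, which is why removing the engraved serial number and replacing tokens both reduce the exposure.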

Social Security Payments

Madison Kay spent $1,400 on bushels of Smurfberries. Aside from illustrating the need for Stephanie Kay to keep one-click ordering away from her eight-year-old daughter, it also illustrates the bushels of money to be made from virtual worlds: with $99 for a barrow load of smurfberries in a game ostensibly for children, what money could be made for more adult products?

There have been many red faces on social networks with the appearance of Firesheep – a simple add-on for the Firefox browser that allows anyone to hijack social networking sessions of other users on an open wireless network. The security hole was basic. While the login to Facebook is performed over a secure https connection, the subsequent exchanges are then open. These can be eavesdropped and even hijacked: the session credentials are stored in cookies on the client and sent in the clear with each request, where an eavesdropper can copy them.
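
The weakness described above can be checked from the defender's side by looking at the cookies a login response sets. The following is an added example, not part of the original post: it audits Set-Cookie headers and reports which session cookies would travel over plain http after an https login. The site name, cookie names and values are constructed, and domain and path matching are left out.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass
class Cookie:
    name: str
    value: str
    secure: bool = False
    httponly: bool = False


def parse_set_cookie(header: str) -> Cookie:
    """Parse one Set-Cookie header value into name, value and flags."""
    first, *attrs = [part.strip() for part in header.split(";")]
    name, _, value = first.partition("=")
    flags = {a.partition("=")[0].strip().lower() for a in attrs if a}
    return Cookie(name.strip(), value.strip(), "secure" in flags, "httponly" in flags)


def cookies_attached(jar, url):
    """Cookies a browser would send with a request to url.

    Assumption: every URL belongs to the site that set the cookies, so
    only the Secure attribute decides whether a cookie is attached.
    """
    is_https = urlsplit(url).scheme == "https"
    return [c for c in jar if is_https or not c.secure]


def audit(set_cookie_headers, session_cookie_names, requests_after_login):
    """Return {url: [session cookie names sent in cleartext]}."""
    jar = [parse_set_cookie(h) for h in set_cookie_headers]
    exposed = {}
    for url in requests_after_login:
        if urlsplit(url).scheme != "http":
            continue  # TLS protects the Cookie header on this request
        leaked = [c.name for c in cookies_attached(jar, url)
                  if c.name in session_cookie_names]
        if leaked:
            exposed[url] = leaked
    return exposed


# Constructed sample data: headers returned by an https login page.
WEAK_LOGIN = [
    "session_id=abc123; Path=/; HttpOnly",  # no Secure attribute
    "auth_token=def456; Path=/",            # no Secure attribute
    "lang=en; Path=/",                      # not a credential
]
HARDENED_LOGIN = [
    "session_id=abc123; Path=/; Secure; HttpOnly",
    "auth_token=def456; Path=/; Secure; HttpOnly",
    "lang=en; Path=/",
]
SESSION_NAMES = {"session_id", "auth_token"}
BROWSING = [
    "https://social.example/login",
    "http://social.example/home",
    "http://social.example/messages",
]

if __name__ == "__main__":
    print("weak:", audit(WEAK_LOGIN, SESSION_NAMES, BROWSING))
    print("hardened:", audit(HARDENED_LOGIN, SESSION_NAMES, BROWSING))
```

With the Secure attribute set, the session cookies are withheld from the http pages, so the site also has to serve every page over https for the user to stay logged in.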

So was Facebook’s hasty move to implement secure connections, which had previously been too expensive to implement, out of concern for the privacy of their users’ data? There is a bigger and more direct motive for Facebook.

Many addicts of Facebook apps, such as Farmville and Bejeweled Blitz, will have been tempted to get extra credits for a small credit card payment. Up until now each of these virtual worlds has had its own virtual currency. However, Facebook are now making the app providers use Facebook credits. The spin is that it’s simpler for the single market and travellers in these virtual worlds. But it is most lucrative for Facebook, who take a 30% commission on the exchange between real currency and Facebook credits.

And Apple makes a similar 30% on payments through its App Store – and is similarly forcing app providers to make payments for usage of apps through the App Store. This makes easy money from virtual products like Smurfs’ Village – even with hasty patching forcing users to input a password for purchases – but is tough on real service providers like Spotify. Even Rupert Murdoch – whose iPad-only Daily launched last month in the US – pays 30%.

These may be small amounts individually but are enormous in total. The market capitalisation of Zynga, owner of FarmVille, is over $5.5 billion – comparable to the merged British Airways and Iberia (IAG) at $6.7 billion – so a 30% cut of their revenues is… a lot.

Keeping Tags On Your Assets

Some old-fashioned truths were brought to the fore at LeasingWorld Expo, which led Nic Evans on to a high-tech solution for a very current industry challenge.

Mark your card

“Mark your card” said the magician. I wrote my initials and a smiley on the four of clubs before holding it firmly down on the bar in the Tattershall Castle. With hindsight it was inevitable that my card should have gone from under my hand. The mystery remains of how it got to be folded and gripped by a paper clip in the magician’s hand, which had remained in clear view of both myself and the esteemed editor of Leasing World.

This incident took me back to the FLA Seminar earlier that day at LeasingWorld Expo on Responding To Higher Credit Risk. I expected a discussion on the finer points of credit analysis or risk-weighted pricing. However, Robert Munn of Total Asset Recovery took us back to a much more fundamental truth. “In this challenging economic climate, as credits are more difficult to underwrite, the Asset is your key collateral. This needs a proactive approach to asset management.”

The key questions that Rob posed at the seminar are:

  • Does the asset exist? – Speak to dealers and suppliers. Physically inspect some of them.
  • Is it correctly priced? – Check asset prices – from manufacturers’ price lists and by physical inspection.
  • What’s the asset worth now and over time? – Get a market valuation prediction.
  • Are you buying what you think?
  • What’s your audit policy? – Audits counter fraud.
  • Will the asset be there if the dreaded day comes? – Asset marking is an important, often neglected activity in fraud mitigation.

We have all been there:

  • The Credit Director wanders into the IT department asking “Could you just look down this list of kit and see if the prices are reasonable?” “Well that must be a great laptop at that price!”
  • The unseemly rush of funders trying to get ahead of the receivers as they make sure that their assets are clearly marked.
  • Dawn raids on dodgy Essex motor dealers with suspiciously empty forecourts.

Return to ‘Old Fashioned’ lending

There is no money in being wise after the event. “Return to ‘Old Fashioned’ lending – get to know the customer and treat your asset as core collateral” says Rob. He went on to show some of the practical inspection services and asset marking services that Total Asset Recovery offer. A DNA datadot, less than 1 mm across, can be invisible to the untrained eye, but contain more information to identify an asset than an easily removable serial number sticker.

Clearly the power behind such identification is the central asset register. The Vehicle Finance Industry is familiar with the HPI database – and that is clearly a major protection against asset fraud.

“Why haven’t registers been adopted for other sectors?” came the question at LeasingWorld Expo. In technology serial numbers are widely used – although the Service Tag seems tightly managed by the manufacturers. Could they have a vested interest in controlling this connection to their customers rather than sharing a central register? Technology funders such as 3Step IT also offer services for asset tracking and management, giving lessees online access to maintain additional information on their equipment, such as cost centre and location.

Chips with everything

In the last decade the use of technology for identification of assets has become very established. The principal technology in this area is Radio Frequency Identification or RFID.

The basic version – Passive RFID – has chips that respond with their identification when scanned. Chips can be embedded in an asset, which makes them hard to remove. This technology has already gained acceptance in financial services for micropayments, with toll road payments, touch n’ go payment cards and London Transport’s Oyster Card. While such “electronic purses” usually don’t hold balances on the chip, the storage on these chips can be large as is seen with their use in biometric passports. The security of such sensitive information is an issue, with reports of data being read off the passport over several yards, even though shielding is now built into the covers of US passports.

Another limitation of this passive technology is clearly demonstrated by my dog Clover: despite being ‘chipped’ – which gives her buttock more intelligence than her head – this is no help in finding her when she escapes. Active RFID overcomes this limitation by having a powered chip that can transmit up to 50 feet using Wi-Fi technology. This can be increased to a distance of several miles by using mobile phone technology, which allows tracking across the coverage of mobile phone networks, and finding the location by measuring the distance from several mobile phone masts.

Location, Location, Location

“The primary benefit of this technology to the funder is the security of the asset,” says Adrian McMullan of L&A Consultants, who specialise in integrated resource management for fleet and logistics operations. “If you are concerned over the location of vehicles, alarms can be set that will notify you if the vehicle passes way points such as approaches to ports. It can be covertly equipped in the dashboard or under the engine – there are so many black boxes in a modern vehicle it is hard to remove.”

At his desk or on the golf course?

Such pervasive tracking does resurrect the old tachograph “spy in the cab” arguments, with a very modern twist of internet privacy. Indeed it has even been controversially suggested that companies should use this to measure the effective use of some of their more expensive human assets – keeping track of their sales force by the location of their mobile phones.

Once you have this connection to track your assets almost wherever they might be, then clearly they can communicate not only their identity but also usage and service data. This starts to open up new opportunities for leasing and equipment rental:

  • Copiers that send in their own meter readings.
  • Cars that not only say how far they have driven, but how fast and even how well.

“You can get real-time mileage capture for vehicles, which both warns of excess usage and prevents clocking,” says McMullan. “Both funders and insurers ask us to provide Incident Data Recorders – IDR – that are triggered by extreme deceleration. They will record speed and other measurements every tenth of a second for thirty seconds before the deceleration and fifteen seconds after. Insurers use this to find who was at fault for an accident. Funders can check that repairs have been carried out to protect the value of their asset. Hitting a kerb may not visibly damage bodywork, but the funder can see that the impact could have damaged the chassis.”

Getting Connected

Such “Smart” telemetry can fundamentally change the whole economic relationship between the asset and the user. “Once devices are connected and their use can be metered, there is no longer any need to buy them,” says The Economist’s technology correspondent Ludwig Siegele, in his recent report on Smart Systems.

Which car shall we use today?

In London, and several US cities, members of Zipcar simply log on to find the nearest vehicle (that reports its own position by GPS), unlock the car with another RFID chip in their membership card, use it by the hour and then return it to any of the allocated parking bays across the city. You can look for the nearest estate car if you have a load to move, or make a ‘lifestyle choice’ for a coupé with a sunroof and an adapter for your iPod.

Rolls-Royce offer in-flight monitoring for their jet engines, which not only lets them charge airlines a fixed cost per flight hour, but also allows them to predict when maintenance will be needed, which increases aircraft availability. (It is not known whether this showed any problems with the Rolls-Royce Trent engine that disintegrated on the Qantas A380 over Singapore in November.)

Paying for service

Now the IASB’s Exposure Draft places new requirements for lessee capitalisation and complex accounting calculations. It is widely expected that this will drive a large move toward service contracts in order to keep assets, particularly non-core assets, off the balance sheet. This will mean many finance industry changes:

  • from copier rental to managed print services,
  • providing the use of a car, rather than lease of a specific vehicle
  • even paying for thrust rather than financing a jet engine.

Use of such smart systems to remotely monitor usage clearly allows charging for a service rather than the right to use an asset.

Could we even see city car sharing schemes like Zipcar coming to the company car park?

A message behind the Boris Bike?

Perhaps the sponsor’s message on the back of the “Boris Bikes” now being rented around London is a sign that one bank has already spotted this opportunity in technology-enabled short-term service contracts?

This article appeared in the January 2011 edition of LeasingWorld.

(c) Nic Evans 2011. This Article may not be reproduced, in full or in part, without the prior permission of the author.

Nic Evans is an independent consultant and interim manager for commercial finance technology and business agility. He is an affiliate at Invigors LLP. If you want to discuss any points raised by this article or broader issues he can be contacted by email nic@nicevans.eu or through LinkedIn http://uk.linkedin.com/in/nicevans

Get Set for Leasing Systems Shake-up.

Will IT ease the pain of IASB change? asks Nic Evans.
Debate has raged on both sides of the Atlantic throughout the leasing conference season about the International Accounting Standards Board (IASB) proposals for lease accounting. The exposure draft (ED/2010/09) was the subject of a public meeting in London on 5 November, hosted by the FLA and the UK Accounting Standards Board.
Whatever happens as a result of responses to ED/2010/09, significant change is certain. “Lessee capitalisation… is set in stone,” IASB member Pat Finnegan says. “The financial crisis has really dictated that accounting standard setters take a very serious look at current accounting models and not proceed on the glacial path that they have been following for many years.”
How should the industry manage such change?
Be prepared
Nick Pattenden, MD of specialist finance pricing supplier Field Solutions, says: “The thing to do now is to get back to the IASB and say, ‘This will be the effect on my business and this will be the cost’. Do the benefits of the proposals outweigh the costs to us and to our customers?”
Having submitted comments to their national Accounting Standards Board, companies should start to plan. “Time spent planning is never wasted. If you plan for the worst, it won’t be wasted if things don’t turn out so bad. You will need system resources and adequately trained people,” Pattenden says.
A lot of preparatory work can be started now.
“Finance companies will need to review the impact to the business from A to Z and then assess the impact to their systems,” says Ian Charik, Cassiopae asset finance director.
Implementation can be scheduled as soon as the timescale for the new standard is published. Management should avoid other systems-related work, such as mergers and acquisitions, during this time.
Impact on sales behaviour
The complexity of lessee capitalisation may put off many potential customers from leasing. Equipment funders are already hearing from large lessees they will stop leasing for non-core assets.
At the London meeting, Mark Venus, BNP Paribas accounting and reporting and chair of LeaseEurope accounting committee, said: “A purchasing manager whose job today is to rent photocopiers will need to be trained in law and accountancy to be able to analyse the contracts for each photocopier, and to provide estimates back to head office of likely outcomes for each lease.”
Funders may, as part of the sales process, need to provide additional information and illustrations, with independent verification, to help lessees. Treasurers and CFOs may need training about the benefits of leasing.
ED/2010/09 fails to distinguish between lessees’ core assets and fungible assets, like copiers and cars. “In these areas we will see a move toward managed services, and even to contract rentals where, rather than lease specific vehicles, users are provided with the service of a car averaging, say, 18 months old,” Pattenden says.
As the new standards change the timing of funders’ profits from the lease, will this change methods of pricing?
Pattenden claims that in smaller ticket deals sales will still be driven by money over rate of return. “Sales people won’t keep in mind accounting profit. But there will be a less direct connection where business development will target sales of particular products,” he adds.
David Maxwell, director of Classic Technology, says: “While the accounting standards shouldn’t be driving commercial decisions, funders are going to want to see year on year profits.  And while the IASB have tried to do away with structuring, this will continue – just in new areas. For bank regulated funders and where there are any tax benefits the pricing will also change.”
Tipping point
ED/2010/09 has a clear impact on lessors’ administration and accounting systems.
FLA chair of asset finance George Lynn says: “To demonstrate the level of complexity we reckon that there are at least 75 steps that you have to go through to get the information that is required for the new methods. To put that in context, there are 10 steps required for a current operating lease, and about 30 steps for a finance lease.”
Cassiopae’s Charik adds: “A lot of systems, on both sides of the pond, have the accounting treatment hard wired – even to the extent that lists of products can’t be changed.”
Joe Franco of IDS sees a similar impact in the US. He says: “The impact of the changes was clearly demonstrated at our recent ELFA National Conference: attendance at the sessions discussing the lease accounting changes was high. And you are also right that most of the systems are hard wired.”
CHP Consulting senior manager Nick Pattison says: “A significant number of companies will have to look long and hard at their systems. This will be the tipping point for a number of lessors, particularly those who have been keeping in-house systems going over the years. It will be a significant investment to make the changes needed to in-house systems.”
Lessors who already have modern, highly configurable, systems will have a significant advantage.
“Any changes that do have to be made to our software will have a lot less impact,” Pattison says. “It will be keyhole surgery rather than an open-heart operation. This will save significant time on implementation and re-testing.”
Charik says: “Any software changes that are needed will be provided under our support agreements at no additional cost to our customers. We give the guarantee of compliance in each country where our software is operating.”
Pattison believes that making the software changes is not the expensive part, and that the bigger project will be to apply the new lease classifications across the current portfolio. “Performance obligation, derecognition or they may no longer be classified as leases, but rather installment purchase or service contracts,” he says. “There are a number of areas where discretional decisions have to be made. A big ticket lessor can look at each lease but the smaller ticket business will need to apply rules based on contract data. CHP’s ALFA has the business rules engine to automate the decision and it stores contract information at the most detailed level, enabling it to be used as the basis for the classification.”
Multi-GAAP
White Clarke Group chairman Ed White says: “CALMS has been designed to have multiple accounting methods, so you can see the impact of the new methods alongside the old operating and finance leases.  A rules-based system allows you to incorporate processes to make consistent judgments needed for the new standards. It will be a lot more work for lessors without this, which will significantly add to their costs.”
Charik says: “Multi-GAAP allows parallel running, with the old treatment running alongside the new methods. Cassiopae allows multiple strings, but systems with just one set of books, or even dual accounting, will struggle.”
Pattison says: “In countries where the take up of the new methods is different you can keep local GAAP, while also using IAS when the parent chooses to adopt it.”
Even companies using compliant packages will face problems if they are running on older versions of software. They may be tied to a particular version of software because of customisations, or they may have held off upgrading because of the effort and cost involved.
Interfaces will give further challenges. The feed of information on new business coming from customer relationship management and point of sales systems will need to be modified. An interface inevitably involves changes to two systems, so this can considerably add to the complexity and timescales for change. Although a lease administration system may be fully configurable for new financial products, the front end systems will be more constrained. Few accountants like to entrust lease classification to their sales force.
Lessors and major lessees will at an early stage need to model the impact of the accounting treatment on their current portfolios of leases.
Pattenden says: “A lot of people will look to Excel to do this job, but this is fraught with problems. We have software that will manage portfolios, but it’s not just a case of plugging it into your database. Data acquisition is the difficult part. No two package software installations are the same. It is a consulting exercise so everyone understands how the data is being used and the assumptions that are made.”
While transitional arrangements for moving to the new standard are still to be agreed, CHP claims its ALFA has another advantage. “We can make mid-life changes to lease income without the need to terminate or rebook the lease,” says Pattison. “This also has an effective date which allows us to make the changes retrospectively, or just going forward.”
What will be the consequences for leasing companies and their customers if the deadlines are not met?
Pattenden says: “Failure to meet the deadlines would be disastrous. It’s a regulatory issue that you can account for your full business, current and future.”

ED/2010/09 – call to action

  • Understand the impact to your business. Talk to your auditors, advisors, your customers, parent company, other subsidiaries and business partners, your IT provider and industry bodies.
  • Build a vision for the new shape of your whole business: what is your distinctive value to customers, and what products will you offer? How will you get the efficient flow of business and information through your operations? Brainstorm with all areas of your company and work through scenarios. Consider an external facilitator to stimulate ideas.
  • Work with your current IT provider to see how they can support the new business models.
  • Get independent advice on systems options. Your incumbent provider will not suggest that you consider alternatives to find the best IT strategy for the evolving business.
  • Identify the scope of changes to be made, gaps in your current processes, priorities and the benefits to be achieved.
  • Identify the resources you will need. Get your best internal people to build and start the new business – and plan to backfill their current work.
    Consider external resources for the transition with skills for accounting, project management and business process redesign. Industry expertise will be in short supply – “It’s a case of Book Early for Christmas” says one consultant.
  • Plan the work to be done, breaking down the task for estimating, understanding the costs, effort and risks, and go through iterations until you get the plan right.
  • Keep the vision and benefits to the fore in executing the plan. Allow for adjustments to the strategy while keeping a tight control on scope.
An edited version of this article appeared in the December 2010 edition of Leasing Life.
A printer friendly PDF version of this article can be downloaded from https://www.box.net/shared/vk9s3b5gjl

Nic Evans is an independent consultant and interim manager for commercial finance technology and business agility, and he is an affiliate at Invigors LLP. Nic may be contacted by email nic@nicevans.eu or through LinkedIn http://uk.linkedin.com/in/nicevans .

Achieving efficiency in a new dimension

My introduction to pan-European finance technology came on the day Europhile Tony Blair became prime minister. After casting my vote, I drove to my company’s newly opened Paris office to struggle with installing a French version of Windows 95 from 24 floppy disks. Since then I have become well versed in the benefits and practice of multi-national finance systems.

So I feel a neat parallel as we enter a new era of domestic coalition politics in the UK, that there is an increasing realisation that in the current climate more untapped and immediate efficiencies might be gained from a coalition of commercial finance businesses.

Let’s first have a look at some trends:

  • Through the slump at the start of 2009 just about the only new UK finance business activity was Private Equity investor Anacap’s creation of Aldermore. This combined the banking licence and source of funding from Ruffler Bank, Base Commercial Mortgages, newly formed leasing operations, and then the acquisition of Cattles – now Absolute – Invoice Finance and portfolios from Heritable Asset Finance.
  • Santander, which already has Abbey and Alliance & Leicester’s leasing operations within its Corporate and Industrial Banking unit, also added Liquidity, a specialist factoring and invoice discounting provider, and a joint venture with Zenith Provecta to provide a fleet funding and management solution.
  • Lloyds TSB Commercial Finance has continued its merger of commercial finance operations including Bowmaker and Alex Lawrie, while it acquired further operations with its acquisition of HBOS.
  • And in continental Europe during the last month Credit Agricole Leasing and Eurofactor have merged.

So how does technology support the synergies that are obviously being sought here? Well, on the whole, from the software vendor side the answer to that question has to be “not immediately”. In the UK the majority of packages remain aligned with one or two of the traditional silos of commercial finance. Perhaps this is changing – as recently demonstrated by White Clarke’s acquisition of Nexus and Cassiopae’s purchase of InfoParc.

Laurent Tabouelle, Product Manager for the iMX Commercial Finance solution at Codix (who supply software to both sides of Credit Agricole Leasing and Factoring) explains: “We have two flavours of iMX: one for commercial finance and one for debt collection. Regarding commercial finance, you hear a lot about products – Invoice discounting in the UK, Inhouse Factoring in Germany, supply chain finance, commercial finance – but to me these are mainly  marketing terms. When you really look at the details of those products, they are broadly the same but with different names in different details, and legal constraints. From a systems standpoint you don’t want different systems to handle different products. If you have thought of those products in a flexible way up front then you can very easily handle them in the same system, even in the same contract for the same customer. Today, I am speaking to prospective clients who have two or three systems. Why? ‘One for my invoice discounting, one for my financing of receivables, one for my leasing and other types of commercial finance.’ And why? ‘Oooh…because they are so different’. But the bottom line is that you have a creditor and collaterals, then all products are variations around those key concepts. By having several systems you spread your risks over systems, which is not what is wanted. It increases the operational risk because you don’t see it. Handling all these products on a single system, in the same way, is our focus.”

Even without software packages that will cover all of the finance products there are still efficiencies that can be gained from business operations. Could you achieve benefits just by simplifying the business without a single system? “One alternative that we are seeing more interest in recently is Business Process Management solutions,” says Steve Byrne of Cap Gemini. “This alternative enables companies to leave the existing infrastructure in place and still deliver enhanced, standardized, processing capabilities.”

If we extend the basic concepts outlined by Laurent Tabouelle, we have the two fundamental components of any commercial finance:

  • Providing finance to a customer in return for collateral or lien of an asset.
  • Collecting receivables from a creditor – who is getting economic benefits from the asset.

The efficiencies that can be gained from use of technology and business process management – and where money can be made – in this process come in three areas:

  • At the start with risk based pricing for the finance.
  • In the middle with management of the assets and collateral that are your security.
  • And finally with efficient collection from the creditor.

This should be a cyclical process – particularly under Basle II – with feedback from the collections history – and the asset management process – being used to improve the accuracy of the pricing.

The most immediate benefits of synergy are to be had at the back end of this process. But don’t fall into the trap of thinking of it as a standard accounts receivable shared service centre. The collections process for each commercial finance product has unique features with long separation in time (for leases and commercial mortgages), separation of your customer and your creditor (for invoice finance and factoring) and even geographical separation (if we include trade finance).

However the general concepts of a shared service centre can be applied to the collections process, accounting, statutory and regulatory reporting – and by sharing IT services, if not applications – to start to get real efficiency gains, particularly in a market that is still effectively in recession.

And there will be challenges, not least cultural differences between the traditional silos of commercial finance, not unlike those faced by multi-national finance systems delivery.

An edited version of this article appeared in the June 2010 edition of Leasing World.

(c) Nic Evans 2010. This Article may not be reproduced, in full or in part, without the prior permission of the author.

Nic Evans is Director of Evans Global Associates, delivering consultancy and interim management for commercial finance technology and business agility. If you want to discuss any points raised by this article or broader issues he can be contacted by email nic@nicevans.eu or through LinkedIn http://uk.linkedin.com/in/nicevans
