For many established financial institutions, the rapidly growing involvement in fintech M&A is fuelled by the promise of solutions for realising cost efficiencies across existing service models, maximising existing customer bases and tapping new markets.
However, M&A is no magic wand—the right business pairing, efficient execution and effective post-deal integration are of paramount importance to a successful inorganic strategy. In this article, we examine four key issues that strategic investors should carefully consider in the context of bolt-on fintech M&A, namely:
- Ensuring regulatory compliance
- Protecting intellectual property
- Tackling data protection and cybersecurity concerns
- Integrating the target's management team
Regulatory compliance is a fundamental area of concern for strategic investors, not least because of the severe financial penalties (and even, in some cases, senior manager culpability), damage to customer sentiment and market reputation as well as harmful impact on relationships with regulators which non-compliance can bring.
A thorough investigation, as part of the investor's pre-deal diligence process, is important for unearthing which (if any) regulated activities are being conducted by the target and whether the correct permissions are in place to carry them out. Investors in international fintech businesses should tread particularly carefully as different regulatory approaches across jurisdictions can create additional complexities.
The continually shifting regulatory perimeter can also pose a threat for fintech businesses further down the line, and a lack of preparation can quickly spiral into unviability of the target's operations. This risk can be mitigated by having a forward-looking approach to regulatory requirements. Issues to be addressed early on include assessing the likelihood of the target's future need for regulatory authorisations and determining which regulatory framework(s) may apply.
- Does the target have the relevant regulatory licenses to operate?
- Are there any circumstances which could lead to those licenses being restricted or withdrawn?
- What are the upcoming changes to the regulatory landscape which are likely to impact the target's business?
New, innovative technology is at the heart of all fintech businesses. Furthermore, the build-out of this technology may have involved multiple parties (including freelance coders and agencies) contributing to the coding, algorithms and design. It is therefore important to ensure that all such IP/IT rights are vested in the business, and to understand any restrictions on use. When tackling IP/IT matters, a good starting place is deciding which of the target's assets are material for its operation. From there, it can be determined whether the target owns, or at least has exclusive rights to use, these assets and whether trade marks will be needed to protect the target's branding and identity. Future-proofing can be achieved by ensuring the target has the right legal infrastructure and governance in place to upscale and protect its IP.
- Does the target own or have the exclusive right to use IP necessary to operate?
- Does the target have the right infrastructure to develop, exploit and protect its IP?
- Is the target's IT scale-able to meet demand? Is this IT compatible with the investor's own systems?
Data protection and cybersecurity
The collection, analysis and manipulation of data are a core part of many fintech operations and its protection is essential for building and maintaining end-user trust. With new, stricter data protection regimes, many with extraterritorial effect, coming into force across Europe and elsewhere, the ability of a target to comply is now, more than ever, crucial to its success – having the right internal procedures and protocols in place is a must.
Cyberattacks pose an obvious and serious threat to data-heavy fintech businesses. Under many data protection regimes, fintech businesses are responsible for identifying the cybersecurity risks they face and for ensuring adequate technical and organizational measures are implemented. These measures will not only need to address the risks the business currently faces but also be sufficiently malleable to ensure continued compliance in the event the business changes the way it processes data.
- Does the target have programs which will enable compliance with relevant data protection regulations?
- Are the target's technical measures, monitoring and training policies and practices robust enough to withstand cyberattacks?
- Does the target have appropriate protocols for responding to cybersecurity breaches?
Integrating the fintech target's existing management team
An investment in a fintech start-up is often an investment in its senior management team and their ability to deliver on their contractual promises. The incumbent management team will often best know the ins-andouts of the business plan as well as the business' operations, employees, customers and regulators. Therefore, if an investor intends to retain existing management, effectively integrating the team is critical.
Carefully constructed service agreements with management, governance arrangements within the target, management incentive arrangements and succession planning are key ingredients for a successful relationship between a strategic investor and the target's existing management team.
- What should be the key focus for investors in service agreements with management? (e.g., lock-in period, post-termination non-competes/non-solicits, etc.)
- Will management be afforded post-investment board representation rights? If so, deadlock resolution mechanisms must be robust enough to protect the investor.
- What financial structure is proposed to incentivise management? If a "real" equity scheme, robust good/bad leaver and drag-along/tag-along provisions are critical.
This content first appeared in Chambers Professional Advisers: FinTech.