Investment in fintech companies is at an all-time high. “Unicorns” are start-ups that have valuations of more than 1 billion dollars. The majority of the unicorns are in the fintech industry. Fintech companies are often agile and innovative, which can lead to initial success, but certain issues cannot be ignored if fintech companies want to leverage their valuations for an investment or acquisition.
Intellectual property is one of the most valuable assets of a fintech company and is often the driver of company valuations for acquisition and investment. IP assets, such as patents, technical know-how (including software and other technology), trade secrets, copyrights, licenses, trademarks, and data, are assessed by sophisticated purchasers and investors during a due diligence phase prior to closing of a deal. Accordingly, in preparation for an investment or acquisition, a fintech company needs to ensure it has:
- taken appropriate steps to register and protect its IP;
- implemented and complied with its data privacy and security practices and policies; and
- addressed any issues arising from the use of (1) third-party IP, (2) open source software, and (3) development by third parties (e.g., independent contractors or third party vendors) of any IP used by the fintech company.
Many fintech companies operate outside of financial services regulation, but a buyer might bring the business under such regulation. Thus, the fintech company should consider whether its technologies or processes will comply with regulatory requirements, as non-compliance can affect valuation and raise liability issues in an M&A transaction.
A buyer’s assessments during a due diligence phase of an investment or acquisition often involve the following:
- Conducting a comprehensive review of all of the IP (and related documentation) utilized in the fintech company’s business, and any issues impacting the IP (e.g., liens, third party rights or claims, or litigation affecting such IP);
- Confirming that the value it places on the fintech company is supported by the IP that the fintech company owns or has the rights to use and transfer, as any issues preventing the use or transfer of the IP can impact the transaction or the price the buyer is willing to pay; and
- Ensuring that the fintech company has implemented and maintains appropriate policies and practices regarding data privacy and security.
Fintech companies should take the following concrete steps now to maximize the value of their IP assets for any future deal.
Develop a System to Document all IP and Continue to Update the List of IP
The fintech company should liberally document all IP or potential IP that is used in its business, which includes:
- Patents and patent applications (including patent numbers, jurisdictions covered, filing, registration and issue dates);
- Trademarks and service marks;
- Trade secrets;
- Know-how (for example, technical information used in the business);
- Systems, platforms, software, and other technology (both on premise and cloud based) identified by name and, for software, storage of source code;
- Data and databases;
- Mobile applications;
- Domain names; and
- Social media accounts/handles (Twitter, Facebook, LinkedIn, etc.)
Obtain and Store Documentation Evidencing Ownership or Right to Use Developed and Acquired IP
Companies, particularly fintech companies, naturally focus effort and energy on developing products and services and creating revenue streams from those products and services. Understandably, it is not uncommon to find that there are uncertainties as to the ownership of (or the right to use or assign) the IP embedded in or utilized with such products and services, particularly if the individuals who were involved in the development are no longer with the company (or worse, now work for a competitor).
Documenting ownership along the way during product development is an investment that is sure to pay off in closing a deal. Some of the key elements to ensuring proper ownership and right to use include:
- Obtaining signed confidentiality and assignment agreements from all employees and contractors to protect ownership rights in, and prevent unauthorized use or disclosure of, the fintech company’s IP. Beware of using “form” agreements that may not adequately address these issues.
- Limiting licenses granted to third parties with respect to the IP, as overly broad or unclear licenses can impact the fintech company’s ownership rights.
- Identifying whether the fintech company’s IP was developed jointly with another party or developed using government, university, or military resources, as these arrangements may also restrict the transfer of the IP, mandate sharing or ownership of the IP with third parties, or require a payment in connection with the acquisition.
- Being wary of licensing third-party IP or software under terms that impose restrictions upon a change in control of the company, or that limit the ability of the company to assign the rights licensed from the third party.
Implement an Open Source Policy and Understand License Restrictions of Open Source Code Used in Products
Many software engineers and developers use open source software or incorporate such software into their work in developing products or technology. But the use or incorporation of such open source software by a fintech company can lead to ownership, licensing, and compliance issues for a buyer. In particular, some open source licenses require any user modifying and distributing the open source software to make its source code generally available to other users and to license its software to third parties under the same terms as the open source license. Buyers usually want a representation and warranty that no open source or similar software has been incorporated into any of the fintech company’s software or products, as they want to be able to exclusively use the fintech company’s technology. Thus, open source issues could become a deal killer.
During the start-up phase, open source may have been unknowingly used. Accordingly, a fintech company planning for an acquisition should use a software program, such as Black Duck or Palamida, to scan its software to determine whether it has an open source issue. The fintech company should also implement an open source policy regarding if, when, and under what conditions open source is allowed to be used. Such policy should apply not only to the products and services developed by the fintech company, but also with respect to any independent contractors, vendors, and third-party service providers utilized by the fintech company.
Develop and Implement Data Practices
Depending on the nature of the products or services offered by the fintech company, data can be a very valuable IP asset, but can also be a liability if there is a data breach or violation of law in connection with the fintech company’s collection, use, and disclosure of such data. Thus, an investor or buyer will want to confirm that the fintech company has implemented and maintained appropriate policies, practices, and security measures in connection with the company’s collection, protection, and use of data. These can include ensuring that the fintech company has taken appropriate steps to secure data from unauthorized access or use, investigating whether there have been any breaches of such data, and obtaining any requisite consents or providing required notice with respect to its collection, use, disclosure, and transfer of data (e.g., under the Gramm-Leach-Bliley Act, the GDPR, etc.).
Thus, a fintech company should:
- Implement formal data privacy practices which address the types of data that will be collected by the fintech company, how such data is collected, internal security measures to protect such data from unauthorized access, use, and disclosure (which should address not only hackers but also employee access and use given that the majority of data security breaches are actually caused by an employee), and when data may be disclosed to third parties, all of which are considered data practices.
- Regularly audit its data practices and ensure compliance with its privacy policy and any applicable laws and regulations.
- Review third-party contracts to ensure that third-party vendors and service providers are appropriately bound by robust confidentiality and data security obligations (a number of data breaches, including Target’s, have been caused by third-party vendors).
- Document and implement a data security breach plan.
Experienced counsel can assist a fintech company in these endeavors and help pave the way for a successful investment or acquisition at maximum value.