Under many federal and state laws, the owner or operator of a consumer financial services provider is responsible for complying with numerous statutes and regulations. The failure to comply with legal requirements can lead to injunctions, consumer refunds, fines, penalties, and, in some instances, void consumer agreements. Often that liability is strict—the consumer financial services company need not have intended to cause the violation to be liable for financial payments and conduct restrictions. When acquiring consumer financial products and services, such as deposit products, lending activities, money transmission, or a business that provides consumer financial products or services, one key to avoiding consumer financial services law liability is to understand the regulatory risk before buying the portfolio or business.
Consumer financial services legal and regulatory due diligence is therefore an essential element of any such transaction. For most prospective buyers, the minimum diligence will include a review of company-provided information, such as a confidential information memorandum (CIM) drafted by the investment advisory firm seeking to market the business and, sometimes, legal and other consultant memos produced at the request of the seller to address specific topics.
But merely reviewing the CIM and other introductory materials provided by a target may not be enough. Information provided by a target may not provide a complete picture of the company's activities, or include third-party materials with conclusions based on an incomplete set of information (or the law). Furthermore, material provided by the target, including its third-party consultants, may not identify all of the potential sources of consumer financial legal and regulatory liability. As a result, consumer financial services regulatory due diligence should include a carefully planned scope of work and a careful review of as much information as possible.
Here are five common issues we see when working with clients in the diligence process.
1. Insufficient Information
As in any diligence, the more information there is to review, the more nuanced the risk analysis. When deciding on the scope for regulatory diligence, prospective buyers should take into account a target's marketing programs, product and service mix, customer base, and other factors, as appropriate. There is no "one-size-fits-all" set of diligence requests when reviewing highly regulated consumer financial products and services. Typically, consumer financial services regulatory due diligence includes a review of target company documents (i.e., policies and procedures for products and services, compliance management system, training, audits, monitoring, compensation, scripts, marketing programs, advertisements, other promotional materials, agreements, org. charts, consumer complaints, and software testing, as applicable); management and policy review (e.g., review of written policies and procedures, customer complaints, internal and external audit reports, and exam reports); and transaction testing / account-level reviews, as appropriate. Depending on the type of products and services offered, there may be exam or audit reports that can be used to efficiently identify areas for deep-dive reviews or to make early decisions to forgo the merger or acquisition.
2. Failing to Understand Consumer Complaints
Consumer complaints can play a key role in the detection of consumer financial services regulatory risk factors. Complaints may be made directly to the company, service providers, government agencies (e.g., the CFPB, FTC, state attorneys general, other federal and state agencies, and online portals and message boards). As a general matter, consumer complaints may highlight weaknesses in a company's compliance management system, including training programs, internal controls, audits, and monitoring. Complaints lodged against subsidiaries, affiliates, and service providers (e.g., marketers, lead generators, servicers, and others) may provide a window into areas that need closer review. When reviewing complaints made against a business or its products and services, how the company addressed the complaint internally and externally may be as important as understanding what the initial cause of the complaint was. The absence of complaints doesn't always mean a company is in compliance with all legal requirements; complaints can be one indication of practices that merit closer review.
3. Missing the Significance of Licensing and Approvals
It may become apparent that a target has failed to comply with some state licensing or other compliance requirements. For example, licensing and related requirements may have changed, the applicability of a statute or regulation may not be black and white (for example, this is possible with loan broker statutes that could apply certain advertising lead generation activities, or potential arguments for an exemption from an otherwise relevant and applicable law, which is often seen in the area of money transmission / money services), or a licensing body has to be informed in advance of (or approve) a change in control. From a regulatory due diligence perspective, it often can be critical to understand the compliance position of the target. When considering licensing and substantive compliance requirements, it is important that state law compliance is reviewed in as much detail as possible. Some state laws, including lending laws, render consumer transactions void or voidable if they are made without a license or by a non-compliant provider.
4. Lack of Anticipating Government Examinations or Investigations
Consumer financial services are highly regulated and are often subject to examination and sometimes investigations. Potentially problematic risk practices are often identified during diligence, which later could be swept up in information and document requests in an examination or investigation. A key source of potential information about a subject of government scrutiny is prospective investors. And, in recent years, government enforcers have sought due diligence materials from investors and potential investors with an eye to assisting in their own investigations. Once the due diligence team has been assembled, consider the communication and work product protocols that will be put in place. What steps will be taken to protect privileged communications, such as legal communications between clients and their legal counsel? Will the information exchanged by lawyers and clients be for legal advice, and will it be shared with non-legal consultants? What protocols will be put in place for requests for legal counsel, non-legal communications among the deal team members, and the creation and retention of work product?
5. Focusing Only on the Past and Not Future Proofing
Buyer diligence inherently involves looking at the past activities of a target. Past and present consumer financial services legal and regulatory landscapes may be very different from each other. Even in a deregulated environment, it may be critical to understand how the target viewed and addressed compliance at the time its business model was developed, and when each consumer transaction took place. The latter can be an especially complex and technical analysis if the potential transaction involves consumer accounts that were purchased by the target. A prospective buyer also will want to understand the potential future legal and regulatory landscape applicable to the business model. While no one has a crystal ball, regulatory regimes are constantly changing, and, frequently, business models for consumer financial services are based on nuanced and specific interpretations of compliance obligations that are subject to interpretation or litigation. What's on the regulatory horizon may be impacted by changes in the law, regulator expectations, or court decisions that affect the target.