M&A in the Payments Sector: Key Legal, Regulatory and Contractual Considerations

Mergers and acquisitions involving companies in the payments industry have continued at a fast pace in 2020, with an increasing focus on payments solutions beyond traditional credit cards and deposit accounts. The COVID-19 pandemic has served as an accelerator for digital payments solutions, with a push toward contactless payments and digital solutions for those sheltering at home. The pandemic has also exposed fintech companies with less durable revenue models and may increase the sale of fintech businesses to incumbent bank acquirers. Many large banks are reacting to the pandemic by prioritizing mobile channels and accelerating their drive to digital transformation, and in many cases that decision may lead to acquisitions where the ability to build digital businesses internally is viewed by incumbents as too slow and cumbersome.1 The payments space in particular has been viewed as a bright spot for fintech, with embedded payment solutions (where payment innovations are embedded in the end user experience of a non-financial business) gaining traction. Technology companies, such as Facebook, Apple, Amazon and Google, are also investing in payments solutions. The growing importance of online payments processors, such as PayPal and Stripe, and embedded payments companies, such as Shopify, Instacart and Klarna, exemplify these trends.

Accelerating Trend of Payments Companies M&A

Several large capital raising rounds demonstrate the strength of payments companies despite, and partially because of, the COVID-19 environment. Trends driving this growth include the changing needs of consumers, including the desire for cashless payments, digital onboarding, paperless identity verification and modernized payments infrastructure. In April 2020, payments processor Stripe raised $600 million in a Series G preferred stock capital raise with an enterprise value estimated at $36 billion. The progress in 2020 of Marqeta the digital card issuing platform, is indicative. In May 2020, it raised $150 million with an enterprise value estimated at $4.3 billion. In July 2020, Marqeta partnered with JP Morgan Chase to launch digital-only credit cards and, in October 2020, Marqeta and Mastercard announced a global partnership. Throughout the summer of 2020 rumors of a Marqeta IPO were reported.2

Perhaps the best indication of the importance of digital payment solutions can be seen in the three large deals announced in 2020 by three of the largest credit card networks, American Express, Visa and Mastercard.

Visa/Plaid: In January 2020, Visa announced that it would acquire data aggregator Plaid, with a closing still pending as of the date of this article. The consideration for the transaction totals $5.3 billion, consisting of approximately $4.9 billion of cash and $400 million of retention equity and deferred equity consideration. This acquisition will allow Visa to continue expanding from its core credit and debit network business into an emerging fintech ecosystem. Prior to the acquisition, Plaid successfully worked to allow consumers to connect their bank accounts with numerous successful fintech businesses (e.g., the popular "Venmo" application). According to Visa, the acquisition of Plaid presents an opportunity for Visa to use its reputation and recognition in the marketplace to grow Plaid's payment capabilities and further develop Visa's relationships with fintech companies in the future.3 The Plaid transaction was regarded as one of the most successful fintech exits to date.4

Mastercard/Finicity: In June 2020, Mastercard agreed to buy a financial data aggregator, Finicity, for $825 million plus up to $160 million in earn-out payments if certain performance targets are met. According to Mastercard, Finicity will bolster Mastercard's open banking services in North America and provide one-stop shopping for their customers' data, payment and open banking needs.5 Finicity's online platform will give customers the ability to allow their banking partners to make scheduled payments on their behalf and provide advice on money management. As with the Visa/Plaid deal, this deal highlights the importance of payments infrastructure for large financial institutions embracing fintech solutions.

American Express/Kabbage: In August 2020, American Express announced that it had agreed to acquire substantially all of the assets of the fintech lender, Kabbage. According to American Express, Kabbage's technology, products and people will allow American Express to offer a broader set of cash flow management tools and working capital products to its small business customers in the United States.6 Kabbage's lending portal unifies online bill payment, credit lines and cash flow management tools as well as a business checking account. American Express did not purchase Kabbage's pre-existing portfolio of marketplace loans. American Express will benefit from the well-regarded fintech lending technology held by Kabbage as well as its technology talent in a market where human resources are regarded as scarce. Kabbage's lending platform gathers data about small business customers, including bank account data, payment processing data, shipping data, credit card transaction data and accounting information.

Special Consideration for Payments Companies M&A Transactions

Payments company M&A transactions present a number of issues unique to this fintech asset class. Special attention should be paid to the following considerations: (1) the complex and often competing regulatory framework for payments companies, including state and federal banking regulations as well as state money transmission laws; (2) valuation issues and the desirability of earn-out structures; (3) conditions to closing and consents needed in the payments space; and (4) technology and key contract diligence issues.

Regulatory Overlay for Transactions Involving Payments Company

Payments companies are subject to a complex regulatory framework, at both the state and federal level. These regulations are in addition to a financial institution's compliance obligations under banking laws related to M&A transactions. When considering a payments company transaction, the buyer should diligence the seller's compliance with its regulatory obligations sooner rather than later in the transaction lifecycle.

STATE MONEY TRANSMITTER LICENSURE REQUIREMENTS

At the state level, payments companies (and many other types of fintech companies that provide payments functionality as an embedded payment solution) may be subject to money transmission laws in 49 states and the District of Columbia.7 Generally speaking, state money transmission laws regulate receiving money for transmission or transmitting the same; however, the exact scope of regulated activity varies among states.8 Consequently, a payments company and its potential buyer should evaluate the money transmission laws in 50 jurisdictions (in addition to federal laws) to determine whether the payments company is operating in compliance with state money transmission laws.9

If a payments company does not hold appropriate money transmitter licenses, the buyer should consider structuring the transaction so that the company's licensure obligations are satisfied prior to closing. As an initial step, the parties should evaluate whether the payments company's business model is viable once a money transmitter license is obtained and whether the company must amend its practices to comply with the state's requirements to obtain and maintain a money transmitter license. Assuming the buyer determines the business model will continue to be viable when operating as a licensed money transmitter, then the buyer should consider requiring the payments company to obtain all necessary state licenses as a condition to closing. However, the buyer should bear in mind that the licensing process can be lengthy and costly. Another popular alternative is that the payments company could partner with a licensed money transmitter or a financial institution to handle the actual funds transmission. While this approach may be more expedient, bringing in a third party to perform this critical function can change the economics of the potential transaction. The buyer should evaluate whether the payments company will be as profitable if it is sharing revenues with a thirdparty service provider. If a buyer decides to pursue this option, then the buyer should consider requiring the payments company to finalize the third-party partnership as a condition to closing.

ONGOING COMPLIANCE OBLIGATIONS FOR STATE LICENSED MONEY TRANSMITTERS

If the payments company is a licensed money transmitter, the company will be subject to ongoing compliance obligations under state money transmission laws. The ongoing compliance obligations may vary by state; however, most states impose compliance obligations related to the transmitter's net worth and national outstandings. First, a licensed money transmitter must hold a tangible net worth in an amount specified either by statute or the state regulator. Second, nearly every state money transmission law requires a licensee to at all times hold "permissible investments"10 at least equal to the licensee's "national outstandings." A licensee's outstandings are all money received for transmission by the licensee or its agents that has not yet been paid to the recipient or refunded to the sender.11

Only certain types of assets qualify as permissible investments.12 They include cash, US bank deposits and certain types of highly-rated securities.13 A licensee must hold permissible investments free from any lien, encumbrance or security interest.14 As a result, any security interest that a licensee grants that potentially could cover assets that the licensee counts as permissible investments (such as a blanket security interest in all the licensee's assets) must carve out assets held for permissible investments. Regulators will sometimes raise concerns if they conclude that the carve out is ambiguous about the scope of assets excluded from the security interest.

Most, if not all, states require that the state regulator be notified of a change in "control" of a licensed money transmitter.15 Although the definition of "control" varies by state, most states employ a definition similar to that established in the New York Banking Law, i.e., "the possession, directly or indirectly, of the power to direct or cause the direction of the management and policies of a licensee, whether through the ownership of voting stock of such licensee, the ownership of voting stock of any person which possesses such power or otherwise."16 Often a threshold of 15% to 25% of ownership is used to determine whether a person has "control" of a money transmitter.17 Some states, such as California and New York, require prior notice and approval of a change in control.18 Other states, such as Florida, require the submission of a new license application by the proposed person to obtain control of the licensed money transmitter.19 Mergers can constitute a change of control depending on the definition specified in the state's money transmitter laws.20 Thus, the change of control provisions in each state in which the payments company is licensed should be evaluated.

Regardless of when the change in control notice must be submitted, the buyer will likely be required to make extensive disclosures regarding not only the entity acquiring the payments company, but also individuals whose ownership interest in the buyer would result in a "controlling" interest of the payments company.21 A change in control may require the same amount of disclosure as that required for an initial application for a money transmitter license.22 The personal disclosure requirements are quite invasive in some states and may require items such as: (i) criminal background checks that may only be scheduled and/or completed at certain designated locations; (ii) state specific background checks that may only be completed using state specific fingerprint cards; (iii) residential histories; (iv) employment histories; and (v) personal financial histories.23

FEDERAL PAYMENTS COMPANY COMPLIANCE OBLIGATIONS

In addition to state regulatory compliance obligations, a payments company may also be subject to compliance obligations under federal financial services laws. For example, the Consumer Financial Protection Bureau (the "CFPB") retains jurisdiction over some payments companies. Most notably, the CFPB's Prepaid Rule can present significant and complex regulatory compliance burdens for a payments company.24 Among other things, the Prepaid Rule requires a regulated entity to provide a consumer with two disclosures prior to acquiring a "prepaid account."25 "Prepaid account" captures much more than a traditional prepaid card and can extend to digital wallets.26 The Prepaid Rule's coverage of digital wallets is currently being challenged in court.27 Specifically, a major digital wallet provider has challenged the CFPB's application of the Prepaid Rule to digital wallets under the Administrative Procedure Act and the First Amendment and recently filed a motion for summary judgment in the US District Court for the District of Columbia.28 The CFPB recently responded to the digital wallet provider's challenge.29 The court's opinion is pending.

A payments company may also be subject to antimoney laundering rules issued by the Financial Crimes Enforcement Network ("FinCEN") if the company constitutes a "money services business."30 FinCEN has established seven different types of money services businesses, one of which is a "money transmitter."31 Like state money transmission laws, FinCEN has adopted its own definition of "money transmitter," which may differ from a specific state's definition.32 If a payments company constitutes a money transmitter or any other type of money services business, as defined by FinCEN, then the company must, among other things, "develop, implement, and maintain an effective anti-money laundering program."33

An additional federal compliance consideration for bank and bank affiliate buyers is compliance with the Bank Holding Company Act (the "BHCA").34 If the buyer's investment is significant enough, then the payments company may be subject to the BHCA restrictions on permissible activities after the acquisition. Such restrictions should be taken into account not only when evaluating the payments company's current activities but also future activities that the company is contemplating.

REGULATION OF EMBEDDED FUNCTIONALITIES

In addition to the above general payments regulatory considerations, functionalities embedded in a payments company's platform can raise other specific regulatory considerations. This is particularly true for the increasing number of payments companies that rely on open banking technology to provide services to their customers. The OCC has advised that even if a payments company and a financial institution have not entered into a formal information sharing agreement, the financial institution is still expected to comply with certain regulatory expectations.35 While a payments company may not be directly subject to these regulatory expectations, potential partners or buyers may expect the company to utilize technology that fully maximizes its open banking capabilities within those regulatory expectations.

Regulatory Changes on the Horizon

State and federal regulators are pursuing regulatory and operational changes to reflect the evolving payments landscape. At the federal level, Acting Comptroller of the Currency Brian Brooks recently announced that the Office of the Comptroller of the Currency (the "OCC") will accept applications from payments companies to obtain a national bank charter, referred to informally as a "payments charter."36 A payments charter could consolidate a payments company's 50-jurisdiction licensure and compliance obligations under the jurisdiction of one federal regulator. This change could potentially reduce a payments company's compliance burden and associated costs.

The payments charter is in addition to the OCC's recent advanced notice of proposed rulemaking published July 7, 2020 (the "ANPR").37 Among other things, the ANPR requested comments in response to the following questions: "What new payments technologies and processes should the OCC be aware of and what are the potential implications of these technologies and processes for the banking industry? How are new payments technologies and processes facilitated or hindered by existing regulatory frameworks?"38 The broad scope of the OCC's inquiry presented both payments companies and financial institutions with the opportunity to submit information regarding recent developments in the industry and identify regulatory burdens that may hinder further innovation.

At the state level, the Conference of State Bank Supervisors recently announced the launch of a coordinated multi-state money transmitter examination process through which a licensed money transmitter can undergo one examination to satisfy its examination obligations in more than 40 states. Examinations can be a costly and timeconsuming process. Undergoing one consolidated examination to satisfy a statutory examination obligation in a majority of states may result in reduced compliance costs for a licensed money transmitter.

The above is in addition to state and federal regulatory sandboxes as well as the establishment of offices of innovation that evaluate developments in the financial services industry more generally.

Valuation Issues for Payments Company M&A: Use of Earn-Outs

In the post-COVID-19 world, potential obstacles to using straight cash consideration in payments company M&A deals may become more pronounced. Valuation of a potential target may be more difficult, leading to a greater chance that there is a significant difference between buyers' and sellers' respective valuations of a prospective target. Valuation issues are always more acute for an emerging fintech company that has not yet proven its ability to generate net income. Potential issues for the buyer from the regulatory side, such as the need for money transmitter licenses and the potential need to build a more robust compliance management system, may also pose valuation challenges.

Earn-outs are a popular mechanism to bridge the differences between the perceived value of a target from the buyer's and the seller's perspective. Earn-outs require the seller to accept a lower initial purchase price based on the theory that the seller will share in the upside of the target business prospering in the hands of the buyer. This mechanism is generally easy to understand at a high level. It is also considered intrinsically fair, because it gives the seller the opportunity to "prove" the promising projections it has provided to the buyer. The buyer is also benefitted by the acquired business meeting firm milestones.

Although earn-outs are easy to understand conceptually, in practice there are a number of concerns to keep in mind when considering this form of consideration because disputes over whether earn-out targets have been met are common. A key element of any earn-out, which is often the subject of extensive discussions between the parties, is the target metric(s) that must be met. Targets are typically financial targets, such as revenue or EBITDA, but they can also be based on other metrics or milestones tailored to the particular industry, such as the number of retained or new clients for a payments company serving small businesses or consumers. The choice of metric can be contentious, as both the buyer and seller will want to limit the ability of the other party to manipulate any data used to calculate whether the target has been met. For example, the seller may attempt to push for a straight gross revenue target to prevent the buyer from moving costs to the target business in an inequitable manner, whereas the buyer often wishes to use a metric that includes costs in order to provide a more holistic representation of the success of the target business. In general, the more objective and straightforward the metric used, the better, as vaguely defined metrics and targets may lead to disputes or litigation.

Another potential area of contention is the timing of payments and length of the earn-out period. Sellers will generally prefer shorter periods, although the length of an earn-out period will also depend on the type and status of the payments business and the goals agreed upon by the parties. If there are disagreements about the length of the earn-out period, interim targets may help bridge the gap by allowing partial payment of the earn-out at set intervals so long as interim targets are met.

A frequent concern with respect to earn-outs is the extent of the buyer's obligations to run the acquired business in a way that makes the earnout achievable. Sellers will want to restrict the ability of the buyer to take actions that make the achievement of the earn-out targets more difficult and bind the buyer to agree to make investments in the acquired business to help it thrive. Buyers do not want an express obligation to take specific actions with regard to the acquired business, as they will want maximum flexibility to operate the acquired business in a way that is best for the entire company, not just the acquired business. In fact, buyers usually push to include disclaimers of any obligation to operate the acquire business in any particular manner. In order to make calculations of whether the earn-out target has been met more straightforward, sellers may request (and some sellers may insist) that the acquired business be kept separate from the rest of the company, with separate bookkeeping for the acquired business. Aligning the economic interest of the buyer and the seller in achieving an earn-out will be key and often times can provide more practical protection than detailed operating covenants.

Conditions to Closing

Beyond the conditions to closing found in most M&A deals (e.g., representations true and correct, covenants performed, no illegality, any antitrust or regulatory approvals received and the like), buyers in payments M&A transactions may require some conditions tailored to the payments business. First, as discussed above, most state regulators of money transmitter licenses require notice or approval of a "change in control" or submission of a new license application by the buyer. Receipt of these approvals would typically be a condition to closing for both the buyer and seller. On the other hand, if the buyer is a national bank not otherwise required to maintain a state money transmitter license, the bank may opt to surrender the payments company's license.39 However, surrender of a license does not reduce or eliminate the license holder's civil or criminal liability arising from any acts or omissions before the surrender of the license.40

Buyers may also want to consider adding closing conditions that specifically address prior to closing regulatory compliance issues found during the buyer's due diligence. For example, the buyer may want to revamp customer agreements or websites that do not comply with law rather than closing over these issues and raising potential reputational risk and business interruption issues for the buyer. Note that the CFPB has argued in the pre-Kraninger era that providing investment capital in a non-M&A context that allows a company to engage in business activities may constitute "substantial assistance" for the target's violations of law. As discussed below, closing conditions tied to technology issues may also be desired. For example, where a software audit identifies open source software ownership issues, removal of any source code governed by the problematic open source licenses may be warranted. Technology audits and transition plans may be appropriate covenants that the buyer should ensure are satisfied prior to at closing. Consents and waivers under key contracts may be required, especially if the target gave up exclusivity, non-competition, most favored nation pricing or rights of first refusal provisions early in its development. Finally, the buyer may want to ensure that top innovators are identified, retained and motivated, whether through employment agreements, incentive plans, equity grants or longer term strategic opportunities and integration.

Technology Diligence Issues

In payments company M&A transactions, technology is often a key asset and value driver-- in some cases, acquiring technology is the primary reason for the deal in the first place. Failure to conduct adequate technology due diligence can leave a buyer prone to overvaluation of a target because of an insufficient understanding of the strengths, weaknesses and risks of the technology the company is reliant upon. In conducting technology due diligence of a payments company, buyers need to confirm that the technology and infrastructure of the business are explainable, resilient, secure and scalable. It is critical for integration planning that the target's technology be well-documented, including its architecture and data flows. Buyers will want to know about past problems, whether these problems caused any material disruption, and how they were resolved. Buyers should consider including representations and warranties regarding identification of material IT components, whether they are in good working order, whether they are sufficient to conduct the business and whether there have been any bugs, failures or breakdowns that have caused interruption or disruption.

The use of open source code in the development of business technologies, while prevalent, can sometimes pose risks to the buyer. Using open source code in development offers a number of advantages, including lowering up-front costs and allowing companies to leverage the knowledge of a community of developers--not just their own--which means companies don't have to spend time reinventing wheels and can rely on the community to surface bugs and edge use cases much more quickly than they could have on their own. As a result, all modern companies use open source code in their development, and payments companies are no different. There are, however, different licensing regimes under which different open source code is licensed to the public. Some licensing regimes can materially impact the proprietary nature of the owned software of the target's business. Where software is an important element of the deal, engaging a software auditing service (e.g., Black Duck) early in the process will allow the buyer to better understand the scope of the open source use in the target's software and the licensing regimes (and therefore obligations and restrictions) under which the code has been licensed in order to identify potential risk areas at the onset. Scans are becoming more common and can be performed relatively quickly. The buyer can also include specific open-source representations and warranties as well as covenants and closing conditions requiring the removal of any source code governed by the problematic open source licenses.

In addition to the technology diligence mentioned above, the buyer should also conduct intellectual property due diligence to confirm that the value it places on the business is supported by the degree to which the target owns (or has the right to use) all of the IP that is critical to its current and anticipated business. If there are gaps in ownership or if the target is dependent on a third party to defend, enforce or otherwise use or exploit its technology, then this could significantly affect the valuation and the determination of a go/no-go decision. Buyers should confirm that confidentiality and invention assignment agreements are in place with all employees and contractors (especially developers). Such agreements should be signed at the outset of the employment (or other contractual relationship) with the target to ensure there are no gaps in ownership and buyers should not neglect former employees or contractors in its diligence. If any IP was developed jointly with a third party, there may be restrictions on the created IP that must be considered by the buyer. Buyers should be careful of any IP developed pursuant to government, military or university grants. Where the business technology is dependent on licensed third-party IP, the buyer should review the terms of these licenses closely, including for assignment and consent rights of the licensor and other potential issues.

Cybersecurity and privacy diligence is also a key area of diligence for buyers of payments companies because prior data security and privacy breaches can result in lingering liability for the buyer and can significantly decrease the valuation of a target. Buyers have been subject to class action lawsuits, fines by regulatory authorities and other losses arising from security incidents that occurred prior to the acquisition.

As a diligence matter, the buyer should request and review copies of policies, contracts and other documents of the business relating to cybersecurity and data privacy, including any previous audit results. The buyer should also review the procedures the target has put in place to protect its employee, customer and business partners' data and information as well as its networks and systems. The buyer should be especially focused on past data breaches or intrusions into the target's network, including how such breaches or intrusions were discovered or detected, how they were investigated, and what remedial actions were taken.

In addition, the buyer should consider adding data privacy and cybersecurity representations and warranties that include representations (1) that the business has materially followed written information security policies (WISPs), (2) regarding known or suspected data breaches or other cyber incidents and (3) that the business has complied with data privacy and cybersecurity laws, obtained consents and that transfer is permissible.

Key Contract Diligence Issues

In considering the acquisition of a fintech or payments company, the buyer should be aware that smaller organizations (particularly startups) tend to have more hidden contract landmines than established players. The landmines can include overbroad exclusivity and most favored nation provisions and rights of offer and refusal giving a contract counterparty rights to buy the business. Start-up companies may lack sophistication in contracting or may not be as concerned about agreeing to restrictive contract provisions at the early stages of their lifecycle. They may also lack negotiating leverage to say "no" to demands of more established counterparties and may be less concerned with binding "affiliates" than larger, more diverse organizations. On the other hand, large organizations are not immune from contract landmines especially where the interests of a business unit may diverge from those of the organization as a whole. In either case, the buyer cannot simply rely on the seller to identify contract restrictions as part of the representation and warranty/disclosure schedule process.

Due diligence request lists need to focus not only on contracts that are driving the success of the business, but also those that could be overly burdensome to comply with. Sellers are cost conscious and typically perform very limited sellside due diligence. The remedies for breaches of representations and warranties may be inadequate to cover a missed contract provision where the business still needs to comply with these restrictions after closing. Buyers should also diligence out-of-scope contracts that relate to the business. Even though the buyer may not be taking assignment of a contract, the out-of-scope contract may impact the transaction. For example, rights of first offer and first refusal that give a third party a right to acquire the business can be particularly troublesome. The buyer should include specific due diligence requests aimed at fleshing out this issue and ensure that representations and warranties are not too narrowly tailored.

Buyers also need to consider their own agreements. Are there any existing agreements that limit the buyer's ability to buy and operate the new business, such as exclusivity and noncompete clauses? The buyer will need to develop processes to track these restrictions. With a fast changing world, a strategy that seems unfathomable today could very well be an attractive opportunity tomorrow. To the extent possible, buyers should avoid agreeing to these restrictions in the first place as a matter of corporate policy and, at a minimum, track them carefully.

Conclusion

M&A in the payments industry remained quite active during the COVID-19 shutdown period and will likely continue into 2021 and beyond. Buyers and sellers of payments companies should be aware of the many unique regulatory, technology and contractual issues that may arise in the M&A context. Despite the complexity, payments companies will continue to thrive, develop new use cases, and attract acquisition and investment activity for the foreseeable future.