M&A transactions involving financial services providers—including tech-based providers or “fintechs”—raise a host of unique questions based on the types of services they provide, which are often highly regulated and may involve fiduciary or similar obligations. Parties to fintech M&A transactions should therefore carefully consider issues related to their regulatory status in structuring and executing those transactions.

Below we provide a high-level discussion of some of the considerations that may be involved in a fintech M&A transaction. This list is not comprehensive and is meant solely as an introduction to the types of issues at play.

1. The Heightened Importance of Diligence: Diligence is always important to an M&A transaction, but diligence around regulatory compliance by fintech companies is particularly critical. Purchasers need to understand the nuances of the ways a target company may or may not be fully compliant with applicable law, as noncompliance can result in significant liabilities to the buyer. Good diligence of fintechs should involve, among other things:
   • assessing a target company’s registration status and policies regarding any substantive requirements it must comply with;
   • reviewing how well it supervises employees carrying out those policies;
   • assessing the risks involved with regulatory events noted in public filings and/or correspondence from regulators, plus any responses and follow up;
   • reviewing any problems noted on internal exams and resulting remedial actions; and
   • reviewing customer complaints and any follow up.
   Sellers should assess these types of questions preemptively, to ensure the fintech is in the best possible regulatory position for the transaction.
2. Regulatory Approval or Notice: If the target or any of its affiliates is subject to state or federal regulation, the purchaser should consider whether it needs regulatory approval for the M&A transaction. Some, but not all, M&A transactions involving financial services providers—e.g., broker-dealers, banks, and state-licensed money transmitters—must be approved by the applicable financial regulator. This can be a surprisingly long and involved process, even when it goes smoothly. Parties to these transactions need to build in appropriate time to account for approval, specify who is responsible for which pieces of the approval process, and agree on whether the transaction will close before or after approval, depending on what is permissible by law.

   If the buyer of a fintech plans material changes to its business, it may also need separate regulatory approval for those changes. Depending on the purpose of the transaction, purchasers may want to consider whether to incorporate approval for a change in business at the time of approval for a change in ownership, or whether to address the change of business later, in order to expedite approval solely for change in ownership.

   Even if a fintech company does not need regulatory approval for the changes resulting from an M&A transaction, it may be required to promptly report changes in ownership or business; the buyer and seller should be clear about which party will do so. Certain providers, such as registered investment advisers (RIAs), may also need to deliver disclosures about the change to their customers.

3. Regulatory Event Disclosures: Most financial institutions are required to disclose any regulatory or legal events (e.g., enforcement actions, private lawsuits, settlements, etc.) involving the institution itself and/or principals or significant owners. In cases where a new owner or principal has been a party to this type of event, the purchaser will need to ensure they appropriately and promptly report any information about these events, as required by law.
4. Foreign Investment Reviews: Non-U.S. businesses that invest in or acquire U.S. businesses may be required to make filings with the Committee on Foreign Investment in the United States (CFIUS), which conducts national security reviews of foreign investments into, and acquisitions of, U.S. businesses, including financial services providers. For CFIUS purposes, a “U.S. business” is any business that has operations in the United States (even if it is already foreign-owned), and a “foreign investor or acquirer” includes not only a foreign person, but also a U.S. entity that is owned or controlled by a foreign person. Even if a filing is not required, a voluntary filing might nevertheless be advisable because failure to obtain CFIUS clearance may create the risk of forced divestment or other adverse action, notwithstanding that a filing was not mandatory. Many countries have similar foreign investment review regimes, and so if a target financial services provider has operations in multiple countries, it may be necessary to analyze the applicability of foreign investment review regimes (i.e., CFIUS analogues) in each of those countries.
5. Privacy and Cybersecurity: Fintechs often are subject to myriad privacy- and cybersecurity-related obligations under applicable law, related contractual terms with third parties, and similar industry standards, such as the Payment Card Industry Data Security Standard. A purchaser of a fintech should utilize the M&A legal diligence process to gain a comprehensive understanding of (i) the data processed by or for the target, the sources from which such data is obtained, and the purposes for which such data is processed; (ii) the fintech’s ability to disclose and otherwise process data in its business (and, depending on integration plans and the transaction structure, the ability to disclose and transfer such data in the context of a transaction or during integration); (iii) the applicability of federal, state, and international privacy and cybersecurity laws, regulations, and standards to the target and the target’s compliance posture regarding the same; (iv) the privacy- and cybersecurity-related contractual obligations to which the target is subject and the target’s compliance with those obligations; (v) the target’s cybersecurity practices and history of remediating security vulnerabilities; (vi) whether the target has suffered security breaches or incidents, and its handling of the same; and (vii) the target’s handling of any privacy- or cybersecurity-related complaints, claims, demands, litigation, and regulatory inquiries, investigations, or other proceedings.

   Further, to properly assess and address material privacy or cybersecurity risks that could impact the acquired business or the purchaser following an M&A transaction (e.g., via privacy and cybersecurity representations and warranties, covenants, or special indemnification in the definitive agreement), the purchaser also should develop a strong understanding of the types of customers served by the fintech, the technologies that comprise its products and services, and the fintech’s geographic footprint.

6. Anti-Money Laundering: “Financial institutions” are required to implement and maintain an anti-money laundering (AML) program. The term “financial institution” is defined by the U.S. Bank Secrecy Act (BSA) to include not only banks, broker-dealers, and other traditional financial institutions, but also money transmitters (e.g., PayPal and Venmo), providers and sellers of “prepaid access” (also known as stored value), and other non-traditional financial institutions. A wide variety of fintechs may be “financial institutions” and required to have an AML program in place. An AML program generally includes adopting internal policies and procedures designed to comply with the BSA, designating a compliance person to oversee the AML program, conducting customer due diligence, training relevant personnel, and conducting an independent audit of the AML program. Due diligence as part of an M&A transaction should include reviewing the financial institution’s AML program to make sure it meets applicable regulatory requirements, requesting documentation to ensure that the financial institution is complying with its AML program, and asking whether the financial institution is or has been the target of an AML investigation. Failure to conduct due diligence on a financial institution’s AML program may create unwanted money laundering risk and lead to significant liabilities for the acquirer.
7. Office of Foreign Asset Control (OFAC)-Related Liabilities: If the target fintech has committed violations of U.S. economic sanctions, which prohibit or limit transactions with certain countries, groups, legal entities, and individuals, the acquirer may have substantial liability for those past violations.
8. Training: Operating under financial regulations requires a company’s principals and employees to understand applicable regulations, comply with those regulations, and supervise accordingly. Those in charge may also have personal liability for failures of supervision. It is critical that purchasers of fintechs provide effective and comprehensive training to any new employees and supervisors.
9. Testing, Licensing, and Similar Requirements: In some cases, principals and employees of a fintech (such as a registered investment adviser (RIA) or a broker-dealer) may be required to take qualifying examinations and/or obtain licenses or certifications related to their roles and needed expertise. Principals and employees may also be required to register at the federal and/or state level in their individual capacities. Purchasers of fintechs should assess whether any of their employees or principals will become subject to these requirements based on an M&A transaction and work to ensure those employees and principals obtain the needed qualifications in a timely fashion.
10. Select considerations specific to particular types of financial services providers:
    • Assignment of Advisory Agreements: The Investment Advisers Act prohibits assignments of investment advisory agreements without client consent. This typically includes situations where an RIA takes on new ownership based on an M&A transaction—meaning that the RIA must seek written consent for each client to continue as a client. Determining whether consent is required and what mechanisms to use for soliciting consent requires assessing what post-M&A operations will look like, which employees and principals will continue on after the transaction, and what an RIA’s advisory agreements say about assignment, among other things.
    • Broker-Dealer Change of Control: Any change of control in an entity that is a broker-dealer registered with the Financial Industry Regulatory Authority (FINRA) or that owns or controls a registered broker-dealer will likely require the filing of a Continuing Membership Application (CMA) with FINRA. The CMA must be filed at least 30 days before the change of control becomes effective, and potential acquirers must determine whether, if any material changes to the broker’s business are contemplated, those changes should form part of the CMA or should be filed through a separate CMA at a later date.
    • Bank and Bank Holding Company (BHC) Buyers: Banks are limited in the activities that are legally permissible for them to engage in and therefore may be subject to restrictions in the post-M&A activities of their target. BHCs, which are subject to the Bank Holding Company Act, are also limited in the types of activities that they can engage in. The Bank Holding Company Act may restrict a BHC’s ability to acquire control of a company engaged in activities beyond the business of banking. BHCs engaged in an M&A transaction with a fintech company will place heightened importance on regulatory due diligence, with a particular focus on compliance policies and procedures in relation to the regulatory obligations that may govern the activities of the fintech company (e.g., the Truth in Lending Act, the Truth in Savings Act, and the Electronic Fund Transfer Act). BHCs will also closely scrutinize the fintech company’s approach to data privacy, the prevention of financial crime, and compliance with the Federal Trade Commission Act’s prohibition on unfair or deceptive acts or practices in or affecting commerce.
    • Money Transmitter Change of Control: Generally, either the licensed money transmitter or proposed new control person must obtain written approval from the relevant state regulator prior to the date a change-of-control transaction is to be consummated. Some states impose a timing requirement for a change-of-control notice (for example, Texas requires a change-of-control notice to be submitted at least 45 days before the date the proposed transaction is to be consummated). Generally, state regulators will review the proposed change of control to determine whether the proposed person has the financial condition, business experience, and general fitness to conduct a money transmission business before approving the proposed new control person.