Guide to Payment M&A
Post-closing the focus will be on any separation/integration issues. Similarly, in a private equity context, any ongoing obligations to be mindful of during the lifetime of the investment should be flushed out. There will be particular emphasis at this stage on any data/cyber security audit and, if applicable, overseeing any implementation of uplift plans.
IP and data considerations
Data privacy/cyber security/operational resilience audit. Both data protection and payments regulators will expect the buyer to ensure the target’s systems and processes are robust and compliant from both an operational resilience perspective and a data privacy perspective. However, meaningful due diligence of a target’s security posture is likely to have been very difficult to achieve in practice, and so it is critical to take steps post-closing to diligence the position. It is recommended that, in addition to extensive diligence, regular independent audits are carried out to ensure ongoing compliance.
OSS audit. Due to the potential risks associated with OSS use and the prevalence of OSS usage in the payments space, where due diligence has identified the use of or reliance on OSS by the target, and to the extent one has not been conducted prior to closing, it is recommended that an incoming buyer perform an OSS audit over the target to assess its ongoing risk.
Preparation of migration plan. Where the target is being supported by transitional services from the seller, the parties will typically prepare a migration plan following commencement of the TSA to govern the target’s migration from reliance on the TSA’s services.
The post-closing period will be crunch time from a people perspective, as the target workforce adjusts to life within the buyer group. The ability of dominant personalities within senior management to adjust to the input and influence of the buyer will be a key question in the post-closing period, and the adequacy of any retention arrangements, including remuneration put in place may start to be tested.
Key litigation risks
To the extent the target has agreed to put in place an ‘uplift plan’ (as to which, see ‘Post-final offer to closing'), it may be necessary to oversee the implementation of this after closing. In addition, it will often be necessary to integrate the target’s compliance framework with that of the buyer group. For example, a decision may need to be taken as to whether the buyer’s AML policy will apply to the target after completion, or whether the target will continue to follow its own stand-alone policy.
Financial services regulatory considerations
Payment services providers are subject to authorisation requirements and regulation pertaining to the way they conduct their business. Authorisation requirements mean that firms will not be permitted to provide regulated payment services without authorisation from the relevant financial regulator.
Proposals for international expansion will need to be assessed with local legal advice. Providing payment services internationally is likely to require regulatory authorisations, including in the European Union if services are provided cross-border from the UK. Implementing appropriate compliance policies and procedures can help if the merged entity is seeking to expand. Reviewing and improving existing compliance frameworks can be a valuable post-acquisition exercise for the merged entity. It should build on the regulatory compliance due diligence carried out pre-acquisition.
Holly Insley Partner
Ali Kirby-Harris Partner
Rikki Haria Senior Associate
Tom Hingley Senior Associate
Hannah Family Associate
Maija Hall Associate