Building a successful business in the rapidly changing and growing electronic payments space has never been easy.

The industry evolves almost daily with the introduction of new technologies, expanding regulatory considerations, and shifting consumer preferences. Once you’ve built your company, staying on top can be difficult. One way is to expand your business by acquiring complementary companies, assets, customers, or know-how. Doing so, however, can create its own legal and regulatory challenges.

While the hope is that an acquisition will provide strategic, operating, and financial benefits, an ill-conceived or poorly executed acquisition may result in financial loss, business disruption, and regulatory risk.

In particular, regulatory pressure in the payments industry has increased considerably in the past few years.

At the federal level, payments companies are subject to oversight from a host of agencies, including the prudential banking regulators (such as the Office of the Comptroller of the Currency), the Financial Crimes Enforcement Network (FinCEN), the Department of Justice (DOJ), the Consumer Financial Protection Bureau (CFPB), and the Federal Trade Commission (FTC). While bank regulators oversee the “safety and soundness” of the banking industry, the CFPB, DOJ, and FTC focus on protecting consumers from potential harm in the payments space. Together, these regulatory agencies monitor payments companies on issues ranging from anti-money laundering to data security and consumer fraud.

In particular, regulators are pressing banks, payment processors, and independent sales organizations (ISOs) to both "know your customer" and engage in monitoring to limit the use of legitimate financial services for illicit purposes. The consumer-focused agencies have brought numerous enforcement actions in recent years against payments companies alleged to have facilitated fraud by providing services to merchants engaged in conduct that harms consumers.

The government’s scrutiny of payments companies for the alleged wrongdoing of their customers can catch the unprepared by surprise. Most FTC and CFPB enforcement actions have been resolved by consent decrees (i.e., settlement orders), which typically include injunctive relief restricting the payments company’s future conduct and monetary penalties.

Often, the target of the enforcement action is compelled to enter into the decree because protracted, expensive defense is simply untenable. Injunctive provisions in these orders are usually more debilitating to a company than financial penalties, and are an example of the government’s effort to use “regulation by litigation” to establish standards for the industry at large. Such pressure can be debilitating for companies

There are five big legal and regulatory issues to consider when acquiring a payments company.

Engage in regulatory due diligence. When it comes to acquiring a payments-related company, a good starting point for regulatory due diligence is a thorough review of the target’s policies and procedures governing anti-money laundering, merchant or customer underwriting, data security, and compliance with consumer protection laws and regulations.

These policies should be spelled out in written documents that address how the company manages the myriad laws that impact its services and the industries in which it (or its customers) operate. In particular, for acquisitions involving payment processors or ISOs, it is critical for the buyer to review the target’s merchant portfolio to assess underlying risk and whether the target has implemented appropriate policies and procedures to manage that risk. A failure to have a clear picture of the policies and practices of the target can prove costly.

Another important area to review is data security. A number of recent data breaches have brought renewed focus on data security across all industries—including payment processing. The FTC and CFPB have broad mandates to pursue unfair or deceptive acts or practices, which both have interpreted to include data security.

Structure the deal to minimize risk. It is axiomatic to suggest the structure of a deal can have a significant impact on risk. This is a particularly important consideration in the payments industry given the current regulatory environment. In an asset acquisition, for example, where the buyer purchases all or some of the assets of the target, the buyer will have more control over the liabilities it assumes. In contrast, when a buyer purchases control of the target by acquiring all or a majority of the target’s shares, or through a merger, the liabilities of the target pass to the buyer. This means, for example, that the buyer of a payments processor could be held responsible for the target’s prior processing activities (including in the event of a government investigation). Regardless of the nature of the deal, allocating risk deliberately and clearly through the use of indemnification provisions, schedules, potential earn-outs, and claw backs should all be considered as part of any structuring discussion.

Document the deal to protect yourself. Once the buyer identifies a target and completes initial due diligence, and the final structure is set, the parties complete documenting the deal. Each side’s lawyers and accountants will help negotiate the basic terms of the transaction, formalize the terms in a written agreement, and draft any required supporting documentation. In the payments industry, it is critical for the buyer to obtain detailed representations and warranties in areas such as intellectual property, security, and regulatory compliance so that the buyer is indemnified in the event of a breach or subsequent regulatory scrutiny. For the same reasons, assuming the deal is not a simultaneous sign and close, the agreement should include detailed closing conditions, including confirmations related to legal and regulatory risks.

Protect your investment. The payments industry is competitive; any acquisition should protect the purchaser by including non-compete clauses that limit the ability of the target’s prior management and shareholders to compete or interfere with the buyer’s business. This is particularly important in the payments industry, where a company’s success is often determined by its technology, know-how, and customer relationships. Such clauses, if crafted carefully, are generally enforceable and are an important tool to ensure the buyer actually gets what it intends to purchase.

Ensure compliance moving forward. Once the deal closes, long-term success requires a commitment to compliance. The starting point is a compliance management system (“CMS”) that addresses business operations and sets management’s expectations for compliance with applicable laws. Such a system should be a natural outgrowth of the diligence process and follow naturally from what was discovered as part of execution on the deal. A CMS should address how a company will implement its compliance policies and monitor for changes in the laws that impact its services and the industries in which its merchants are operating.

In particular, one of the challenges that buyers often face post-transaction is merging the target’s compliance system and personnel with those of the buyer. This process is often complicated because of differences in systems, databases, and data protection systems, but is critical to plugging potential gaps in compliance. Finally, a payments company should keep a close eye on federal and state legal developments. An industry or merchant practice that is legal today may be an enforcement target tomorrow. Given this risk, payments companies must keep abreast of legal and regulatory developments so they can revise their policies and procedures as needed.

Andrew Bigart

Andrew Bigart is a Counsel in the Washington office of Venable LLP.