Building a successful business in the rapidly changing and growing electronic payments space has never been easy. The industry evolves almost daily with the introduction of new technologies, expanding regulatory considerations, and shifting consumer preferences. Once you've built your company, staying on top can be difficult. One way is to expand your business by acquiring complimentary companies, assets, customers, or know how. Doing so, however, can create its own legal and regulatory challenges.
While the hope is that an acquisition will provide strategic, operating, and financial benefits, an ill-conceived or poorly executed acquisition may result in financial loss, business disruption, and regulatory risk. In particular, regulatory pressure in the payments industry has increased considerably in the past few years. For those payments companies looking to expand through acquisition, this article highlights some of the recent legal and regulatory developments and then outlines five of the most critical areas to consider as part of the acquisition process.
Understand Regulatory Pressure in the Payments Industry
At the federal level, payments companies are subject to oversight from a host of agencies, including the prudential banking regulators (such as the Office of the Comptroller of the Currency), the Financial Crimes Enforcement Network (FinCEN), the Department of Justice (DOJ), the Consumer Financial Protection Bureau (CFPB), and the Federal Trade Commission (FTC). While bank regulators oversee the "safety and soundness" of the banking industry, the CFPB, DOJ, and FTC focus on protecting consumers from potential harm in the payments space. Together, these regulatory agencies monitor payments companies on issues ranging from anti-money laundering to data security and consumer fraud.
In particular, regulators are pressing banks, payment processors, and independent sales organizations (ISOs) to both "know your customer" and engage in monitoring to limit the use of legitimate financial services for illicit purposes. The consumer-focused agencies have brought numerous enforcement actions in recent years against payments companies alleged to have facilitated fraud by providing services to merchants engaged in conduct that harms consumers. In June, for example, the CFPB filed a lawsuit against Intercept Corp, a payment processor that allegedly turned a blind eye to "blatant warning signs" of potential fraud by its clients. In addition, Intercept is alleged to have ignored complaints and warnings from banks and consumers about high return rates and unauthorized debits by its merchant customers.
The government's scrutiny of payments companies for the alleged wrongdoing of their customers can catch the unprepared by surprise. Most FTC and CFPB enforcement actions have been resolved by consent decrees (i.e., settlement orders), which typically include injunctive relief restricting the payments company's future conduct and monetary penalties. Often, the target of the enforcement action is compelled to enter into the decree because protracted, expensive defense is simply untenable. Injunctive provisions in these orders are usually more debilitating to a company than financial penalties, and are an example of the government's effort to use "regulation by litigation" to establish standards for the industry at large. Such pressure can be debilitating for companies
Top Five Legal and Regulatory Issues to Consider When Acquiring a Payments Company
- Engage in Regulatory Due Diligence
When it comes to acquiring a payments-related company, a good starting point for regulatory due diligence is a thorough review of the target's policies and procedures governing anti-money laundering, merchant or customer underwriting, data security, and compliance with consumer protection laws and regulations. These policies should be spelled out in written documents that address how the company manages the myriad laws that impact its services and the industries in which it (or its customers) operate. In particular, for acquisitions involving payment processors or ISOs, it is critical for the buyer to review the target's merchant portfolio to assess underlying risk and whether the target has implemented appropriate policies and procedures to manage that risk. A failure to have a clear picture of the policies and practices of the target can prove costly.
Another important area to review is data security. A number of recent data breaches has brought renewed focus on data security across all industries—including payment processing. The FTC and CFPB have broad mandates to pursue unfair or deceptive acts or practices, which both have interpreted to include data security. Earlier this year, for example, the CFPB announced a consent order against Dwolla, Inc., an online payments platform, for deceptive acts relating to its data security practices. According to the CFPB, Dwolla had made various representations to consumers about the safety and security of transactions on its platform but had not implemented appropriate written data security policies and procedures to support such representations. This is a complicated and technically nuanced area, which, particularly on mid-market deals, can be made more challenging by concerns over transactional expenses.
- Structure the Deal to Minimize Risk
It is axiomatic to suggest the structure of a deal can have a significant impact on risk. This is a particularly important consideration in the payments industry given the current regulatory environment. In an asset acquisition, for example, where the buyer purchases all or some of the assets of the target, the buyer will have more control over the liabilities it assumes. In contrast, when a buyer purchases control of the target by acquiring all or a majority of the target's shares, or through a merger, the liabilities of the target pass to the buyer. This means, for example, that the buyer of a payments processor could be held responsible for the target's prior processing activities (including in the event of a government investigation). Regardless of the nature of the deal, allocating risk deliberately and clearly through the use of indemnification provisions, schedules, potential earn-outs, and claw backs should all be considered as part of any structuring discussion.
- Document the Deal to Protect Yourself
Once the buyer identifies a target, and completes initial due diligence, and the final structure is set, the parties complete documenting the deal. Each side's lawyers and accountants will help negotiate the basic terms of the transaction, formalize the terms in a written agreement, and draft any required supporting documentation. In the payments industry, it is critical for the buyer to obtain detailed representations and warranties in areas such as intellectual property, security, and regulatory compliance so that the buyer is indemnified in the event of a breach or subsequent regulatory scrutiny. For the same reasons, assuming the deal is not a simultaneous sign and close, the agreement should include detailed closing conditions, including confirmations related to legal and regulatory risks.
- Protect Your Investment
The payments industry is competitive; any acquisition should protect the purchaser by including non-compete clauses that limit the ability of the target's prior management and shareholders from competing or interfering with the buyer's business. This is particularly important in the payments industry, where a company's success is often determined by its technology, know how, and customer relationships. Such clauses, if crafted carefully, are generally enforceable and are an important tool to ensure the buyer actually gets what they intend to purchase.
- Ensure Compliance Moving Forward
Once the deal closes, long term success requires a commitment to compliance. The starting point is a compliance management system ("CMS") that addresses business operations and sets management's expectations for compliance with applicable laws. Such a system should be a natural outgrowth of the diligence process and follow naturally from what was discovered as part of execution on the deal. A CMS should address how a company will implement its compliance policies and monitor for changes in the laws that impact its services and the industries in which its merchants are operating. In particular, one of the challenges that buyers often face post-transaction is merging the target's compliance system and personnel with those of the buyer. This process is often complicated because of differences in systems, databases, and data protection systems, but is critical to plugging potential gaps in compliance. Finally, a payments company should keep a close eye on federal and state legal developments. An industry or merchant practice that is legal today may be an enforcement target tomorrow. Given this risk, payments companies must keep abreast of legal and regulatory developments so they can revise their policies and procedures as needed.
Creating value for shareholders through acquisitions in the payment space is an important, time-tested strategy. Yet, if poorly executed, acquisitions can have unintended and adverse consequences. In today's ever changing environment, combining regulatory insight, with proven deal execution is essential if your acquisition is to have the intended results.
* * * * * * * * * *
Charles J. Morton, Jr. chairs Venable's Corporate Practice Group. Since 2012, The Legal 500, which provides the most comprehensive worldwide coverage on recommended lawyers of any legal publication, has recognized him as one of approximately 20 "Leading Lawyers" in the United States doing middle-market M&A transactions. His practice focuses on the healthcare, consumer products, and technology (including monetizing data) industries.
Andrew Bigart is a Counsel in the Washington office of Venable LLP. He specializes in helping clients in the payments industry navigate the complex federal and state regulatory environment.