If Target is a fintech in the payments industry, additional watch-outs must be considered, including reserves, guarantee obligations, and chargeback rules. Target can request reserves from its merchant clients to cover chargebacks (as explained below) or to protect against default by setting aside a percentage of a client’s monthly turnover. The existence, or absence, of reserve obligations for Target’s clients does not in itself constitute certainty of payment or a red flag. It should be analyzed along with Target’s pool of clients and their paying capacities, as well as Target’s fee payment model (some companies deduct fees upon settlement of transaction amounts, while others charge fees at the end of the month). Conversely, some merchant clients may request a guarantee from Target to protect against Target’s undue retention of transaction amounts. Such arrangements should also be verified, as they will influence Target’s financial analysis.
Lastly, contractual chargeback rules must be reviewed if Target processes card payments. Chargebacks are requests made by final customers to return funds paid in a purchase (i.e., a request to cancel a credit card purchase). When reviewing the contracts with clients, it is crucial to assess the attribution of liability in a chargeback: whether payment of chargebacks is attributed to the client or to Target, which deadlines for chargeback disputes were agreed upon, and what was negotiated about chargebacks after the termination of the contract.
In addition to the financial watch-outs, cybersecurity risks are also relevant in the due diligence of tech companies. The first step in a legal assessment is to request Target’s security certificates. The most common are PCI-DSS for companies processing card transactions and SOC and ISO 27001 certifications to assess the company’s security controls and processes to manage data. This analysis demands a joint effort between legal and cybersecurity teams to understand the applicability of such certificates to Target’s practice and the company’s cybersecurity and data operations (from a practical perspective).
As for Target’s software, verifying whether the company used open-source code is essential. Under the open-source model, the code is typically made available royalty-free under a license that allows redistribution and modification by any individual. However, it can also come with certain licensing restrictions, such as demanding that any derivative software be open and available. Moreover, any user in the network could have modified the open-source code used by Target with infringing code, and Target could have later incorporated the result into its software without knowledge of such infringement. One recommended practice to mitigate this risk is verifying whether Target implemented policies to record the use of open-source code in software development.
Lastly, it is relevant to assess Target’s compliance with specific regulations regarding its activities in all countries where it operates. Especially in the fintech space, there are many different players, such as acquirers, gateways, and payment aggregators. It is necessary to understand precisely where Target stands within this regulatory framework in each jurisdiction and certify that Target has obtained the proper licenses.
With so many particularities, a deep dive into each factor involved in the due diligence of a tech target demands additional pages. This article is intended to shine a light on the importance of a multidisciplinary approach when conducting due diligence on a tech target, to help practicing lawyers spot issues that can influence a tech target’s revenue and final purchase price, and to help them alert the purchasing client in advance to any legal risks that may affect the company’s activities down the road.