

Tech Targets: A Practical Approach to Due Diligence (Brazil)

Luisa Shinzato


  • For fintech targets, due diligence attention should be given to reserves, guarantee obligations, and chargeback rules, which can impact revenue streams and financial stability.
  • Legal assessment should include requesting security certificates and verifying the use of open-source code in the Target’s software.
  • The presence of licensing restrictions and potential infringement risks should be thoroughly examined.

After the tech M&A spree of 2020 and 2021, the last two years proved challenging for the tech industry, with fewer deals and decreased volume. Despite the sobering scenario of the past couple of years, analysts predict that more prominent players will focus on innovative startups to gain a competitive advantage and promote digital transformation in 2024. Predictions are cautiously optimistic, pointing to increased technology deals prioritizing liquidity and working capital. Higher scrutiny of these tech targets ultimately leads to a careful assessment of the company’s overall status, considering financial and legal risks reflected in the due diligence process. This article presents a high-level view of the risks concerning tech targets (the “Target”) with a multi-jurisdictional approach.

From a financial perspective, it is essential to carefully analyze the Service Level Agreements (“SLAs”) executed with clients when Target renders software services. It is common for SLAs to contain fee discounts for downtime of the platform (the time when the platform is inactive), commonly called “service credits”. Analysts should flag the existence of service credits and the amounts discounted from fees both to the financial teams, since they affect the flow of payments from clients to Target, and to the engineering and product teams verifying Target’s technical capabilities. The worse the overall performance of the platform, the more likely that service credits will be applied, thus reducing Target’s revenue.

If Target is a fintech in the payments industry, additional watch-outs must be considered, including reserves, guarantee obligations, and chargeback rules. Target can request reserves from its merchant clients to cover chargebacks (explained further below) or to protect against default, by setting aside a percentage of a client’s monthly turnover. The existence, or absence, of reserve obligations owed to Target by its clients is neither a certainty of payment nor a red flag in itself. It should be analyzed together with Target’s pool of clients and their paying capacities, as well as Target’s fee payment model (some companies deduct fees upon settlement of transaction amounts, while others charge fees at the end of the month). Conversely, some merchant clients may request a guarantee from Target to protect against Target’s undue retention of transaction amounts. Such arrangements should also be verified, as they will influence Target’s financial analysis.

Lastly, contractual chargeback rules must be reviewed if Target processes card payments. Chargebacks are requests made by final customers to return funds paid in a purchase (i.e., a request to cancel a credit card purchase). When reviewing the contracts with clients, it is crucial to assess the attribution of liability in a chargeback: whether payment of chargebacks is attributed to the client or to Target, which deadlines for chargeback disputes were agreed upon, and what was agreed about chargebacks arising after termination of the contract.

In addition to the financial watch-outs, cybersecurity risks are also relevant in the due diligence of tech companies. The first step in a legal assessment is to request Target’s security certificates. The most common are PCI-DSS for companies processing card transactions and SOC and ISO 27001 certifications to assess the company’s security controls and processes to manage data. This analysis demands a joint effort between legal and cybersecurity teams to understand the applicability of such certificates to Target’s practice and the company’s cybersecurity and data operations (from a practical perspective).

As for Target’s software, verifying whether the company used open-source code is essential. Under the open-source model, the code is typically made available royalty-free under a license that allows redistribution and modification by any individual. However, it can also come with certain licensing restrictions, such as requiring that any derivative software be open and available. Moreover, any contributor could have modified the open-source code used by Target with infringing code, and Target could have later incorporated the result into its software without knowledge of such infringement. One recommended practice to mitigate this risk is verifying whether Target implemented policies to record the use of open-source code in software development.
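The recording practice described above is easiest to assess when the Target keeps a component inventory (an SBOM-style list of each open-source package with its version, declared license and upstream source). The script below is an added example, not code from the article: it triages such an inventory, flagging components whose license may impose derivative-work obligations, components with no recorded license or provenance, and locally modified components whose diff against upstream should be reviewed. The inventory records, the `Component`/`Finding` types and the license groupings are constructed for illustration; the groupings are a first-pass heuristic keyed on SPDX identifiers, and the final classification of any license remains a legal judgement.

```python
"""Triage an open-source component inventory for due-diligence review.

Added example (not the article's or any project's code). Assumes the Target
keeps an inventory with name, version, declared license and upstream source.
All records below are constructed samples.
"""
from dataclasses import dataclass
from typing import List, Optional

# Heuristic license families keyed on SPDX identifiers (constructed grouping;
# legal review decides the real obligations for each license).
STRONG_COPYLEFT = {"GPL-2.0-only", "GPL-3.0-only", "AGPL-3.0-only"}
WEAK_COPYLEFT = {"LGPL-2.1-only", "LGPL-3.0-only", "MPL-2.0", "EPL-2.0"}
PERMISSIVE = {"MIT", "BSD-2-Clause", "BSD-3-Clause", "Apache-2.0", "ISC"}


@dataclass
class Component:
    name: str
    version: str
    license: Optional[str]   # declared SPDX identifier, or None if unrecorded
    source: Optional[str]    # recorded upstream origin, or None if unrecorded
    modified: bool = False   # True if the Target patched the upstream code locally


@dataclass
class Finding:
    component: str
    severity: str            # "high", "medium" or "info"
    reason: str


def triage(components: List[Component]) -> List[Finding]:
    """Return review items for every component that needs legal attention."""
    findings: List[Finding] = []
    for c in components:
        ref = f"{c.name}@{c.version}"
        if c.license is None:
            findings.append(Finding(ref, "high", "no license recorded; terms unknown"))
        elif c.license in STRONG_COPYLEFT:
            findings.append(Finding(ref, "high",
                f"{c.license}: distribution may require releasing derivative source"))
        elif c.license in WEAK_COPYLEFT:
            findings.append(Finding(ref, "medium",
                f"{c.license}: changes to the component itself must be shared"))
        elif c.license not in PERMISSIVE:
            findings.append(Finding(ref, "medium",
                f"unrecognised license '{c.license}'; needs legal review"))
        if c.source is None:
            findings.append(Finding(ref, "medium",
                "no upstream source recorded; provenance cannot be traced"))
        if c.modified:
            findings.append(Finding(ref, "info",
                "locally modified; diff against upstream should be reviewed"))
    return findings


def summarize(findings: List[Finding]) -> dict:
    """Count findings per severity so the report can be prioritised."""
    counts = {"high": 0, "medium": 0, "info": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


# Constructed sample inventory; names, versions and URLs are illustrative only.
SAMPLE_INVENTORY = [
    Component("requests", "2.31.0", "Apache-2.0", "https://pypi.org/project/requests/"),
    Component("pdfkit-fork", "0.4.1", "GPL-3.0-only",
              "https://example.invalid/pdfkit-fork", modified=True),
    Component("internal-crypto-shim", "1.0", None, None),
    Component("libxml-wrapper", "3.2", "LGPL-2.1-only", "https://example.invalid/libxml-wrapper"),
    Component("left-pad-ish", "0.1", "WTFPL", None),
]

if __name__ == "__main__":
    report = triage(SAMPLE_INVENTORY)
    for f in report:
        print(f"[{f.severity:6}] {f.component}: {f.reason}")
    print(summarize(report))
```

On the sample inventory the script raises two high-severity items (the GPL-licensed fork and the component with no recorded license), which are exactly the cases the article's recording policy is meant to surface: a copyleft obligation that may reach Target's own code, and a component whose origin and terms nobody can vouch for.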

Lastly, it is relevant to assess Target’s compliance with the specific regulations governing its activities in all countries where it operates. Especially in the fintech space, there are many different players, such as acquirers, gateways, and payment aggregators. It is necessary to understand precisely where Target stands within this regulatory framework in each jurisdiction and to confirm that Target has obtained the proper licenses.

With so many particularities, a deep dive into each factor involved in the due diligence of a tech target would demand additional pages. This article intended to shine a light on the importance of a multidisciplinary approach when conducting due diligence on a tech target and to help practicing lawyers spot issues that can influence a tech target’s revenue and final purchase price, as well as alert the purchasing client to any legal risks that may affect the company’s activities down the road.