When an entrepreneur or a CFO says to me, “We want to buy a licensed PSP company in Europe”, I always ask the same counter-question: “Are you sure you are ready for an honest Due Diligence?”
The purchase of a payment institution (PI) or an electronic money institution (EMI) is not just an M&A deal, but the purchase of regulatory history, compliance culture and risk profile, which will either strengthen your holding or become a source of ongoing conflicts with regulators and banks.
Over the years of COREDO’s development in the EU, Asia and the CIS, our team has completed dozens of projects with clients: from due diligence when buying a PSP company in Europe and Singapore to supporting transactions for acquiring EMI/PI licenses together with the companies that hold them and integrating these assets into large financial groups. This experience has shown that 80% of a deal’s success is determined by the quality of preliminary due diligence: legal, financial, tax, operational and, of course, AML/KYC.
In this article I will break down how to approach due diligence of a PSP company, which red flags are critical, which documents you must request and how to use the verification results for deal structuring and investor protection.
Why it’s more advantageous to buy a licensed PSP

When we discuss a payments market entry strategy with clients, there are usually two options on the table:
- obtaining a new license (EMI/PI) in the EU, the UK, Singapore or Dubai;
- buying a licensed PSP company with an existing license and infrastructure.
Buying an existing PSP lets you:
- reduce time-to-market: often 12–18 months faster compared to obtaining a new license;
- obtain established relationships with correspondent banks and payment partners;
- inherit merchants, the technology platform and the team;
- use the existing license for passporting within the EU (subject to compliance with PSD2 requirements and national rules).
But along with the license the investor takes on:
- regulatory legacy risks (past violations, outstanding regulatory orders);
- the historical transaction profile and client portfolio;
- the PSP’s reputational history in the market.
Therefore, due diligence of a payment provider is always conducted as a risk‑based project with a clear map of the risks of acquiring the business.
Structure of due diligence for a PSP company

When I’m asked to perform due diligence when buying a PSP company, I immediately divide the work into at least six blocks:
- Legal due diligence
- Regulatory and licensing due diligence (including checking the PSP license)
- AML/KYC due diligence and compliance check
- Financial and tax due diligence
- Operational due diligence and IT/cyber security
- Strategic and business due diligence (unit economics, model sustainability, ROI)
Each block provides its own layer of red flags, and at COREDO we are used to presenting the result as a risk heatmap: a visual map of the key deal risks and their impact on price, the SPA structure and the post-closing roadmap.
Legal due diligence: structure and change of control

Legal support for the purchase of a PSP in the EU and Asia begins with basic but critical matters.
What I check first
- Ownership structure and beneficiaries (UBO)
  - transparency of the ownership chain;
  - presence of trusts, nominee structures, offshore elements;
  - whether beneficiaries match those registered with the regulator.

  Red flags when buying a PSP: discrepancies between corporate documents and regulator data, hidden controllers, complex structures without a business purpose.
- Legal origin of the license
  - whether the constitutional documents and the license contain restrictions on change of control;
  - whether mandatory approval of a change of control by the regulator is required;
  - whether there are legal restrictions on changes to directors and key personnel.
- Presence of material contracts and obligations
  - agreements with correspondent banks, payment schemes, anti-fraud and KYC providers;
  - agency, outsourcing and white-label agreements;
  - agreements with key merchants, partner and referral contracts.
Legal support for M&A transactions in fintech always involves special clauses: representations & warranties concerning the license, AML/regulatory issues, compliance status, as well as indemnities for past breaches.
Which documents to request during PSP due diligence
The list is always adapted to the jurisdiction, but the core remains:
- corporate documents (articles of association, shareholders’ resolutions, register of participants);
- PSP/EMI license, all appendices, letters and regulator decisions;
- register of shareholders and beneficiaries, UBO confirmation;
- key commercial contracts (banks, schemes, merchants, KYC/AML providers, IT outsourcing);
- internal policies & procedures (regarding governance, decision‑making, outsourcing);
- history of legal disputes and counterparty claims.
At COREDO, legal due diligence of a payment organisation is always linked with regulatory review: the lawyer evaluates not only the formal validity of the documents but also how they “mesh” with the licensing requirements of the specific regulator.
Regulatory due diligence: license and PSD2

Frankly, buying a licensed payment company in the EU without in-depth regulatory review is a blind gamble.
How to check a PSP license in the EU
I always insist on at least:
- verification of the license via the regulator’s official register;
- analysis of the license scope: which types of payment services are permitted, and whether there are geographic or client-type restrictions;
- checking the business model’s compliance with PSD2 requirements (and prospectively PSD3) and AMLD.
Key red flags in PSP company due diligence: mismatch between actual activities and permitted services, use of schemes that circumvent regulation (de‑facto e‑money presented as technical processing), substantial deviations from requirements on safeguarding client funds and capital adequacy.
History of regulator inspections and orders
The COREDO team always requests:
- copies of regulatory letters, orders, enforcement actions for the last 3–5 years;
- external auditors’ reports on regulatory matters;
- remediation plans and action plans submitted by the PSP to the regulator.
The key question is how the company responded to findings: whether it addressed them promptly, strengthened the compliance function, and improved governance.
If due diligence of a payment institution in Europe reveals recurring violations, deferred orders, or open investigations, this directly affects: the price structure (earn‑out, holdbacks, escrow); the scope of indemnities; the decision whether to enter the deal now or after completion of remediation.
AML/KYC due diligence when working with PSP

If you ask me which part of a PSP review is critical to the survival of a deal, I would answer: AML/KYC due diligence.
What I check in KYC/AML compliance
- Risk-based approach policy
  - whether there is a formalized risk appetite statement;
  - how clients are segmented by risk (high‑risk industries, high‑risk jurisdictions);
  - how decisions on onboarding and offboarding are made.
- KYC/AML procedures
  - customer due diligence (CDD) and enhanced due diligence (EDD);
  - source of funds/source of wealth checks;
  - procedures for ongoing monitoring of customers and transactions;
  - sanctions screening, PEP screening, adverse media.
- Transaction monitoring & anti‑fraud
  - presence of an automated transaction monitoring system;
  - scenarios and rules (rules‑based, risk‑based or hybrid models);
  - model for managing alerts and internal investigations;
  - chargeback ratio and dispute ratio metrics for key merchants.
Signs of high AML risk at a PSP provider are often visible already in the first weeks of review: concentration on high‑risk merchants (gambling, betting, forex, crypto) without clear limits; insufficient documentation for high‑risk clients; formal KYC questionnaires without supporting documents; weak or absent ongoing monitoring.
Which AML documents are needed for due diligence
In COREDO projects for AML due diligence of a PSP provider, I usually request:
- AML policy, KYC policy, risk assessment and risk appetite statement;
- descriptions of onboarding, monitoring, investigation and reporting (SAR/STR) processes;
- internal and external AML audit reports;
- statistics on STR/SAR, offboardings and onboarding refusals for the last 2–3 years;
- training records for employees;
- a sample of customer files (KYC dossiers), including high‑risk customers and PEPs;
- a sample of transactions in high‑risk segments for forensic analysis.
Due diligence of high-risk jurisdictions
For international investors, we at COREDO regularly conduct sanctions due diligence of a payment company:
- we analyze countries, currencies and payment corridors;
- we check whether there are clients or transactions linked to sanction regimes;
- we assess the sanctions screening and negative news monitoring processes.
The key question: will the purchase of the PSP trigger de‑risking by correspondent banks and payment schemes? Sometimes it is the sanctions profile of the client base that becomes the reason for banks to refuse to continue relationships after a change of control.
Financial and tax due diligence: regulatory context
The payments business is specific: a purely financial due diligence does not give the full picture without understanding regulatory constraints.
In COREDO’s PSP financial due diligence projects we look at:
- revenue structure: processing fees, interchange, FX margin, ancillary services;
- concentration of revenue among a few key merchants;
- stability of margins and unit economics by segment;
- expenses for compliance, IT, licenses and regulatory capital.
Key red flags: dependence on a single large merchant or a narrow niche; aggressive growth in turnover without a proportional increase in the compliance function; a significant portion of revenue from sectors that regulators treat especially harshly.
We supplement tax due diligence in fintech acquisitions with:
- analysis of intercompany agreements within the group;
- verification of substance in the jurisdictions where the company operates;
- assessment of the tax model’s alignment with the overall business logic.
Operational due diligence — IT/cybersecurity
For a PSP, technology is not a back‑office function but the core of the licensed activity. Operational due diligence of a PSP provider at COREDO always includes:
- assessment of governance: role and independence of the board of directors, existence of a compliance committee, three lines of defence;
- analysis of the key team: experience of the CEO, COO, CCO, MLRO, IT director;
- assessment of the incident management and business continuity processes.
IT infrastructure and cybersecurity review
Minimum set of questions:
- platform architecture (own vs white‑label, critical dependencies on vendors);
- SLAs with key providers, uptime, disaster recovery plans;
- results of penetration testing and vulnerability assessments;
- access management, logging, segregation of duties.
GDPR and personal data
In the EU and the UK I always pay special attention to:
- presence and implementation of GDPR policies (data protection, data retention, data minimisation);
- appointment of a DPO and their role;
- data breach incidents and the company’s response.
Checking the protection of PSP customers’ personal data is not a formality: serious violations can lead to fines on a scale comparable to the company’s annual profit.
Red flags during PSP due diligence
Over the past few years the COREDO team has developed a fairly consistent list of “red flags” that lead me to either strongly recommend revising the price and deal structure or to walk away altogether:
- Mismatch between licensed and actual activities (for example, hidden e‑money activity without the appropriate license).
- Systemic AML/KYC violations: lack of adequate documentation for high‑risk clients, weak EDD procedures, a formal approach to ongoing monitoring.
- Open regulatory investigations or outstanding orders.
- Heavy concentration on sanctions‑sensitive markets or high‑risk jurisdictions without a considered risk‑based approach.
- Critical dependence on a single correspondent bank or a single large merchant.
- History of serious data breaches, weak cybersecurity, lack of proper disaster recovery.
- Opaque ownership structure, hidden beneficiaries, discrepancies between regulator records and corporate documents.
- Absence of a real governance structure and an independent compliance officer.
Such a red flag does not necessarily kill the deal, but it requires either a substantial discount and strengthened indemnities, or a clear remediation plan before closing or in the early post‑closing period.
Due diligence in the deal structure
When due diligence in an acquisition is completed, the most important thing for me is to translate the findings into specific legal and financial SPA mechanisms.
In practice COREDO often offers:
- earn‑out: part of the price is tied to future performance (including compliance indicators, retention of licenses, absence of new sanctions/penalties);
- escrow and holdbacks: part of the amount is blocked for a period sufficient to surface potential legacy risks;
- specialized representations & warranties regarding:
  - absence of undisclosed regulatory investigations;
  - completeness of disclosure of AML/CTF incidents;
  - license status and absence of grounds for its revocation;
- indemnities for:
  - fines and sanctions for breaches whose roots lie pre-closing;
  - regulatory claims related to the historical client portfolio and transactions.
In large deals with PSPs, COREDO teams help structure deferred-payment transactions (earn‑outs), where the seller bears shared responsibility for how the business will withstand subsequent regulatory reviews and banking due diligence.
Comparison of jurisdictions for investors
A separate part of the work is choosing a jurisdiction for acquiring a licensed PSP company: the EU, United Kingdom, Singapore, certain Asian or Middle Eastern centres.
What we usually focus on with clients:
- the strictness and predictability of the regulator;
- requirements regarding capital adequacy and safeguarding;
- banks’ attitude towards PSPs from that jurisdiction;
- scalability opportunities (passporting in the EU, cross-border licensing in Asia);
- historical cases of enforcement practice.
Sometimes it makes more sense not to chase the “cheapest” license, but to choose a jurisdiction where: it’s easier to convince banks of the model’s resilience; there is a lower risk of a sudden tightening of regulation; there is a higher likelihood of strategically reselling the asset in the future.
How I structure PSP due diligence with a client
To make due diligence of a payment institution in Europe or Asia genuinely useful rather than formal, at COREDO we follow a simple but effective methodology:
- We build a map of the investor’s objectives
  - why the PSP is being acquired (geography, products, license, technology, customer base);
  - planning horizon (rapid integration or a careful roll‑out).
- We develop the scope of due diligence and a deal risk map
  - we determine the depth of review by blocks: legal, regulatory, AML/KYC, financial, tax, IT, operational;
  - we identify critical KPIs and red flags.
- We perform a phased analysis
  - first a high‑level screening (to weed out clearly problematic targets at an early stage);
  - then a detailed deep dive into key areas.
- We turn the findings into a deal plan
  - we adjust the deal structure and the SPA;
  - we prepare a remediation roadmap after closing;
  - we model scenarios of regulatory inspections and stress scenarios (for example, withdrawal of correspondent accounts by the main bank).
- We support the change of control and interaction with the regulator
  - we prepare the document package for approval of the change of control;
  - we help establish a dialogue with the regulator to explain the new owner’s strategy;
  - we take into account the timing and conditions of approvals in the deal timeline.
What’s important before a deal starts
Buying a PSP is not a quick shortcut, but a strategic decision that changes the risk profile of the entire group. From my experience:
- due diligence of a fintech company and a PSP is never “too deep” when it comes to AML/KYC and regulation;
- weak compliance at the target almost always costs more than the highest possible price discount;
- a properly conducted due diligence when acquiring a company is not an expense, but a tool for negotiations and managing ROI.
My role as the founder of COREDO, and my team’s role, is to ensure that when you decide to buy a PSP you rely not on the seller’s optimism but on a structured analysis: legal, financial, tax, AML, and operational.
If you are considering the purchase of a licensed payment institution, an EMI, or another fintech asset in the EU, Asia, or the CIS, start not with discussing the price but with a due diligence plan. Price is a derivative of risks, not the other way around.