What does a real M&A process look like? The seven phases explained

From the first indicative offer to the 100-day integration plan — what happens at each phase, what breaks, and how a platform changes the outcome.

Why most deals fail — and where

The M&A process has seven phases. Deals collapse most often in Phase 3 (Fintech Regulatory Due Diligence) and Phase 4 (Regulatory Approvals) — not because the commercial logic was wrong, but because compliance risks that were present throughout the process surface at exactly the point where they are hardest to address.

A deal team that has spent six months on financial and legal due diligence discovers, one week before SPA signing, that the target's BSA Officer has no retention agreement and is actively speaking to recruiters. Or that the Money Transmitter Licence in Texas is non-transferable and will require a 12-month new application. Or that the CBK requires prior approval in Kenya and the 60-day notification window has already expired.

Phase 1 — LOI and NDA

The process begins with a Letter of Intent (LOI) — a non-binding document that sets the headline commercial terms: indicative price, structure (shares vs assets), exclusivity period, and break fee. The LOI is signed alongside or shortly after the NDA.

For the buyer, the LOI is a commitment of resources — legal, compliance, and integration teams will be engaged from this point. For the seller, it is the moment at which the rest of the company typically becomes aware an acquisition process is underway.

What goes wrong at this phase: NDAs with incomplete scope (missing sub-processors, missing jurisdictions); LOIs that are silent on regulatory approval timelines; exclusivity periods that are too short to complete proper compliance due diligence in cross-border deals.

Phase 2 — VDR and data room

The virtual data room is opened and populated by the seller. The quality of the data room at this stage is itself a compliance signal — sellers who have well-organised document archives, up-to-date licence registers, and indexed employment contracts are demonstrating operational maturity that correlates with compliance programme quality.

For the buyer, Phase 2 is when the AI extraction begins — contract portfolios are parsed for change-of-control clauses, employment contracts are reviewed for regulated roles, and the AML audit trail is extracted for recency analysis.

Phase 3 — Regulatory due diligence

Phase 3 is the most complex and the most consequential. Financial due diligence is largely complete by this point — the compliance workstream is now the critical path. In fintech acquisitions, this means AML programme assessment, payment licensing transferability analysis, data protection obligations mapping, and regulated role identification.

This is the phase where DealSafi's 32 guardrails are most active. GR-008 through GR-015 cover AML and licensing. GR-016 through GR-020 cover data protection. GR-026 through GR-030 cover workforce continuity.

Phase 3 cannot advance to Phase 4 if any phase-gate guardrails are unmet. This is the core mechanism that prevents the deal from reaching SPA with open compliance blockers.

Phase 4 — Regulatory approvals

Phase 4 is where the deal sits with regulators. In a multi-jurisdiction fintech acquisition, this means filing simultaneously with multiple authorities — FCA, CBK, RBI, relevant state MTL authorities — while managing different timelines, different documentation requirements, and different definitions of what constitutes prior approval vs notification.

The most common failure mode: the buyer assumes regulatory approvals are a parallel track managed by local counsel and does not assign a phase gate to them. The SPA is signed with approvals outstanding. The deal closes. Six months later, an approval that was expected in 90 days is still pending, and the buyer is operating a licensed payment service in a jurisdiction without the required approval.

Phase 5 — SPA drafting

The Sale and Purchase Agreement is the primary legal document governing the transaction. Every open compliance guardrail that has not been resolved by Phase 5 must have a corresponding SPA mechanism — price reduction, escrow, warranty, or indemnity.

DealSafi's SPA mechanics module maps each open guardrail to its recommended SPA treatment and models the financial impact of each mechanism. For GR-008 (AML audit lapse), the typical mechanism is a price reduction based on the low end of the FinCEN penalty range, discounted for enforcement probability. For GR-009 (BSA Officer continuity), the mechanism is a retention escrow funded at close, releasing at the 18-month employee anniversary.

Phase 6 — Board approval and close

Phase 6 is the final gate before transfer of control. All Conditions Precedent must be satisfied. The board of both entities must approve. The regulatory approvals must be in hand. The Day 1 readiness checklist — including AML programme continuity, system access provisioning, and employee communications — must be complete.

Day 1 is also the moment when the BSA Officer's personal regulatory obligations transfer to the new entity. If the BSA Officer is not confirmed, their salary is below market, and they have been approached by three competitors in the previous 60 days — all of which DealSafi would have flagged six months earlier — then Day 1 is the day they give notice.

Phase 7 — 100-day integration

The 100-day plan covers stabilisation (Days 1–30), integration (Days 31–60), and synergy realisation (Days 61–100). Compliance continuity — AML programme governance, data protection obligations, regulatory reporting — must be explicitly addressed from Day 1, not discovered during integration.

The deals that achieve their projected synergies are the deals where the compliance workstream was continuous from VDR ingestion through close. The integration team inherits clean data, clear ownership, and documented exceptions — rather than discovering surprises.