M&A glossary

A set of laws, regulations, and procedures designed to prevent criminals from disguising illegally obtained funds as legitimate income. In M&A, AML programme quality is a material due diligence item — deficiencies create post-close regulatory exposure. Key US regulatory basis: Bank Secrecy Act, 31 CFR § 1020.210.

An immutable, hash-linked log of every action taken in a deal process. Each entry contains the previous entry's SHA-256 hash, making any tampering mathematically detectable. Required for regulatory proceedings and litigation support.

An acquisition structure where the buyer acquires specific assets of the target rather than its shares. Often used to avoid inheriting certain liabilities — but regulatory obligations that attach to business activities transfer regardless of structure.

US federal law requiring financial institutions to assist government agencies in detecting and preventing money laundering. Non-compliance penalties: $1,000–$1,000,000+ per day per violation.

The designated individual at a US financial institution personally responsible for BSA/AML programme compliance. Loss of BSA Officer continuity post-acquisition is a material regulatory risk. DealSafi guardrail: GR-009.

Contract allowing a non-bank entity to issue cards under a bank member's Bank Identification Number. Typically contains change-of-control provisions requiring scheme consent.

Kenya's primary competition regulator. Requires pre-notification of mergers meeting threshold criteria before completion. Timeline: 14–30 business days.

Kenya's central bank and primary financial services regulator. Requires prior approval for change of control in licensed payment service providers. Minimum 60-day notification period. DealSafi guardrail: GR-021.

Mandatory component of a BSA-compliant AML programme. Requires verification of customer identity. Deficiencies create post-close remediation obligations. DealSafi guardrail: GR-003.

A contract provision that triggers specific rights or obligations upon a change in controlling ownership. Can require consent, trigger termination rights, or accelerate obligations. AI extraction of CoC clauses is a core due diligence activity.

Conditions that must be satisfied before SPA obligations become binding. Common CPs: regulatory approvals, key employee retention confirmations, AML programme remediations. Unsatisfied CPs block deal close.

The investigation a buyer conducts before completing an acquisition — covering financial, legal, commercial, regulatory, technical, and HR workstreams. The quality of due diligence determines whether compliance risks are discovered before or after close.

A contract required under GDPR Article 28 between a data controller and processor. In M&A, the acquirer must execute DPAs with all sub-processors before assuming data controller status. DealSafi guardrail: GR-025.

Deal consideration held in third-party account after close, pending satisfaction of conditions. Common types in fintech M&A: retention escrow (BSA Officer), R&W escrow (regulatory warranties), remediation escrow (AML programme cure).

UK financial services regulator. Requires notification and approval of change of control for FCA-authorised firms. Approved Persons (CF11 MLRO) must be confirmed for the post-acquisition entity. Timeline: 60 working days.

US Treasury bureau responsible for BSA/AML enforcement. Issues civil money penalties for AML programme failures. Penalty range: $1M–$100M+ depending on severity and duration.

A rule in a deal platform that fires when a compliance condition is not met, blocking phase advancement until resolved or a documented exception is granted. DealSafi operates 32 guardrails across seven deal phases.

EU data protection regulation. Key M&A obligations: Article 37 (DPO appointment), Article 28 (processor agreements), cross-border transfer mechanisms. Applies from Day 1 of the new entity's data processing.

US antitrust pre-merger notification requirement. Transactions above the filing threshold require submission to FTC and DOJ, triggering a 30-day waiting period. Filing threshold (2025): $119.5M.

A record that cannot be altered after it is written. In M&A platforms, implemented with SHA-256 hash chains and WORM storage. Required to provide reliable evidence of decisions and exceptions for regulatory and litigation purposes.

A structured work plan for the first 100 days post-close: stabilisation (Days 1–30), integration (Days 31–60), and synergy realisation (Days 61–100). AML programme continuity must be addressed from Day 1.

Kenya's primary data protection legislation. Requires ODPC registration, DPO appointment, and data processing agreements. Applies to organisations processing data of Kenya-resident persons.

Non-binding document outlining key terms of a proposed acquisition. Typically triggers exclusivity, initiates formal due diligence, and opens the data room. Phase 1 in DealSafi's seven-phase deal model.

State-level US licence required to operate as a money transmitter. MTLs are entity-specific in 23 states and cannot be transferred upon acquisition — requiring new applications taking 6–18 months. DealSafi guardrail: GR-011.

Designated individual at a UK financial institution responsible for AML compliance and suspicious activity reporting. FCA Approved Person (CF11). Equivalent to the US BSA Officer.

Contract protecting confidential information shared during an M&A process. Typically executed before data room access. The first phase gate in a structured deal — no documents transfer without it.

US Treasury office administering economic and trade sanctions. OFAC screening of beneficial owners, counterparties, and key personnel is a standard AML due diligence requirement. DealSafi guardrail: GR-002.

A point in a deal process where advancement requires all conditions for that phase to be met. In DealSafi, phase gates are enforced by compliance guardrails — the deal cannot advance if material conditions are unmet.

Protection preventing compelled disclosure of confidential lawyer-client communications. In M&A, privileged documents require segregated handling — not processed by AI systems or accessible to non-legal personnel.

Security model granting access based on role, not identity. In M&A platforms, RBAC ensures salary data is only visible to CHRO and Deal Owner, privilege is restricted to legal personnel, and each workstream sees only what is necessary.

India's central bank. Requires prior approval — not just notification — for acquisitions of licensed payment system operators. No binding SPA can be executed before approval is granted. Timeline: 90–180 days.

Insurance for breaches of SPA representations and warranties. R&W policies typically contain compliance exclusions for known programme deficiencies — making pre-close guardrail documentation critical for coverage.

Report filed with FinCEN when a financial institution suspects a transaction involves money laundering or other criminal activity. SAR filing history is a material AML due diligence item.

The primary legal document governing an acquisition. Contains representations, warranties, conditions precedent, and price adjustment mechanics. Every open compliance guardrail at SPA signing should have a corresponding SPA mechanism.

Secure online repository for confidential document sharing during an M&A process. VDR quality — access controls, audit logging, document classification — is a meaningful indicator of seller compliance maturity.

Storage technology preventing modification or deletion of data after it is written. Required for regulatory record-keeping in financial services. AWS S3 Object Lock in compliance mode implements WORM with configurable retention periods.

Employee representative body in EU jurisdictions. Must be informed and/or consulted before corporate restructuring including M&A. Most material in Germany, Poland, France, Netherlands.