Investor and acquirer appetite for digital economy businesses has grown significantly over the past three years. Payment companies, crypto exchanges, stablecoin issuers, digital asset custodians, and licensed fintech operators are now meaningful components of private equity portfolios, venture books, and strategic acquisition pipelines. The commercial logic is clear. The due diligence frameworks, in many cases, have not kept pace.

Standard financial due diligence (FDD) was designed for businesses where the primary risks live on the balance sheet and in the income statement. In regulated digital economy businesses, some of the most consequential risks live elsewhere: in the licence, in the compliance architecture, in the financial crime control environment, and in the relationship between the business and its regulator. A clean audit opinion and a well-structured cap table do not tell an investor whether a target is one enforcement action away from losing its operating permissions.

This piece sets out what rigorous financial due diligence (FDD) and regulatory due diligence (RDD) look like for digital economy targets, why the standard playbook is insufficient, and where the most material risks tend to concentrate across the asset classes investors are most actively considering.

Why Standard Due Diligence Falls Short

The gap between conventional FDD and what digital economy businesses actually require is not marginal. It is structural. Three features of these businesses create diligence risk that generic frameworks routinely miss.

The licence is the business

For a payment institution, a VASP, or a digital bank, regulatory authorisation is not a background condition. It is the asset. A licence that is subject to conditions, under review, or held by an entity that cannot be cleanly transferred in a change of control transaction is a material issue that affects both deal structure and valuation. Investors who treat licensing as a legal workstream rather than a financial one frequently discover post-close that the economic assumptions underpinning the deal were built on an authorisation that is less certain than it appeared.

Controller and substantial shareholder approval requirements exist across virtually every major jurisdiction. A new investor crossing a specified threshold, typically 10% to 30% depending on the regime, will trigger a regulatory approval process. In some jurisdictions that process takes six to twelve months. In others, approval is not guaranteed. The implications for deal timing, structure, and closing mechanics are significant and are frequently underestimated in initial deal planning.

Financial crime risk is not just a compliance question

AML and financial crime exposure in digital economy businesses is a financial risk, not merely a regulatory one. Enforcement actions in this sector regularly result in fines measured in hundreds of millions of dollars, mandatory remediation programmes that consume management bandwidth for years, and in serious cases, licence revocation. For an acquirer, inheriting a target with deficient transaction monitoring, inadequate KYC/CDD processes, or historical SAR filing gaps is inheriting contingent liability that may not appear anywhere in the financial statements.

The quality of a target's financial crime control environment requires independent assessment. Reviewing the compliance manual is not sufficient. The relevant questions are whether the controls actually function as designed, whether the risk appetite is calibrated appropriately for the business model and customer base, and whether there is documented evidence of a culture of compliance at operational level, not just board level.

Regulatory history travels with the business

Enforcement history, skilled person appointments, past regulatory findings, and open dialogue with regulators are not always visible in standard document review. They may not be disclosed voluntarily. A target that has been subject to a skilled person review, received a supervisory notice, or entered into a voluntary requirement with its regulator carries a history that materially affects both risk assessment and post-acquisition regulatory relationships. Diligence that does not surface this history is incomplete.

The Regulatory Landscape: A Multi-Jurisdictional Reality

Most digital economy businesses of meaningful scale operate across more than one jurisdiction, or are expanding into additional ones. The regulatory frameworks governing these businesses differ materially in their structure, their scope, and the obligations they impose on investors and controllers. Understanding the cross-border regulatory picture is not optional for a serious acquirer. It is foundational.

The table above reflects the primary frameworks as of mid-2026. Several of these regimes are in active development. MiCA's full implementation across EU member states is ongoing. The IASB's position on digital asset accounting remains unresolved. US regulatory classification of digital assets as securities or commodities remains contested. Any investor conducting diligence should obtain current regulatory analysis rather than relying on framework-level knowledge that may be months out of date.

Key Diligence Workstreams

Rigorous FDD and RDD on a digital economy target should address the following workstreams, each of which requires specialist input beyond what a generalist financial advisor can provide.

1. Licence Review and Portability Analysis

— Scope and conditions of each regulatory authorisation held
— Activity permissions versus actual business activities: gaps and unlicensed activity risk
— Controller and substantial shareholder approval requirements on change of control
— Licence portability in an asset deal versus a share deal
— Pending applications, outstanding regulatory queries, and conditions imposed
— Cross-border licensing gaps where the business operates in jurisdictions without local authorisation

2. Financial Crime Control Assessment

— AML and CTF framework adequacy relative to business model and customer risk profile
— Transaction monitoring system design, calibration, and alert management
— KYC and CDD processes, including enhanced due diligence for high-risk customers
— SAR filing history and quality
— Sanctions screening programme: completeness, frequency, and escalation procedures
— Financial crime governance: MLRO quality, board oversight, and resource adequacy
— Third-party and correspondent relationship risk

3. Regulatory Relationship and History

— History of regulatory engagement: supervisory visits, thematic reviews, and findings
— Any skilled person appointments, past or present
— Enforcement history across all jurisdictions of operation
— Open regulatory dialogue and any pending supervisory matters
— Quality of regulatory reporting and submissions

4. Financial Crime Liability Assessment

— Quantification of potential fines and remediation costs under identified control gaps
— Assessment of historical transaction populations for financial crime exposure
— Digital asset tracing where the target holds or has held third-party digital assets
— Identification of contingent regulatory liability not reflected in financial statements

5. Accounting and Financial Reporting Quality

— Digital asset accounting policies: IAS 38 versus IAS 2 classification; revaluation model application
— Revenue recognition: fee structures, staking income, and token-based arrangements
— Custody asset treatment: on versus off balance sheet
— Intercompany and related-party arrangements across group entities in multiple jurisdictions
— Quality of management information and financial reporting infrastructure

Asset Class Considerations

The specific risks that dominate diligence will differ depending on the type of digital economy business under review. The following observations reflect the most common risk concentrations by asset class.

Payment Companies and E-Money Institutions

The primary risk concentration in payment businesses is typically at the intersection of licensing breadth, financial crime controls, and scheme membership. An acquirer should understand precisely which payment activities are covered by the licence, whether the business holds or processes client funds in ways that trigger safeguarding requirements, and the quality of its correspondent and banking relationships. Banking relationships are frequently the most fragile element of a payments business and the most difficult to replicate if lost.

Crypto Exchanges and VASPs

For exchanges and VASPs, the dominant risks are regulatory authorisation scope, financial crime exposure from historical customer activity, and the accounting treatment of proprietary digital asset positions. Wallet-level exposure analysis is often necessary: understanding which counterparties a VASP has transacted with, and whether those counterparties carry sanctions or financial crime risk, can materially affect the risk profile of the business. This analysis requires specialist blockchain analytics capability alongside standard financial review.

Stablecoin Issuers

Stablecoin issuers face a rapidly evolving regulatory environment across all major jurisdictions. The quality and composition of reserve assets, the legal structure of redemption rights, and the regulatory classification of the stablecoin instrument itself are all live issues. MiCA imposes specific reserve and disclosure requirements on e-money token and asset-referenced token issuers within the EU. Outside the EU, the framework is less settled. An acquirer should obtain current legal and regulatory analysis on classification and reserve adequacy rather than relying on the issuer's own characterisation.

Licensed Fintechs and Digital Banks

For regulated fintechs and digital banks, the critical diligence questions typically concern the depth and durability of the regulatory licence, the adequacy of capital relative to regulatory requirements and growth plans, and the maturity of the compliance and financial crime infrastructure. Early-stage fintechs that obtained licences during a period of more permissive regulatory oversight may be carrying authorisations that would not be granted today under current supervisory standards. This creates a risk profile that is not visible in historical financials.

Structuring Implications

The output of FDD and RDD should directly inform transaction structure, not merely appear as an appendix to the deal report. The most common structural responses to diligence findings in digital economy transactions include:

— Deferred consideration or earnout arrangements contingent on regulatory approval of the change of control
— Escrow provisions sized against identified financial crime liability or remediation cost estimates
— Regulatory condition precedents: closing conditional on receipt of controller approval
— Warranties and indemnities specifically addressing undisclosed enforcement history and regulatory conditions
— Pre-close remediation requirements imposed as a condition of signing, where control gaps are identified
— Separate acquisition of licence-holding entities in jurisdictions where licence portability is constrained

These mechanisms are increasingly standard in well-advised digital economy transactions. Investors who do not obtain the specialist diligence necessary to identify the underlying exposures cannot structure around them effectively.

The regulatory and financial crime dimension of digital economy diligence is not a compliance formality. It is where deal value is most commonly mispriced, and where post-acquisition surprises tend to be most consequential. The quality of specialist input at the diligence stage is what separates investors who close well from those who inherit problems they did not know they were buying.

Meridion advises law firms, investors, and acquirers on the FDD and RDD aspects of transactions involving digital asset businesses, payment companies, fintech operators, and other regulated entities in the digital economy. Our practice combines deep regulatory expertise across the UAE, UK, EU, Singapore, and other major jurisdictions with the financial crime investigation and accounting capabilities required to assess the financial crime and accounting dimensions of these transactions rigorously.