Mergers and acquisitions (M&A) remain a primary tool for growth in the financial services sector. However, beneath the surface of strategic alignment and market opportunity lies a persistent challenge – compliance risk.
Mike Walters, senior managing director and EMEA head of financial services in the forensic & litigation consulting segment at FTI Consulting, says that these risks are frequently underestimated or addressed too late in the M&A process.
“Before assessing a target, firms should ensure their own compliance function is equipped to manage integration. This includes having a defined risk appetite, clear escalation channels and sufficient bandwidth to oversee change,” Walters said.
The drivers of M&A vary depending on the market segment. Large institutions may seek efficiencies by cutting duplication, while smaller regional banks look to mergers for survival. Walters highlights how rising fixed costs in compliance and risk management are pushing this trend.
“Market consolidation remains a major theme, especially as the fixed costs of compliance, digital transformation, and risk management outpace the ability of smaller firms to absorb them,” he says.
In parallel, many acquisitions are motivated by digital innovation. Established banks are acquiring fintech firms to fast-track capabilities they may struggle to build organically. Walters points out that these transactions are less about balance sheet strength than about acquiring platforms and people.
“These deals are less about balance sheet strength and more about accessing talent, platforms and customer experience innovation.”
Private capital is also playing an increasingly active role. As valuations stabilise, private equity and venture investors are investing across subsectors such as payments and digital lending.
According to Walters, “For many targets, valuations have stabilised, making acquisition a cheaper path to capability than building in-house.”
Yet despite these strategic imperatives, compliance remains a potential stumbling block – one that can affect not just deal execution but long-term integration success. Walters stressed that acquirers are inheriting more than just balance sheets.
“Often, the most material issues are not headline-grabbing breaches, but subtler signs of misalignment ─ outdated systems, underdeveloped governance or a culture that deprioritises compliance.”
Regulatory issues can emerge in several forms. A target firm may have legacy misconduct cases, unresolved supervisory findings, or systems that don’t meet current expectations. This can introduce unexpected costs or affect customer retention.
“Products that don’t meet current standards on fairness, transparency or accessibility can expose the acquiring firm to conduct risk — particularly if customer journeys are disrupted post-merger,” he said.
In particular, financial crime compliance remains a sensitive area. For fintech targets, this risk can be pronounced given less mature AML or sanctions frameworks.
“Financial crime compliance must also be scrutinised. Weak AML or sanctions controls, an unusual customer base or opaque ownership structures can all introduce significant legal and reputational risk. This is especially true when acquiring FinTechs, where controls may be less mature,” he said.
Cybersecurity and data protection have also become central considerations in due diligence. Without full transparency on IT infrastructure and privacy controls, firms risk regulatory breaches post-deal.
Walters said the consequences can be significant. “Merging systems without full visibility of security standards or data handling processes can leave vulnerabilities open to exploitation or breach regulatory requirements.”
Culture is another key integration variable – one that often determines whether controls are embedded or simply imposed. While difficult to quantify, cultural alignment is critical to effective governance and risk management.
“Cultural incompatibility, while less tangible, often proves decisive,” he says. “Different attitudes to compliance, governance and accountability can make integration harder, slow down decision-making and weaken control environments.”
To address these risks proactively, Walters advised that compliance must be embedded into each stage of the M&A lifecycle. It begins with tailored due diligence – not standardised templates.
“Compliance reviews must go beyond just checklists or tick box exercises. Acquirers should tailor their approach based on the target’s profile and known risks.”
This includes reviewing policies, governance structures, customer file samples, complaints data, and even internal audit reports. External advisers, especially in areas such as financial crime and technology, can add depth and credibility. “Engaging independent advisers for targeted reviews, particularly on financial crime or technology, can add credibility and depth,” Walters said.
Where risks are identified, firms should be ready to reflect these in deal terms, including pricing and conditions precedent.
“If risks are identified, they should influence deal pricing, warranties and conditions. In some cases, remediation may be required as a condition precedent,” Walters said. “Early, transparent engagement with regulators can streamline approvals and reduce post-deal scrutiny.”
Post-close, the acquiring institution becomes responsible for the compliance profile of the acquired firm. Walters recommended early integration planning, especially for aligning governance frameworks and systems.
“In fintech deals, firms may choose to preserve the target’s autonomy to retain innovation capability. But over time, regulatory standards must converge – requiring a roadmap to align policies, training, and oversight,” he said.
For firms that approach M&A with compliance at the forefront, there may also be longer-term benefits.
“Integration isn’t just about risk avoidance; it’s an opportunity to enhance compliance maturity, simplify frameworks and build a stronger risk culture across the combined business,” Walters said. “M&A can be transformative – but only if compliance risk is seen not as a burden, but as a core dimension of deal success.”
What are your thoughts on this story? Please feel free to share your comments below.
