Conducting Effective Private Equity Due Diligence

Most post-acquisition surprises don't come from bad markets. They come from gaps in the due diligence process itself. Bain found that 71% of PE investments fell short of projected margins, ending an average of 330 basis points below deal-model forecasts — a gap Bain attributes largely to siloed, disconnected diligence workstreams rather than external conditions.

The stakes keep rising. Global buyout investment value climbed 37% year over year to $602 billion in 2024, with $1.2 trillion in dry powder waiting to be deployed. In that environment, overpaying for a target or inheriting an undisclosed liability isn't a minor setback — it can define fund performance for a decade.

This guide covers the full PE due diligence process: the two phases every deal team should follow, the five functional workstreams that organize confirmatory diligence, and the compliance dimension that most generic frameworks treat as an afterthought — despite it being the most consequential risk area when acquiring regulated targets like fintech, payments, crypto, and banking businesses.


TLDR: Key Takeaways

  • PE due diligence runs in two phases (exploratory and confirmatory); knowing when to shift between them takes judgment, not just momentum
  • Five workstreams need structured evaluation: financial, commercial, legal, operational, and technology
  • Compliance and regulatory DD is chronically underweighted, yet it's the highest-consequence risk area for regulated-sector acquisitions
  • Red flags aren't automatic deal-killers — they need to be quantified, priced, and assigned remediation plans before closing

What Is Private Equity Due Diligence?

PE due diligence is the structured investigative process a deal team undertakes before committing capital. It covers financial, legal, operational, commercial, and compliance dimensions of the target company to validate investment assumptions, surface hidden liabilities, and confirm the thesis holds under scrutiny.

The process serves two purposes that are easy to conflate but genuinely distinct:

  1. Risk protection — keeping the fund from overpaying or inheriting undisclosed obligations
  2. Value creation mapping — identifying achievable operational and strategic improvements post-close — the foundation of the 100-day plan

Both matter. Funds that run diligence purely as a checklist exercise protect against downside but leave upside on the table — and upside is what justifies the price paid.


The Two Phases of PE Due Diligence

Exploratory Phase: Rapid Fit Assessment

The exploratory phase is a quick screen against the fund's investment thesis. Deal teams typically work from the Confidential Information Memorandum (CIM) and publicly available data to determine whether further investment of time and specialist resources is warranted.

At this stage, sellers provide limited disclosure. That makes independent verification of key claims worth doing before the data room even opens — specifically:

  • Revenue figures and how they're recognized
  • Market size assertions and the methodology behind them
  • Customer retention narratives and whether churn data supports them

If the exploratory phase doesn't surface a clear thesis-breaker, the deal moves to confirmatory diligence.

Confirmatory Phase: Deep Verification

This is where the real work happens. Confirmatory diligence involves:

  • Third-party specialists (legal counsel, financial auditors, compliance advisors)
  • Management interviews and site visits
  • Full data room review against a comprehensive document request list
  • Stress-testing of the financial model's core assumptions

[Figure: 4-step confirmatory due diligence process flow for PE deal teams]

The confirmatory phase should actively challenge the initial positive read from exploratory diligence — not validate it. Deal teams that use this stage to build a case for closing, rather than probe for weaknesses, are the ones who get surprised post-close.


The Five Core Areas Every Deal Team Must Evaluate

Most PE firms organize confirmatory diligence across five functional workstreams. Each has its own specialists and documentation requirements, and the depth applied to each varies by industry, deal size, and risk profile.

Financial Due Diligence

The financial workstream covers audited financials for a minimum of three to five years — income statements, balance sheets, and cash flow statements. The centerpiece is a Quality of Earnings (Q of E) assessment, which strips out one-time items to reveal normalized, recurring revenue and EBITDA.

RSM's financial due diligence framework includes quality of earnings analysis, working-capital and cash-flow analysis, revenue and margin analytics, balance-sheet benchmarking, and debt normalization adjustments. A well-executed Q of E should stress-test:

  • Revenue impact if the top two or three customers exited
  • Exposure to rising input costs and whether margins hold
  • Whether reported EBITDA includes seller-specific perks, one-time gains, or management adjustments that won't survive under new ownership

Large gaps between reported GAAP earnings and Q of E earnings are a material signal: not automatically disqualifying, but requiring explanation.

Commercial Due Diligence

Commercial DD answers the question a financial buyer can't take on faith: is the target's revenue growth assumption actually achievable?

KPMG's commercial due diligence framework analyzes market environment, competitive positioning, customer retention and churn, and the defensibility of the target's competitive position. PwC's approach similarly examines whether business plan projections are aggressive relative to historical performance.

The output of commercial DD should be a validated revenue growth assumption that feeds directly into the deal model — not a narrative, but a number the deal team can defend.

Legal Due Diligence

Legal review covers the following areas, each with its own documentation requirements:

  • Corporate structure and shareholder agreements
  • Customer and vendor contracts (including change-of-control clauses)
  • Employment agreements and compensation obligations
  • Pending or threatened litigation
  • IP ownership and licensing arrangements

Change-of-control clauses deserve specific attention. An acquisition can trigger automatic termination or renegotiation rights that weren't visible in the CIM.

Legal DD should also map constraints on post-close operational changes. If the PE firm plans to reduce headcount, terminate underperforming vendor contracts, or restructure management, those actions need to be tested against contractual and statutory obstacles before close — not after.

Operational Due Diligence

Operational DD maps the target's organizational structure, management team depth, supply chain health, and workflow documentation. Weaknesses here don't automatically kill deals. Many represent exactly the kind of value creation opportunity that justifies PE ownership in the first place.

Standard practice here includes direct interviews with management, key customers, and suppliers. What the data room shows and what those conversations reveal are often different things.

Technology and IT Due Diligence

Technology DD inventories all hardware, software, and infrastructure — including ERP, CRM, financial systems, and cybersecurity controls. The core question isn't just whether the technology works today, but whether it can scale with the post-acquisition growth plan.

Legacy systems requiring significant investment to integrate or replace carry both cost risk and timeline risk. If the value creation thesis assumes 30% revenue growth over three years but the current tech stack needs a $4 million infrastructure rebuild to support it, that number belongs in the deal model.


Compliance and Regulatory Due Diligence: The Critical Gap in Most PE Deals

Generic due diligence frameworks treat compliance as a subset of legal review. For deals in regulated industries — fintech, payments, crypto, banking, embedded finance — that framing carries real financial consequences.

What the Enforcement Record Actually Shows

The penalties for BSA/AML program failures at financial institutions are not hypothetical:

Entity    | Year | Violation                                                                   | Penalty
----------|------|-----------------------------------------------------------------------------|--------
Binance   | 2023 | Willful BSA violations; virtual asset exchange                              | $3.4B
TD Bank   | 2024 | Largest depository-institution penalty in FinCEN history                    | $1.3B
USAA FSB  | 2022 | Willful BSA violations; failure to report suspicious transactions           | $140M
BitMEX    | 2021 | Operating without a compliant customer identification program               | $100M
Bittrex   | 2022 | No effective AML program; two employees reviewing 20,000 daily transactions | $29M


CFPB enforcement in fintech has followed a similar pattern — Block/Cash App faced a $55M civil penalty and up to $120M in consumer redress in January 2025 for failures in fraud dispute resolution.

These aren't edge cases. They illustrate the range and severity of what compliance gaps can cost a business — and by extension, what they can cost a PE firm that acquires one without assessing them.

What a Thorough Compliance Review Should Cover

For regulated targets, the compliance workstream should assess:

  • BSA/AML program maturity — policies, transaction monitoring system adequacy, SAR filing practices, CIP/KYC program quality, and high-risk customer controls
  • UDAAP exposure — review of consumer-facing disclosures, fee structures, and dispute resolution practices
  • State and federal licensing status — money transmitter licenses, FinCEN MSB registration (required within 180 days of establishment under federal rules), and any gaps between where the business operates and where it holds licenses
  • Regulatory examination history — prior exam findings, outstanding consent orders, and enforcement actions
  • Compliance function quality — staffing levels, reporting lines, and whether the team has the experience to manage regulatory relationships

The Sponsor Bank Risk Specific to Embedded Finance Targets

For fintech and embedded finance companies operating through a Banking as a Service (BaaS) model, the sponsor bank relationship is the business. If that relationship is at risk post-acquisition, the entire revenue model is at risk.

The Synapse collapse illustrated this directly: a $60–90 million shortfall in consumer funds and weeks of frozen accounts resulted from recordkeeping and program oversight failures that the CFPB subsequently pursued. Evolve Bank, a sponsor bank in that arrangement, received a Federal Reserve cease-and-desist order.

When evaluating a BaaS-dependent target, deal teams should assess:

  • Whether the sponsor bank's compliance requirements exceed the target's current program capabilities
  • Whether the bank has flagged concerns about the target's compliance posture in prior reviews
  • Whether the relationship agreement contains termination clauses tied to regulatory actions against the fintech

Engaging External Compliance Expertise

Most PE deal teams lack in-house regulatory expertise specific to fintech or crypto. Bringing in external compliance advisors during confirmatory diligence — not after close — is standard practice for regulated-sector acquisitions.

Fraxtional provides pre-investment compliance due diligence for PE firms acquiring financial services, payments, and crypto businesses. Deliverables are structured to serve the deal team's investment committee, LP reporting requirements, and sponsor bank review standards simultaneously. Each assessment includes:

  • Findings organized by severity and urgency
  • Specific remediation recommendations (not generic observations)
  • Board-level presentation format

For post-close needs, Fraxtional places named fractional executives — CCO, BSA Officer, CAMLO, or MLRO — directly into portfolio companies that lack internal compliance leadership, providing immediate coverage without the cost or timeline of a full-time hire.

Quantifying Compliance Gaps: The Materiality Framework

Not every compliance gap pauses a deal. The deal team's job is to classify each finding:

Classification    | Definition                                         | Common Examples
------------------|----------------------------------------------------|------------------------------------------------------------------
Threshold issues  | Unresolved gaps that make the deal untenable       | Active enforcement action, license revocation risk
Pricing issues    | Quantifiable gaps reflected in deal economics      | Purchase price adjustments, escrow holdbacks, R&W insurance
Post-close issues | Remediable gaps with a defined remediation path    | 100-day compliance buildout plan


The cost to remediate, timeline to remediate, and probability of regulatory action against an unaddressed gap should all be quantified before closing, not assumed away.


Common Red Flags That Should Pause or Stop a Deal

Not every red flag kills a deal — but each one demands an explanation. The three categories below cover the most common issues that surface during diligence and, left unaddressed, create real post-close risk.

Financial Red Flags

  • Revenue heavily concentrated in one or two customers with expiring or non-exclusive contracts
  • Significant, unexplained adjustments between reported GAAP earnings and Q of E EBITDA
  • Unusual related-party transactions that inflate reported profitability
  • Inconsistent revenue recognition practices across periods

Legal and Compliance Red Flags

  • Unresolved litigation with material financial exposure
  • Evidence of regulatory non-compliance in a licensed business — especially gaps in BSA/AML program documentation or licensing coverage
  • IP ownership disputes or assets that are not cleanly assigned to the target entity
  • Change-of-control provisions in key contracts that trigger termination rights upon acquisition

Management and Operational Red Flags

  • High turnover at the senior management level in the 12–24 months prior to the sale process
  • Over-reliance on a single founder with no documented succession plan and no second-tier leadership
  • Inability to produce clean, timely financial data during the diligence process itself
  • Operational processes that are entirely person-dependent and undocumented — common in founder-led businesses that scaled fast

When multiple flags cluster in the same category — especially legal and operational — that pattern often signals deeper structural problems than any single item would suggest on its own.


Building Your PE Due Diligence Checklist

An effective checklist is organized by workstream — financial, commercial, legal, compliance, operational, IT — and tailored to the specific industry and risk profile of the target. A generic template will miss the most material risks for almost any specific deal.

Define a comprehensive document request list at the start of confirmatory diligence, track outstanding items systematically, and treat slow or incomplete responses as a signal. Sellers who are organized and responsive tend to run organized businesses. The inverse is also frequently true.

Once documents are flowing, the team needs a method to sort what actually matters. A three-tier framework keeps specialist time focused where it belongs:

Tier       | Category                            | Action
-----------|-------------------------------------|------------------------------------------------------
Threshold  | Unresolved gap = no deal            | Must be resolved before closing
Pricing    | Quantified, reflected in deal terms | Purchase price adjustment, escrow, or R&W coverage
Post-close | Addressed via 100-day plan          | Milestone-based remediation with accountability


This tiering lets the deal team manage specialist time efficiently across a compressed timeline. Threshold items should surface in preliminary diligence — waiting until full confirmatory workstreams are running to discover a deal-breaker is expensive and avoidable.


Frequently Asked Questions

What is due diligence for private equity?

PE due diligence is the structured investigation a private equity firm conducts before acquiring or investing in a company, covering financial, legal, operational, commercial, and compliance dimensions. The goal is to confirm investment assumptions and surface risks before capital is committed.

What is an example of due diligence in private equity?

A PE firm evaluating a fintech payments company would typically work through several parallel workstreams:

  • Review three years of audited financials and commission a Quality of Earnings report
  • Assess the target's BSA/AML compliance program and licensing status
  • Interview management to pressure-test the revenue growth assumption in the deal model

What is the difference between commercial due diligence and vendor due diligence?

Commercial due diligence (CDD) is buyer-commissioned — an independent assessment of the target's market position, competitive dynamics, and revenue sustainability. Vendor due diligence (VDD) is commissioned by the seller in advance and shared with prospective buyers, typically to accelerate and control the sale process.

How long does private equity due diligence typically take?

Exploratory diligence runs two to four weeks. Confirmatory diligence for a mid-market deal takes six to twelve weeks. Regulated-sector targets — particularly fintech, payments, and crypto — require additional time for compliance and licensing reviews.

What are the biggest red flags in private equity due diligence?

The most common deal-pausing findings include:

  • High customer concentration with fragile contract structures
  • Material Q of E adjustments management can't explain
  • Unresolved regulatory or litigation exposure
  • Management unable to produce reliable financial data during the process itself