Before acquiring a business in a regulated sector, you need to identify the regulatory risks that could affect the value, structure or completion timetable of the deal. Regulatory due diligence for a telecoms, data or payments business goes beyond standard legal DD. It covers the target’s authorisation status, compliance history, pending or potential enforcement action, regulatory capital requirements, data protection obligations, and any change of control approvals needed to complete the transaction. We conduct regulatory DD as a standalone workstream, reporting directly to the deal team and the board on risks that a generalist DD exercise would miss.

Who this is for

Acquiring or investing in a telecoms, data or payments business and need to understand the regulatory exposure? Regulatory due diligence identifies licence conditions, compliance gaps, enforcement history and pending regulatory change that affect valuation, deal structure and post-completion integration.

Sector	Key licences and registrations	Compliance areas to check	Common red flags
Telecoms	Ofcom General Conditions compliance; spectrum licences; code powers; numbering allocations	TSA 2021 security duties; lawful intercept obligations; universal service; switching compliance	Undisclosed Ofcom investigations; spectrum licence conditions not met; code powers disputes with landowners
Payments	FCA authorisation or registration (PI/EMI); passporting status; agent network registrations	Safeguarding arrangements; Consumer Duty compliance; AML/KYC framework; scheme membership terms	Safeguarding shortfalls; unresolved FCA supervisory actions; consumer complaints trends
Data-intensive / AI	ICO registration; DPIA portfolio; international transfer mechanisms (UK SCCs, adequacy)	Lawful basis documentation; data retention policies; automated decision-making compliance; AI governance	Incomplete DPIAs; reliance on consent without valid mechanism; no AI impact assessments

Typical triggers

• An investor is in exclusivity on a telecoms, payments or data-heavy target and needs a regulatory risk report before the long-stop date
• An acquirer’s internal legal team wants specialist regulatory input alongside their corporate lawyers’ workstream, instructing us directly
• A board is preparing for a sale and wants to clear regulatory issues before they reach the data room
• A lender needs comfort on the regulatory status of a borrower holding FCA authorisations or Ofcom obligations
• Post-completion, an acquirer discovers a regulatory issue missed in diligence and needs remediation advice
• A PE fund is considering acquiring a payments firm and needs to understand the FCA change of control approval process
• A telecoms acquisition involves spectrum licences that need to be transferred with Ofcom’s consent
• The target operates across both telecoms and payments, requiring multi-regime regulatory due diligence

What we deliver

• Regulatory due diligence report: covering authorisation status, condition compliance, enforcement history, contractual regulatory obligations and upcoming regulatory changes affecting the target
• Red flag memo: a summary of material regulatory risks for the investment committee or board
• Deal structure advice: where regulatory status has implications for completion mechanics, change of control notifications or condition transfers
• Remediation plan: where issues are identified pre- or post-completion, a plan to resolve them
• Condition precedent checklist: a schedule of regulatory consents, notifications or approvals required before or after completion, with indicative timescales for each
• Post-completion integration note: where the target operates under different regulatory conditions from the acquirer, a summary of the steps needed to align regulatory compliance after the deal closes

If you are considering a telecoms, payments or data acquisition and need regulatory due diligence, we can scope the work within days of receiving the data room. See all our direct legal advice services or get in touch.

Rob Bratby has conducted regulatory due diligence on telecoms and payments acquisitions for over two decades, drawing on experience at Oftel, Ofcom and as General Counsel to regulated operators. Bratby Law is ranked in Chambers UK (Band 2) for telecoms.

Related direct legal advice pages

See also our other direct legal advice pages:

• Do I need regulatory authorisation before offering my product in the UK?
• What should I do if a regulator is investigating my business?
• Payments Product, Safeguarding and Scheme Governance Advice
• Commercial and Technology Contract Support
• AI, Data and Governance Advice
• Telecoms Product Launch Advice
• Deal Structuring and Negotiation
• Direct Legal Advice (overview)

Representative experience

Recent and representative matters include:

• Conducted full regulatory due diligence on a UK MVNO target for a PE acquirer, covering General Conditions compliance and spectrum licence transferability, identifying a material compliance gap that informed price adjustment.
• Performed data protection due diligence on a health-tech acquisition, assessing lawful basis, international transfers and DPIA compliance, producing a post-completion remediation roadmap.
• Advised on regulatory due diligence for a payments aggregator acquisition, reviewing FCA authorisation status and safeguarding compliance, flagging a safeguarding shortfall that required pre-completion remediation.
• Conducted telecoms regulatory due diligence on a fibre network operator, assessing Electronic Communications Code rights and wayleave portfolio, confirming the asset base supported the acquisition thesis.
• Performed regulatory due diligence on a SaaS business processing telecoms data, covering PECR compliance and CA 2003 regulatory status, clearing the target for completion.
• NSIA Clearances

Frequently asked questions

How long does a regulatory DD report take?

A focused regulatory due diligence report on a single-regime target typically takes 2 to 3 weeks from data room access. Multi-regime targets covering telecoms, payments and data protection take longer. We agree a scope and timeline at the outset, aligned to your deal timetable, and can prioritise where signing deadlines are tight.

What does telecoms regulatory DD cover?

The scope depends on the target’s regulated activities. For telecoms targets, we review Ofcom obligations, General Conditions compliance, spectrum holdings and interconnection arrangements. For payments targets, we assess FCA authorisation status, safeguarding compliance and scheme memberships. We tailor the scope to the deal rationale and the buyer’s risk appetite.

What does payments regulatory DD cover?

The scope depends on the target’s regulated activities. For telecoms targets, we review Ofcom obligations, General Conditions compliance, spectrum holdings and interconnection arrangements. For payments targets, we assess FCA authorisation status, safeguarding compliance and scheme memberships. We tailor the scope to the deal rationale and the buyer’s risk appetite.

Can you work alongside our transaction lawyers?

A focused regulatory due diligence report on a single-regime target typically takes 2 to 3 weeks from data room access. Multi-regime targets covering telecoms, payments and data protection take longer. We agree a scope and timeline at the outset, aligned to your deal timetable, and can prioritise where signing deadlines are tight.

How does this differ from the Transactions practice area page?

The Transactions page explains the types of deal we work on and the regulatory context for each. This page is for a live deal where you need a regulatory diligence report. We work to your deal timetable and coordinate with your transaction counsel to ensure the regulatory workstream does not hold up signing or completion.

We are acquiring a target that holds spectrum licences. Does that need separate regulatory due diligence?

Yes. Spectrum licences are granted by Ofcom and carry specific conditions, including use-it-or-lose-it obligations and coverage requirements. A change of control may require Ofcom consent or trigger licence review. We cover spectrum licensing as part of our telecoms regulatory due diligence and identify any conditions that could affect the deal structure or post-completion obligations.

The investor needs regulatory DD before signing heads of terms. Can you deliver to that timeline?

We regularly deliver regulatory due diligence reports to transaction timescales. For a single-regime target, we can typically deliver within two to three weeks of receiving data room access. For multi-regime targets (telecoms and payments, or telecoms and data protection), allow three to four weeks. We can provide a red flag memo earlier if the deal timeline requires an interim view before the full report.

Do you cover data protection compliance as part of regulatory due diligence?

Yes. Data protection due diligence is relevant for most acquisitions in the telecoms and payments sectors given the volume of personal data these businesses process. We review the target’s UK GDPR compliance, data processing agreements, international transfer mechanisms and any ICO correspondence. This is included within our regulatory due diligence report alongside sector-specific regulatory analysis.

What happens if the due diligence reveals material regulatory issues?

We set out the issues, quantify the risk where possible and advise on the options. Material issues may lead to price adjustments, specific indemnities in the SPA, conditions precedent requiring remediation before completion, or in some cases a decision not to proceed. Our red flag memo is designed to give the deal team an early view so that regulatory issues do not derail the transaction at a late stage.

What is the difference between regulatory due diligence and standard legal due diligence?

Standard legal DD covers corporate, commercial and employment matters. Regulatory DD is a specialist workstream that examines the target’s position under sector-specific regulation: its authorisation status, compliance record, pending enforcement action, regulatory reporting obligations, and any conditions attached to its licence or authorisation. For a telecoms business, this means examining compliance with Ofcom’s General Conditions. For a payments firm, it means reviewing the FCA authorisation, safeguarding arrangements and capital adequacy. These risks are typically outside the scope of a generalist DD exercise.

Independent directory rankings

Our specialist expertise is recognised in major independent legal directories:

• Chambers & Partners: Rob Bratby is ranked as a band 2 lawyer in the UK Guide 2026 in the “Telecommunications” category: Chambers
• The Legal 500: Rob Bratby is listed as a “Leading Partner – Telecoms” in London (TMT – IT & Telecoms): The Legal 500
• Lexology: Rob Bratby is featured on Lexology’s expert profiles as a Global Elite Thought Leader for data: Lexology