How should companies be doing proper due diligence to vet acquisitions?
We started thinking about this a lot after the news broke that JPMorgan Chase & Co. was suing the founder of Frank, a startup it had acquired, for $175 million.
Frank claimed to have a product that radically simplified the complex process of filling out college financial aid paperwork, and that they already had 4.25 million active users. J.P. Morgan alleged that Frank had only a fraction of these users, and laid out a case in its lawsuit that Frank’s CEO had created fake users and also bought lists to dupe the acquirer’s due diligence team. JP Morgan only figured out the scam when it sent a test email to the user list of Frank and got a tiny fraction of the expected response.
J.P. Morgan’s due diligence team likely examined the email list and probably the company source code at the time of the acquisition, but clearly, they missed any signs of fraud.
In acquiring digital products and companies, there are numerous sources of telltale “digital exhaust” — that is, evidence of digital activity that can be hard or time-consuming to fake. For example, this might be Google Analytics data or log files of system activity on a database. Digital exhaust sources can, either singly or in combination, indicate that something is amiss.
Here’s a list that we ask for when we do acquisition research:
- Cloud spend data — It is pretty straightforward to correlate how much money is spent on cloud computing to how many users and what systems a company is supporting with cloud infrastructure. In general, companies don’t elect to overspend on cloud to demonstrate fake users; the rarely enter the game intending to deceive and only do it after the fact. As a result, either levels of spending or big shifts in spending (either up or down) can give clues as to how many users they have or their growth (or shrinkage)
- Traffic data from original sources such as Google Analytics — Asking for direct access to traffic and analytics data can often provide granular insights into how many actual users a product has. This is likely even more applicable in products like Frank, which are highly seasonal.
- Infrastructure deployment manifests — Related to cloud spend, seeing how much infrastructure is deployed and in what configuration is a useful indicator of product usage and capacity requirements
- Historical usage and user data from third-party services — It is likely that Frank used a third-party email service like MailChimp or SendGrid. These services allow users to keep records of how many new subscribers are added and the size of email runs as well as response rate and unsubscribe requests.
- Database logs — Log files record activity in a given system. Databases are adding and removing records and the logs should show suspicious activity – such as a massive increase in new users or a purge of fake users. It is possible to fake log files but the due diligence team should ask to view the live systems and logs
These are five telltales but there are many more. The great thing about digital due diligence is that digital exhaust is everywhere, coming in so many forms and from so many systems. Ignore it at your own peril.