
Pre-acquisition due diligence for corporate investors: a sobering reminder
The U.S. Attorney’s 28 March guilty verdict against Charlie Javice is a stark reminder to corporate investors and their advisors of the importance of conducting thorough risk-based due diligence prior to acquisitions and investments.[1] Javice tricked JPMorgan Chase into buying her student-loan startup, Frank, for $175 million by deceptively misrepresenting its customer base. The fraud is yet another due diligence disaster to hit the headlines, adding to a list of cautionary tales that includes Autonomy and Theranos, where members of senior leadership of both companies were convicted of grossly and fraudulently inflating company values to woo investors.[2]
Frank’s phantom customers
The Court heard that Javice had hired a data scientist to create nearly 4 million fake “synthetic” customer profiles, when in fact less than 300,000 customers existed.[3] Whilst JPMorgan Chase sensibly hired a third-party vendor to review Frank’s customer list, Javice requested that individual records not be scrutinized on privacy grounds.[4] The review was therefore limited to simply confirming the list size rather than cross-checking phone numbers, names, and addresses for individual entries, using standard techniques such as reverse phone lookups.
It was only after the bank integrated Frank’s bogus customer data into its systems post-acquisition that the fraud was identified. When JPMorgan Chase tried to contact Frank’s customers to sell products as part of a test marketing campaign, it received far fewer responses than expected.[5] Allegedly, only 28% of emails sent in the campaign were delivered to an inbox – in contrast, the average for a JPMorgan Chase marketing campaign was 99%.[6] This case clearly demonstrates the importance of validating information pre-acquisition, especially when the value of a company is largely driven by a key asset such as a customer list.
More tales of undetected deception
Many cases of pre-acquisition deception will understandably never be publicized, given the potential for reputational damage and preference in many instances for settling disputes privately. However, four notable public fallouts serve as further warnings to corporate investors about the need to conduct robust due diligence and the potential for being held liable for failing to do so.
- The sudden collapse in May this year of Builder.ai underlines the significant risk to investors of backing high-growth AI start-ups. The British Microsoft-backed app development start-up once valued at $1.5 billion is now on the verge of insolvency after most of its cash was recalled by a major creditor following tip-offs from ex-employees concerning alleged accounting fraud.[7] By purportedly colluding with social media start-up VerSe Innovation to bill each other reciprocal sales with no commercial basis, thereby falsely inflating both companies’ performance in a practice known as “round tripping”, Builder.ai was committing accounting fraud.[8] This follows separate accusations that the start-up obscured how it was developing its apps for customers; despite claiming to use automated AI technology to build apps, these were instead built manually by several hundred engineers and developers in India.[9] How much investors and creditors stand to recoup from Builder.ai remains to be seen as insolvency proceedings continue.
- Another case involving multiple forms of deceit concerns Momentus, an early-stage space transportation company charged $7 million by the U.S. Securities and Exchange Commission (SEC) in 2021 for lying to investors on two separate counts. First, despite repeatedly claiming it had “successfully tested” its propulsion technology in space, the test had in fact failed and the technology was therefore not commercially viable. Second, Momentus failed to disclose that it could not secure the required governmental licenses to operate, given national security risks surrounding its Russian founder and former CEO, Mikhail Kokorich. Notably, the SEC also fined the investor, Stable Road Acquisition Company, $1 million for both its due diligence failings and unwittingly repeating the “false and misleading information to investors”.[10] [11] This case shows that investors themselves can also be punished for due diligence failings if they fail to uphold a duty of care to other stakeholders.
- An ongoing tussle between two global Private Equity firms underlines the risk of relying upon target company data without performing sufficient independent validation. The case concerns H.I.G. Capital’s $915 million acquisition in 2022 of a majority stake in Audax Private Equity’s portfolio company, Mobileum, a telecommunications software business which later went bankrupt. H.I.G. Capital’s lawsuit claims that it unwittingly overpaid Audax by $250 million given Audax’s “carefully coordinated, systematic effort intended to deceive”, allegations which Audax rejected.[12] Similar to JPMorgan, the alleged fraud only became apparent following a post-acquisition investigation which apparently revealed that Audax had created the false impression of a rapidly growing business. H.I.G. Capital claimed that Mobileum “created and recorded sham bookings and new orders” and “prematurely [recognised] revenues, and thus earnings, on long-term projects”, thereby misrepresenting the company’s financial performance.[13] As the dispute continues, PE firms will be anxiously watching to see whether this case sets a new legal precedent that might ultimately lift the “corporate veil” that PE has until now used to shield itself from successor liability. [14]
- Meanwhile in Australia, the sudden collapse of medtech start-up StrongRoom AI underscores the importance of due diligence in venture capital investing. According to papers filed at a federal court by one of its investors, the start-up’s CEO and co-founder, Max Mito, allegedly confessed to fraudulently misrepresenting its financial performance to secure investment as part of a recent A$17 million capital raise. Whilst the start-up had claimed to have already reached profitability, according to a tip-off from its ex-CFO, it was in fact losing A$800,000 per month, with debts concealed and revenue figures fraudulently inflated to include prior capital raises.[15] The start-up has since been sold to a private entrepreneur for a knock-down price of A$3 million, following a period in administration after legal proceedings brought by a majority contributor to the capital raise.[16] With secured creditors first in line for compensation, it remains to be seen how much, if any, of the combined A$32 million in venture funding investors will ultimately be able to recoup, with administrators recently estimating recoveries at around 14% or potentially nothing.[17] [18]
Safeguarding stakeholders from risk
Whilst pre-acquisition due diligence is not designed to or able to guarantee with absolute certainty that everything is as it appears, it is a crucial risk mitigation exercise that stakeholders expect. Common risks that pre-acquisition due diligence helps to mitigate include financial risk (for example, where past or predicted financial performance is misstated or unrealistic), compliance risk (for example, where elements of the target’s business activities contravene regulations and / or internal company policies, or have the potential to do so), and product risk (for example, where the target misrepresents the ownership, control or feasibility of its flagship technology).
Company boards, shareholders, and investors will naturally expect pre-acquisition due diligence, given their direct financial interest, but what about regulators? The U.S. Department of Justice expects compliance programmes to “include comprehensive due diligence of any acquisition targets” and warns that not doing so “can allow misconduct to continue…causing resulting harm to a business’s profitability and reputation and risking civil and criminal liability”. [19] The UK Serious Fraud Office for its part expects “relevant organisations” (i.e., those qualifying as “large” according to section 201 of the Economic Crime and Corporate Transparency Act 2023) to “conduct due diligence in relation to mergers or acquisitions” as part of fraud prevention. This due diligence may be conducted internally or externally (for example, by consultants) but, as with all fraud prevention procedures, should be “proportionate to the identified risk.” [20]
To reduce the risk of encountering costly fallouts like the cases discussed above, companies looking to make investments – irrespective of geography, sector, target company maturity or deal quantum – should consider these three best practices for identifying red flags in investment targets up front, before it is too late.
- Assessing cooperation
Submit enquiries to the seller / target and request supporting evidence for independent review. To support the authenticity and reliability of the target’s reported credentials it is vital to independently verify the authenticity and reasonableness of the information provided, rather than accepting explanations at face value. For example, financial due diligence should include not only reconciling detailed breakdowns to significant balances and metrics (known as completeness procedures) but also agreeing a sample of records to supporting evidence. Investors should also challenge assumptions about current or future customer numbers, sales, financial performance, contract renewal rates, problematic contracts, and current and future obligations.
Any attempts to hold back or discourage investors from independently validating information (as in the Frank case) should immediately raise concerns and warrant more caution and additional procedures when proceeding with due diligence. For example, proactively interviewing key customers, hiring corporate intelligence investigators to identify specific red flags, and consulting technical experts to assess technology feasibility can help to mitigate financial, compliance and product risks associated with the investment.
- Enhanced risk-based due diligence
Consider going beyond standard industry practices for due diligence for added assurance. Quality of Earnings (QOE) analyses (and Financial Due Diligence (FDD) procedures in the UK) provide important insights on a target company’s current and future financial health and performance (helping to justify valuations), going some way to help mitigate financial risk. Review the reports critically to understand what questions were asked, what information was validated (and how), and whether any concerns were identified and explained. Understanding these points will help investors avoid risky investments such as Builder.ai, Momentus, Mobileum and StrongRoom AI, where financial red flags were concealed and not identified. Where there are specific areas of heightened non-financial risk, a deeper review should be considered.
When assessing compliance risk, corporate investors should consider the following factors:
- Geography – does the target operate in high-risk jurisdictions with heightened risk of bribery, corruption or other illegal activity? The current U.S. administration’s much-publicized prioritization of enforcement activities against cartels and transnational criminal organizations (TCOs) significantly heightens the risk for companies operating in regions prone to such criminal organizations, such as Central America.
- Industry – does the target operate in a regulated industry, such as financial services or healthcare? Companies operating in regulated industries will already have had to maintain a strong culture of compliance, whereas companies operating in less regulated or evolving regulatory environments will likely have less mature compliance programmes.
- Sanctions – do the target’s operations or wider corporate structure involve countries subject to sanctions, such as Russia (as in the Momentus case)? Utilizing corporate intelligence research tools and techniques can reveal any opaque or complex corporate structures that may conceal transactions with sanctioned entities (as well as any hidden liabilities and losses). Screening members of the target’s senior management will also help assess potential exposure to sanctions risk.
When assessing product risk, corporate investors should consider whether the target deploys or relies upon evolving technology such as AI or modern payment systems such as cryptocurrency, where regulation is still developing. If so, does the target have proper protocols in place to manage those risks? Especially for early-stage, technology-dependent companies such as Builder.ai and StrongRoom AI, is there sufficient evidence to support the technology’s value to the business? In January, the SEC issued a consent order against restaurant drive-thru technology company Presto Automation Inc. for falsely claiming exclusive ownership and control of its technology and misrepresenting its capabilities, demonstrating increasing regulator focus on “AI washing” by public companies. For corporate investors, it also serves as a reminder of the importance of understanding and vetting a target’s products and underlying technology.
Where corporate investors do not have the time or expertise to complete these enhanced risk assessment activities themselves, they should consider hiring external experts to conduct targeted pre-acquisition due diligence reviews. These reviews will be independent of any conscious or unconscious biases towards closing the deal quickly, whilst enabling the investor to prioritize more practical elements of the acquisition or investment process.
- Continue due diligence post-acquisition
After gaining full access to the target’s books and records, conduct a thorough post-acquisition review to address any gaps not covered by the pre-acquisition review. Prioritize immediate remediation efforts in these areas, informed by targeted risk and control assessments. In certain jurisdictions reporting the post-acquisition review findings and resulting action plans to regulators can absolve the company from incurring successor liability. For example, the U.S.’s 2023 M&A Safe Harbor Policy grants companies six months to disclose misconduct identified following the transaction, and a further six months to fully remediate the misconduct. Continuous monitoring and testing, key features of a robust compliance programme, help to further reduce the risk. As with pre-acquisition due diligence, consider seeking external expertise for assistance with independent post-acquisition and continuous assessments.