How a PE Fund Avoided a ₹12 Cr Tech Write-Off by Running a Pre-Bid Tech DD on a Distressed Fintech

Engagement: Pre-Acquisition Technical Due Diligence  |  Sector: Lending-as-a-Service  |  Duration: 18 Days

The Setup

A mid-market PE fund based in Mumbai, with co-investors in Singapore and the UAE, was evaluating a distressed digital lending platform under India’s IBC process. The target was a Lending-as-a-Service company that had built a white-label platform used by three NBFCs to originate and manage retail loans. At its peak, the platform processed around 15,000 loan applications monthly and managed a book of approximately ₹400 crore across its NBFC partners.

On paper, it was a compelling deal. The technology was the asset: proprietary credit scoring models, a loan management system, integration layers with credit bureaus and bank APIs, and a mobile-first borrower interface. The resolution professional’s information memorandum described it as a “fully proprietary, regulator-ready digital lending stack.” The asking price was aggressive and the PE fund’s investment committee had already approved a preliminary bid.

Then they called us.

The fund’s managing partner had been burned once before, in a portfolio company acquisition where the technology turned out to be far more fragile than the pitch deck suggested. This time, he wanted a pre-bid technical due diligence. Not a post-acquisition cleanup. Not a quick architecture review. A proper, pre-commitment assessment of what the code was actually worth.

What We Found

We deployed a three-person team (a senior technical architect, a security and compliance specialist and a DevOps infrastructure analyst) for an 18-day engagement. What we uncovered wasn’t in the information memorandum.

Finding 1: Unaudited Third-Party Data Integrations

The platform’s credit decisioning engine pulled data from four external sources: two credit bureaus, a bank statement analyser and a government identity verification API. Three of these four integrations were operating on expired or lapsed service agreements. The contracts had either terminated during the company’s financial distress or contained change-of-control clauses that would void them upon acquisition.

More critically, the data-sharing arrangements with the credit bureaus had never been formally audited for compliance with RBI’s Digital Lending Guidelines (originally issued in 2022 and substantially tightened through the 2025 Directions). The platform was pulling borrower data through API endpoints that had been set up in 2020, before the current regulatory framework existed, and nobody had revisited the consent architecture, data localisation requirements, or the mandatory audit trail that the RBI now requires.

The platform was also sharing certain borrower data fields with an analytics vendor based outside India without explicit, need-based borrower consent as required under the Digital Personal Data Protection Act, 2023 (DPDP Act). This wasn’t a hypothetical compliance gap. It was an active violation that the acquirer would inherit on Day 1.

🚨 Risk Quantification

Estimated regulatory liability: ₹3–4 Cr in potential penalties and mandatory remediation costs to bring data integrations into compliance with RBI’s 2025 Directions and the DPDP Act.

Estimated re-contracting cost: ₹60–80 lakhs to renegotiate lapsed service agreements with credit bureaus and API providers with no guarantee that all providers would agree to new terms.

Finding 2: Licensing Gaps in Core Platform Dependencies

The loan management system relied on a commercial workflow orchestration engine that was licensed under a per-seat enterprise agreement. That agreement was tied to the original company entity and was non-transferable. The vendor’s standard terms included a change-of-control clause that would require a new licence negotiation post-acquisition, at current market rates, which had increased roughly 2.5x since the original deal was signed.

Additionally, we found that the credit scoring models used a statistical modelling library that was licensed under a dual-licence scheme: free for open-source use, but requiring a commercial licence for proprietary deployment. The company had been using the open-source version in a commercial product for over two years without ever purchasing the commercial licence. This wasn’t a grey area; it was a straightforward licensing violation that exposed the acquirer to legal action from the library’s maintainers.

🚨 Risk Quantification

Workflow engine re-licensing: ₹1.2–1.5 Cr at current vendor pricing, plus 3–4 months of migration effort if the vendor declined to re-licence.

Statistical library compliance: ₹30–50 lakhs for back-payment plus ongoing annual licence, or 4–6 months of engineering time to replace the library.

Finding 3: Infrastructure That Wouldn’t Survive a Compliance Audit

The platform was running on a cloud infrastructure setup that pre-dated the RBI’s data localisation mandates for payment system operators. Certain borrower data was being processed through a cloud region outside India, a clear violation of the storage requirements that the RBI has enforced since 2018 for payment system data and reinforced through the 2025 Digital Lending Directions.

The CI/CD pipeline had been inactive for four months. The last deployment had been done manually by the former CTO, who had resigned six months earlier. The staging environment was out of sync with production by over 200 commits. And the backup system? It was configured, but nobody had tested a restore in over a year.

🚨 Risk Quantification

Infrastructure remediation: ₹2–3 Cr for data migration to compliant Indian cloud regions, CI/CD pipeline reconstruction and backup verification.

Operational risk: Without a working deployment pipeline and with no CTO, the acquirer would be unable to ship product updates for an estimated 8–12 weeks post-acquisition.

The Total Picture

We presented our findings to the PE fund’s investment committee in a structured risk register, using Dextra Labs’ RCOI framework to map every finding against its deal-level impact:

Risk Category  |  Finding  |  Financial Impact  |  Timeline to Remediate
Regulatory Compliance  |  Non-compliant data integrations; DPDP Act and RBI Digital Lending Direction violations  |  ₹3–4 Cr  |  6–9 months
Licensing  |  Lapsed vendor agreements; unlicensed commercial library usage  |  ₹1.5–2 Cr  |  3–6 months
Infrastructure  |  Data localisation violations; broken CI/CD; untested backups  |  ₹2–3 Cr  |  4–8 months
Key-Person Risk  |  CTO departed; no documentation of deployment process or architecture decisions  |  Indirect (delays + hiring)  |  Immediate

Total estimated hidden cost: ₹7–12 Cr in remediation, re-licensing, compliance rectification and operational stabilisation, on top of the acquisition price. Against the asking price, this would have wiped out the fund’s projected ROI for the first three years.

The Outcome

The PE fund didn’t walk away from the deal entirely. But they did something that would have been impossible without the pre-bid tech DD: they renegotiated.

Armed with our risk register and cost estimates, the fund’s deal team went back to the resolution professional with a revised bid that was ₹8 Cr lower than their original offer, with the specific remediation items attached as justification. The bid was accepted. The fund acquired the asset at a price that accounted for the actual technology risk, not the aspirational description in the information memorandum.

Post-acquisition, the fund engaged Dextra Labs for a 90-day technology stabilisation programme. We rebuilt the CI/CD pipeline, migrated the non-compliant data flows to Indian cloud regions, renegotiated the lapsed vendor contracts and helped recruit a replacement CTO. Six months in, the platform was back to processing loan applications, this time on a compliant, auditable foundation.

Impact Summary:

₹12 Cr in hidden tech liability identified before the bid was finalised
Bid repriced by ₹8 Cr downward based on documented remediation costs
90-day stabilisation programme restored operational capability on a compliant foundation
Fund’s ROI model preserved by pricing the deal correctly from the start
