Legal Due Diligence Checklist for M&A Transactions in India

The Purpose and Scope of Legal Due Diligence

Legal due diligence is the systematic investigation of a target entity's legal affairs conducted by a potential acquirer, investor, or merger counterparty before a transaction is consummated. Its primary function is to identify legal risks that are not apparent from the financial statements or the representations of the target's management — and to do so early enough that those risks can be priced into the transaction, addressed through transaction documentation, or, where they are sufficiently serious, used as grounds to renegotiate or withdraw.

In the Indian M&A context, legal due diligence is particularly important because the regulatory environment is multi-layered, sector-specific approvals are frequently required, and historical compliance gaps — particularly in FEMA filings, labour law compliances, and environmental clearances — are common even in well-managed businesses. A Delhi NCR-based acquirer evaluating a target in the logistics, real estate, or healthcare sector will encounter a range of regulatory and statutory obligations that require specialist review beyond standard corporate due diligence.

Corporate and Constitutional Diligence

The corporate diligence workstream verifies that the target exists as it represents itself and that its governance structure is clean. The documents to be reviewed include: Certificate of Incorporation, Memorandum of Association and Articles of Association (including all amendments); DIN records and disqualification searches for all current and recent directors; all board resolutions and shareholders' resolutions from incorporation (or, for established companies, from a reasonable look-back period of five to seven years); all shareholder agreements, subscription agreements, side letters, and letters of intent that remain in force or that create continuing obligations; register of members and register of beneficial owners under Section 90 of the Companies Act 2013; all share transfer instruments, transmission documents, and court orders affecting share capital; and NCLT orders, CLB orders, or other regulatory orders affecting the company's corporate status or governance.

A search of the MCA21 portal will reveal all ROC filings, charges registered against the company's assets, and any default notices. A search of the National Company Law Tribunal's cause list and the CBI and ED databases will identify any insolvency, fraud, or money laundering proceedings. For companies that have received foreign investment, FEMA compliance diligence is a non-negotiable component of corporate diligence.

Regulatory and Licensing Diligence

Every business operates under a set of regulatory licences, permits, and approvals without which it cannot legally carry on its activities. The due diligence exercise must identify all such licences, verify their validity, check their transferability (many licences are non-transferable and will need to be re-obtained after a change of control), and assess whether the target is in compliance with the conditions attached to each licence.

The scope of regulatory diligence varies significantly by sector. For a financial services company, it will include RBI registration certificates, SEBI registrations, payment aggregator licences, and insurance broker licences. For a manufacturing company, it will include factory licences, pollution control board consent to establish and consent to operate, explosive licences, and drug manufacturing licences. For a real estate developer in Delhi NCR, it will include RERA registration, environmental clearances under the Environment Impact Assessment Notification, and municipal building plan approvals.

IP, Employment, and Litigation Workstreams

Three workstreams that frequently generate high-risk findings — and that require specialist expertise beyond general corporate law — are intellectual property chain of title, employment and ESOP diligence, and litigation mapping.

IP Chain of Title Diligence

The IP diligence exercise must verify that the target owns — not merely uses — the intellectual property that is central to its business. For a technology company, this means reviewing: all patent filings and their assignment history; all trademark registrations and any opposition or cancellation proceedings; all software development agreements, freelancer agreements, and open-source licence compliance records; employment contracts for key technical employees to verify IP assignment clauses; and any IP licences received from third parties, with particular attention to change-of-control provisions that may terminate the licence upon acquisition.

A common finding in technology company diligence in India is that software developed in the early stages of the company's history was created by founders or early employees without a formal IP assignment to the company. This creates a gap in the chain of title that must be remedied before closing — typically by obtaining an assignment deed from the relevant individuals. If those individuals are no longer accessible or cooperative, the gap may require a warranty and indemnity mechanism in the transaction documentation.

Employment and ESOP Diligence

Employment diligence covers: a review of the standard employment contract and any deviations for key employees; all service agreements with the KMP including notice periods, non-compete restrictions, and IP assignment obligations; ESOP scheme documentation including the ESOP plan, all grant letters, vesting schedules, exercise prices, and the cap table impact of full vesting and exercise; historical and current PF, ESIC, and professional tax compliance; compliance with the applicable state Shops and Establishments Act (the Delhi Shops and Establishments Act 1954 for NCT of Delhi, the Haryana Shops and Establishments Act for Gurgaon, and the UP Shops and Establishments Act for Noida); gratuity liability calculation and funding status; and any pending or threatened employment disputes.

The Labour Codes — the Code on Wages, 2019; the Industrial Relations Code, 2020; the Code on Social Security, 2020; and the Occupational Safety, Health and Working Conditions Code, 2020 — have been passed by Parliament but remain pending state notification. The compliance review must address both the legacy labour statutes (which remain in force pending Code notification) and the organisation's readiness for Code implementation.

Litigation and Arbitration Mapping

The litigation workstream requires a complete inventory of all current and threatened legal proceedings in which the target is a party — as plaintiff, defendant, respondent, petitioner, or intervener. This includes civil suits, writ petitions, criminal complaints, consumer forum proceedings, regulatory investigations, tax demands under assessment or appeal, GST disputes, customs and DGFT proceedings, and any arbitrations whether domestic or international.

Each proceeding must be assessed for: the quantum of claim or demand; the probability of an adverse outcome based on legal merits; the likely timeline to resolution; and whether the matter constitutes a contingent liability requiring disclosure in the financial statements. The aggregate of unprovisioned litigation liabilities is a key number in transaction pricing; acquirers typically seek a litigation warranty backed by indemnity for undisclosed proceedings.

FEMA, Environment, and Data Privacy Diligence

FEMA Compliance Diligence

Any target that has received foreign investment — whether as FDI in equity shares, compulsorily convertible instruments, or through an FPI — requires FEMA compliance diligence. The key filings to verify are: Form FC-GPR (advance reporting and allotment reporting for fresh FDI); Form FC-TRS (for secondary transfers of shares between residents and non-residents); Annual Return on Foreign Liabilities and Assets (FLA); ODI filings if the company has overseas subsidiaries or joint ventures; and any compounding applications made to the RBI for historical FEMA violations.

FEMA violations by the target do not automatically block a transaction, but they require regularisation either before or after closing. Uncompounded FEMA violations create a liability that must be disclosed to the acquirer and addressed in the indemnity provisions of the Share Purchase Agreement.

Data Privacy Diligence Under the DPDP Act

With the Digital Personal Data Protection Act, 2023 now in force, data privacy diligence has become a standard component of M&A due diligence for any target that processes personal data at scale. The diligence exercise should assess: whether the target has mapped its personal data processing activities; whether it has a lawful basis for each processing activity; whether its privacy notices are compliant with the DPDP Act's notice requirements; whether it has Data Processing Agreements with all processors; whether it has experienced any personal data breaches and, if so, how those breaches were handled; and whether there are any pending investigations by the Data Protection Board.

Red Flag Rating Methodology and Transaction Protection

The due diligence report should rate each material finding on a three-tier risk scale: High (matters that could result in termination or material re-pricing of the transaction, that involve criminal liability, or that are not capable of remedy within the transaction timetable); Medium (matters that require remedy within a specified post-closing period, that are quantifiable and can be addressed by price adjustment or indemnity, or that carry regulatory risk that can be mitigated by a consent-seeking exercise); and Low (matters that represent best practice gaps without material legal risk, or immaterial deviations from contractual standards).

Transaction protection mechanisms that address due diligence findings include: representations and warranties in the SPA backed by an indemnity for breach; warranty and indemnity insurance, which has become standard in private equity transactions above a threshold size; a deferred consideration mechanism under which a portion of the purchase price is held back pending satisfaction of post-closing conditions; an escrow arrangement under which the holdback amount is deposited with an escrow agent; a material adverse effect clause that permits the acquirer to walk away if a specified category of adverse event occurs between signing and closing; and specific indemnities for identified high-risk items that fall outside the scope of the general representations and warranties.

Due Diligence Checklist: Key Action Points

• Establish a virtual data room before beginning diligence and populate it with the full document list before the acquirer's counsel commences review — incomplete document production is the single largest cause of due diligence delay.
• Conduct MCA21, court record, and ED/CBI searches in parallel with document review; do not rely solely on the target's self-disclosure.
• Verify all statutory registers against the MCA21 filing history — discrepancies between the physical register and the ROC filings indicate historical compliance gaps.
• Review all SHA and SSA change-of-control provisions before signing the term sheet; many investor agreements require consent to an acquisition and carry pre-emption rights on share transfer.
• Obtain a FEMA compliance certificate from the target's statutory auditor or a FEMA specialist; do not rely on management representations alone.
• Conduct a cap table analysis that models the fully diluted equity position after ESOP vesting, warrant exercise, and anti-dilution adjustments.
• Map all regulatory licences for transferability; budget sufficient time pre-closing for non-transferable licences to be re-obtained.
• Size the litigation reserve based on the probability-weighted outcome of all pending proceedings, not merely on the amount at which proceedings are provisioned in the accounts.
• Incorporate DPDP Act compliance status as a standard due diligence workstream for all targets processing personal data.
• Negotiate specific indemnities for all High-rated findings; do not attempt to price unquantifiable regulatory risk into a general purchase price reduction.