To read or download the article, please click the following link.
Phase 3: Deep-Dive Review — Where Legal Due Diligence Becomes Deal Craft
In any buyer-side M&A, Phase 0 sets the machine, Phase 1 defines the thesis, Phase 2 brings in the information. But Phase 3 is where you actually earn your keep. It’s where documents stop being “uploads” and become evidence, risk, and—most importantly—deal leverage.
Many junior lawyers think Phase 3 is “reading everything.” That is not diligence; that is document consumption. Phase 3 is a disciplined process: you read with a thesis, extract facts in a repeatable way, evaluate impact, and translate findings into actions the buyer can use in the SPA/APA and the closing plan.
The purpose is simple and non-negotiable:
- create a defensible factual record (what exists, what it says, what’s missing);
- build a risk view (impact and probability); and
- convert both into deal actions (price, CPs, covenants, indemnities, escrows, and integration fixes).
If you run Phase 3 properly, you can build a red-flag memo almost directly from your Issue Register. If you run it poorly, you will spend the last week before signing rewriting everything—under pressure, with gaps, and with avoidable mistakes.
The Phase 3 mindset: you are not summarising, you are engineering a transaction
One line should guide your work every day in Phase 3:
Your job is not to summarise documents. Your job is to identify what can go wrong—and how the buyer can fix it in the deal.
That means every review must connect to at least one of the buyer’s Thesis Questions and at least one of the buyer’s crown jewels (contracts, licenses, IP, land, data, brand, or key people). When a document does not answer a thesis question, you do not “go deep” by default. You either (i) classify it as lower priority, or (ii) extract only what’s needed to confirm it’s irrelevant.
A universal method: how to review any document in Phase 3
Whether you are reading a facility agreement, a software licence, a labour CBA, or an environmental permit, the method stays the same. Juniors often ask, “How do I know what to look for?”—the answer is: follow the steps and the issues reveal themselves.
Step 1 — Identify what the document is doing.
Start with the function. Is it creating rights, imposing obligations, restricting transfer, or allocating liability? Capture parties and capacity (who signed and as what), effective date, term, renewal, governing law, and dispute forum. A contract you can’t place in context is a contract you can’t evaluate.
Step 2 — Extract metadata into the schedule (for anything material).
This is where Phase 3 becomes professional. You capture: Doc ID and filename, signing entity, counterparty, value, term/renewal/termination, assignment/COC position, any security/lien implications, operational must-dos (SLAs, audits, reporting), and unusual risk clauses (indemnities, penalties, caps, warranties, limitation of liability). If you skip metadata, your “analysis” will never be consistently actionable.
Step 3 — Read with a thesis question in mind.
Ask yourself—explicitly—what thesis question this document answers. Does it protect or threaten a crown jewel? Does it create a closing blocker (consent, filing, regulatory approval)? Does it create economic drag (hidden rebates, penalties, under-pricing, step-ups)? When you read without a thesis, you miss what matters and over-weight what doesn’t.
Step 4 — Write the finding in the Issue Register immediately.
This is the habit that separates strong deal lawyers from “review lawyers.” Every issue must contain: (i) the fact (what it says), (ii) why it matters (impact on closing/value/operations), (iii) evidence (Doc ID + clause/page), (iv) a proposed lever (price, CP, covenant, indemnity, escrow, R&W, integration action), and (v) the next step (Q&A, missing doc request, registry check, rewrite request). If you can’t propose a lever, you haven’t completed the thought.
Step 5 — Decide Green / Amber / Red, and justify it.
Green is standard/no meaningful impact. Amber is fixable/manageable. Red is a deal-stopper or a high-probability/high-impact exposure that you can’t fix pre-close at acceptable cost. Most mistakes happen when juniors mark everything “Amber” because they fear being wrong. The right standard is not “what looks scary,” but “what changes the deal.”
Step 6 — Escalate early—especially Reds.
A Red should be escalated within 24 hours with two things: a clear explanation and at least one mitigation path. Seniors don’t want surprises; buyers don’t forgive late surprises.
Workstreams in Phase 3: how to apply the method across the company
Phase 3 is not one monolith. It is multiple parallel reviews, each with its own outputs, typical traps, and deal levers. A good team runs them consistently, but not identically.
A. Corporate, cap table, governance, group structure
Corporate diligence is about one question: can the seller deliver clean title and authority to close?
In Phase 3, you are not “reading charters.” You are building a group structure chart, a cap table schedule (equity, options, convertibles, warrants, ESOP), an authority pack (who can sign and what approvals are required), and an encumbrances summary (pledges/charges).
The deeper skill is to hunt for “hidden control” and “leakage”—supermajority reserved matters, veto rights, ROFR/ROFO, drag/tag mechanics, negative covenants, and informal equity promises outside formal plans. Convertibles are a classic DD landmine: maturity, default triggers, conversion mechanics, valuation caps, MFNs, and any rights that change the economics at closing.
Red flags in corporate DD are rarely dramatic—but they are fatal: missing approvals, defective issuances or transfers, unclear beneficial ownership, security over shares blocking transfer, and option acceleration that blows up the buyer’s model.
Deal levers are straightforward: CPs for clean-up and releases, special indemnities for title/cap table defects, escrows/holdbacks tied to releases/ratifications, and purchase price adjustments for acceleration and debt-like items.
B. Material contracts
Contracts diligence answers the question: what is the business actually made of, and can the buyer keep it after closing?
Juniors often start with “what the contract says.” Start instead with a structure: business terms, risk allocation, control/exit, and enforceability. For each material contract, produce a schedule and a consent tracker, and extract a “key clauses table”: scope, pricing/rebates, exclusivity/MFN, SLAs, warranties, indemnities, limitation of liability, term/renewal, termination (cause and convenience), assignment/COC, audit rights, subcontracting limits, governing law, forum/arbitration, and survival.
What separates high-quality Phase 3 work is spotting the silent killers: termination for convenience, short renewal windows, unilateral price changes, broad audit rights, or customer SOW language that quietly transfers ownership of deliverables to the customer. Combine those with customer concentration and you have a real value risk.
Red flags include major revenue contracts terminable on short notice, COC triggers requiring hostile consents, non-assignability for critical contracts, and cross-defaults in financing triggered by the acquisition.
Deal levers are the classic toolkit: CPs for consents/novations, covenants to preserve relationships and avoid pre-close triggers, price chips or earn-outs where retention is uncertain, and special indemnities for undisclosed rebates, penalties, or audit liabilities.
C. IP, technology, software, and open-source
This is where many deals win or die silently. The key question is: does the target own what it thinks it owns, and is it free to operate and keep shipping?
Your outputs should be tangible: an IP register with status and owner, a chain-of-title file (assignments from founders/employees/contractors), inbound/outbound licence schedules, and an OSS/SBOM/code scan summary if it’s a software business.
The review discipline is to separate four buckets: ownership, inbound rights, outbound monetisation, and open-source compliance. Pay particular attention to contractor-created code and “customer owns deliverables” clauses in SOWs. If AI is in scope, the modern equivalent of chain of title is data provenance and usage rights.
Red flags are clear: missing assignments, copyleft exposure in shipped products without compliance, core IP owned by individuals or affiliates outside the perimeter, and non-transferable inbound licences essential to operations.
Deal levers tend to be surgical and strong: CPs to obtain/record assignments and cure OSS gaps, special IP/OSS indemnities, escrows tied to title perfection, and covenants to implement scanning and governance post-close.
D. Privacy, data protection, and cybersecurity
Privacy/cyber diligence is not a policy review. It answers one question: can the buyer legally use and safely hold what it is buying—especially the data—and what is the incident risk profile?
Your required outputs include a data map summary (types/purposes/locations/transfers), a vendor list with DPAs/security terms, an incident summary (breaches, near misses, ransomware, regulator contacts), and a control-maturity snapshot (policies, IAM, IR plan).
Approach the review in three layers: lawful processing/transparency (does notice match reality?), cross-border transfers (mechanism and localisation constraints), and security posture (controls, IR plan, testing, insurance).
A recurring Phase 3 mistake is ignoring deal intent: if the buyer plans database merging or cross-sell, your review must assess whether that is lawful post-close. That is the difference between “compliance” and “deal viability.”
Red flags include material breach history without remediation, missing DPAs for key processors, weak access controls (no MFA, shared accounts), and inability to transfer or repurpose data lawfully.
Deal levers often combine pre-close and post-close actions: CPs or covenants to implement controls and complete audits, holdbacks tied to remediation, special indemnities for known incidents/investigations, and targeted reps with tight disclosure schedules.
E. Employment, benefits, labour, immigration
Employment diligence is not a headcount list—it is an exposure and transfer analysis: what liabilities exist, and can the buyer keep the people and legally transition them?
Your outputs should be structured: headcount schedule by entity/role/location with key persons flagged; CIC/vesting summary for executives and equity plans; benefits/accrued liabilities summary; union/works council consultation plan where applicable.
Review through the lens of classification (employee vs contractor), compensation liabilities (bonus/commission/severance/accruals), collective arrangements (CBAs and consultation obligations), transfer-of-undertakings regimes, and immigration.
Red flags include automatic CIC vesting/severance that changes the economics, unresolved labour disputes, benefits or payroll compliance gaps, and consultation duties ignored that can delay closing or trigger penalties.
Deal levers usually include CPs to complete consultations and secure key-person retention, price adjustments for accruals and CIC costs, indemnities for pre-close employment claims/misclassification, and carefully drafted covenants on pre-close changes (without triggering control/gun-jumping issues).
F. Real estate
Real estate diligence is about continuity: will the buyer control the sites it needs, and can it legally use them?
Your outputs: property schedule (owned/leased, use, term, rent, options), title/encumbrances summary, and lease consent/COC summary.
For owned properties, review title, mortgages/charges, zoning/land-use, building permits, occupancy certificates, and easements/rights of way. For leases, focus on assignment/subletting restrictions, landlord consents, term/renewals/breaks, rent escalation, CAM, and handback obligations.
Red flags include non-transferable leases for critical sites, use in breach of zoning/permit, and undisclosed liens or title disputes.
Deal levers are typically CPs for consents and lien releases, escrows for restoration/disputes, and special indemnities for title defects or illegal use.
G. Environmental, health, safety (EHS)
EHS diligence answers the question: are there legacy liabilities or compliance gaps that can cost heavily or shut down operations?
Outputs should include a permit register, notices/enforcement summary, incident/spill/accident summary, and remediation obligations schedule.
Review permits for validity, scope, renewal, and transferability; check inspection reports and corrective actions; validate waste handling documentation; assess worker safety records and training logs.
Red flags are the hard ones: known contamination without funded remediation, repeated serious accidents, or operating without required permits.
Deal levers often involve escrows sized to remediation cost, special environmental indemnities, and CPs for permits/renewals/transfers and remediation milestones.
H. Regulatory and licensing
In regulated businesses, this workstream can be the deal’s spine. The question is simple: is the target legally permitted to operate now, and will it remain permitted after closing?
Outputs: a license inventory (issuer, holder entity, expiry, renewal, transfer/COC rules), regulator correspondence summary, and an ownership cap/fit-and-proper analysis where relevant.
The review requires discipline: identify regulated activities independently; confirm required approvals and conditions; check transferability/COC triggers and timelines; analyse inspection/enforcement history.
Red flags include non-transferable core licences, ongoing investigations or serious notices, wrong-entity licence holding, and expiring licences with uncertain renewal.
Deal levers include CPs (or split closings) for approvals, covenants to maintain compliance and renewals pre-close, and special indemnities for known gaps.
I. Competition, merger control, foreign investment
This is not just filing mechanics—it is closing feasibility and remedy risk. The output should be a filing matrix, overlap summary, and clean team boundaries for competitively sensitive data.
Review turnover/sales/assets data needed for thresholds, identify sensitive sector triggers, and document competitor relationships and information-sharing risks.
Red flags are obvious but frequently missed: mandatory filings overlooked, likely Phase II or remedy risk, and foreign investment sensitivities (data, telecom, defence, critical infrastructure).
Deal levers include risk allocation clauses (remedy cooperation, reverse break fees, hell-or-high-water), long-stop adjustments, and carve-out/divestment rights if remedies are required.
J. Sanctions, export controls, trade compliance
The question is: are we inheriting a sanctions/export problem that becomes the buyer’s enforcement exposure?
Outputs: compliance program summary, high-risk counterparties list, and export classification/restricted item summary where relevant.
Review policies, training, screening logs; check high-risk geographies and end-use/end-user controls; identify government inquiries or blocked transactions.
Red flags include evidence of restricted-party dealings, no screening process, and controlled products shipped without classification discipline.
Deal levers: special indemnities and remediation covenants, CPs to terminate prohibited relationships, and post-close compliance uplift with audits.
K. Anti-bribery, corruption, AML, compliance culture
This is “integrity DD”: a small issue can become catastrophic. Outputs should include an intermediary map, government touchpoints summary, and investigations/whistleblowing log.
Review policies, registers, third-party due diligence files, and agent contracts (commission rates, scope, audit, termination). Interface with finance to spot unusual payment structures.
Red flags: unvetted agents in high-risk markets, large commissions with vague scope, internal allegations not investigated, and missing whistleblowing processes.
Deal levers: special indemnities for known investigations, covenants to upgrade compliance and terminate high-risk third parties, and escrows tied to clean audit outcomes.
L. Litigation, disputes, investigations
The question: what is the real exposure, and could it stop the business?
Outputs: disputes schedule (forum, amount, status, next dates, counsel view), settlement obligations summary, and regulatory investigations summary.
Review pleadings, key orders, settlements, and correspondence; assess injunctive risk; detect patterns (repeated claims).
Red flags: injunction risk affecting operations, criminal investigations or debarment exposure, and large contingent liabilities not managed.
Deal levers: special indemnities and escrow, CPs to settle or dismiss specific matters, and price adjustments for quantified expected losses.
M. Insurance
Insurance DD is a reality check: is the risk insured, and will coverage follow the deal?
Outputs: coverage map (limits/deductibles/exclusions/insureds), claims/denials history, and COC/assignment restrictions.
Pay attention to gaps (cyber, product, environmental), claims-made retro dates, and whether coverage continues post-closing.
Red flags: material uninsured exposures and major claims denied due to exclusions.
Deal levers: covenants to maintain cover to closing, Day 1 replacement plan, and price/escrow for known gaps.
N. Tax-legal interface
Even if tax advisers lead the modelling, legal DD must identify legal documents that create tax exposure or change economics.
Outputs: tax-risk pointers list (with evidence), intercompany agreement schedule, and tax sharing/indemnity review.
Look for tax gross-ups, PE risk in agency structures, transfer pricing signals (related party fees), and tax indemnities owed to prior owners.
Red flags: undocumented intercompany flows, inherited tax indemnities, pending audits with large exposure.
Deal levers: tax indemnities and escrow, pre-close restructuring CPs (if feasible), and tight disclosure schedule discipline.
O. ESG and human rights supply chain diligence
ESG DD is increasingly contractual and regulatory. The question: does the target’s supply chain and practices create legal/commercial exposure the buyer cannot carry?
Outputs: supplier code and audit program summary, high-risk supply chain map, claims/allegations summary and remediation actions.
Red flags: no supplier standards in high-risk categories, unresolved forced labor/environmental allegations, and customer contracts with ESG warranties the target cannot meet.
Deal levers: covenants to implement programs and audits, special indemnities for known allegations, and customer/commercial mitigation plans.
The “focus dial”: Phase 3 is universal, but emphasis shifts by deal reality
A sophisticated DD team does not treat every company the same. You must ask: what is the buyer really buying?
- If the deal is IP/software-heavy, your highest effort goes to chain of title, OSS posture, inbound licences, customer IP clauses, and data rights.
- If the deal is regulated, licences and regulator correspondence become the critical path; transferability and ownership caps may decide closing.
- If the deal is real estate/asset-heavy, title, encumbrances, zoning, environmental legacy, and lease COC restrictions dominate.
- If the deal value is customer-concentration, the top customer contracts and termination/COC mechanics are your “value protection.”
- If it’s an asset deal, focus on transfer mechanics (novation/assignments, permits, employees, IP) and stranded liabilities. If it’s a share deal, focus on hidden liabilities inside the box.
This is not theory. It is how you avoid spending 30% of your time on documents that contribute 3% of the deal outcome.
Quality control: how seniors keep Phase 3 reliable (and defensible)
Phase 3 fails most often due to process problems, not legal ignorance. A senior-led team runs quality gates that prevent predictable errors.
Two-pass review for Priority A documents.
Pass 1: the junior extracts and logs issues. Pass 2: the senior verifies the key clauses and the proposed deal levers. This is how you avoid “we missed the one clause that mattered.”
Evidence standard.
Every Amber/Red must cite Doc ID and clause/page. No “it seems” without evidence. If evidence is missing, the issue becomes an “Information Gap” with a request logged.
Consistency checks across systems.
Corporate: cap table vs share register vs ESOP vs financial statements.
Contracts: schedule vs executed agreement and amendments.
IP: registry owner vs internal schedule vs assignments.
Privacy: notice vs data map and vendor DPAs.
No orphan issues.
Every Amber/Red has an owner and a next step. If not, it will not get solved.
When Phase 3 is “done”: the exit checklist that protects you
You can say Phase 3 is complete only when these are true:
- Priority A documents are reviewed and scheduled.
- Consent and filing needs are identified with realistic timelines.
- Issue Register contains RAG and proposed levers for every Amber/Red.
- Missing critical information is clearly listed as “Information Gaps” and requested.
- Senior verification is complete for all Reds.
- A draft red-flag memo outline can be produced from the Issue Register without rewriting facts.
If you cannot generate a red-flag memo from your register, you do not have Phase 3 output—you have Phase 3 activity.
Closing coaching cues (the rules I want juniors to internalise)
Phase 3 is where you build your professional habit set. The best juniors are not those who read fastest; they are those who think in a deal format.
Keep these lines close:
- Always answer three questions: what does it say, why does it matter, what do we do about it?
- Be precise and boring. Precision beats eloquence in DD.
- Separate facts from judgment. First line: what the document says. Second line: why it matters.
- Escalate early with options. A Red without a mitigation idea is not a professional escalation.
- Write for the SPA. If it cannot become a rep, covenant, CP, indemnity, escrow, or integration action, your finding is incomplete.
