Management

What Bank Boards Aren’t Asking Before They Sign

Deal activity is returning, but the frameworks used to evaluate technology assets aren’t keeping pace.

Aaron Cheiffetz is Executive Strategist and Field CIO of Financial Services for CDW. Find him on LinkedIn.

Bank merger activity is picking up again. A more permissive regulatory climate, narrowing valuation gaps and pent-up demand are bringing boards back to the table. For many institutions, the case for consolidation is clearer than it has been in years, particularly as banks look to scale investments in areas such as digital transformation and cloud-based infrastructure.

But one part of the deal process hasn’t kept up.

Most due diligence frameworks still treat technology as an integration issue: Can systems connect? What will core conversion cost? Are there cybersecurity risks? These are important questions, but they’re no longer enough. Today, the bigger issue is whether the software-driven economics inside a target institution will actually hold up over time — a challenge that mirrors broader concerns around aligning IT strategy with business outcomes.

That’s a different kind of risk — and one many boards aren’t fully accounting for.

Click the banner below to sign up for our newsletter and receive more business IT insights.

Software value is shifting unevenly. Some assets remain highly defensible, while others are proving far more fragile than their pricing once suggested. This shift is already showing up in vendor stacks and fee-based revenue streams, especially as organizations reassess their use of cloud platforms and data-driven services. Yet it’s often invisible in traditional diligence models and financial statements.

Two software platforms can look identical on paper. Both may show recurring revenue and appear deeply embedded in operations. But one may be durable, while the other relies on legacy inertia that’s starting to erode. The difference usually comes down to control — specifically, who owns the workflow — a distinction that’s becoming clearer as banks adopt more complex hybrid and multicloud environments.

Platforms anchored in proprietary data, embedded compliance processes or high switching costs tend to retain value. For example, systems tied closely to regulatory reporting or credit decisioning often become core to operations. Replacing them introduces risk, which reinforces their staying power — much like the role cloud platforms now play in enabling scalable, resilient development environments.

By contrast, many point solutions were never built for long-term defensibility. They automate narrow tasks, often priced per user, and succeeded when alternatives were limited. As artificial intelligence-driven tools become more capable, those solutions are easier to replicate or bypass. What once looked like stable revenue may turn out to be far more exposed, particularly as the relationship between cloud and AI continues to evolve, as explored in cloud-ready AI strategies.

EXPLORE: Why is automation the key to smarter operations?

Why Traditional IT Due Diligence Falls Short in Bank M&A

This is where traditional diligence falls short. It’s designed to identify integration challenges — not competitive fragility.

For boards, this isn’t a technical detail. It’s a governance issue.

Approving a transaction means validating assumptions about earnings durability and operational resilience. If part of that value depends on software, directors should be asking a simple but critical question: At what point does this margin compress if the underlying technology becomes a commodity?

That question belongs in diligence — not after the deal closes.

Many teams aren’t ignoring this risk. Their frameworks were built for a different era, when technology issues surfaced after closing. Today, technology durability directly affects valuation before a deal is signed. As organizations rethink their approach to cloud adoption, they’re also recognizing the importance of planning cloud migration strategically from the outset.

At the same time, IT leaders are under pressure to manage increasingly complex environments in which integration is only part of the challenge. Visibility, governance and collaboration across platforms are becoming just as important as connectivity itself, particularly in multicloud operating models.

Click the banner below to learn how organizations are unlocking artificial intelligence’s potential.

Key Questions Bank Boards Should Ask About Technology Value

Boards should expect deal teams to address four areas:

Map AI substitution risk. Identify which parts of the business rely on software categories that may be disrupted or commoditized and whether the underlying contracts allow the acquiring institution to restructure its cost base if a vendor’s pricing power weakens. This analysis requires input from technology leadership, not only legal and finance.
Separate technology-dependent revenue. A fee stream attached to a service model the institution controls is a fundamentally different asset than one that depends on a third-party platform it cannot easily replace or renegotiate. That distinction belongs in the valuation model, not in a post-close integration memo.
Look beyond headline retention metrics. A vendor may retain most of its accounts while quietly losing depth and relevance inside those relationships. That trajectory rarely surfaces in summary churn data, but it matters considerably when the acquired earnings depend on that vendor layer remaining intact and competitively positioned.
Answer build-vs.-buy early. If a capability that once required ownership or a dedicated vendor relationship can now be accessed more cheaply through emerging tooling, the board should know that while valuation is still being negotiated. Discovering it 12 months after close does not reopen the purchase price.

The strongest acquirers in this cycle won’t just move quickly. They’ll ask better questions.

The real risk is no longer just whether a target can be integrated. It’s whether parts of that business are already losing value in ways traditional diligence wasn’t designed to catch — particularly as institutions adapt to broader shifts in cyber resilience and risk management.

This article is part of BizTech's EquITy blog series.