Fiserv Inc.: 10-K Risk Factor Changes

Our businesses are subject to state, federal, and foreign laws and regulations, including payment, cybersecurity, consumer protection, money transmission, data privacy, anti-money laundering, anti-bribery, economic and trade sanctions, payment institution, electronic money licensing, credit reporting and debt collection laws and regulations. Our clients are also subject to numerous laws and regulations applicable to banks, financial institutions and card issuers in the U.S. and abroad, and, consequently, we are at times affected by these federal, state, local and foreign laws and regulations. These laws and regulations are subject to change, and new laws, regulations and interpretations are regularly adopted. The volume and complexity of the regulations that impact our business, directly or indirectly, will continue to increase our cost of doing business. If we or third parties with whom we partner or contract fail to comply with applicable laws and regulations, we could be exposed to litigation or regulatory proceedings, our client relationships and reputation could be harmed, our ability to obtain new clients could be inhibited, we could be required to change the manner in which we conduct our business or suspend or terminate certain services, and we could incur significant fines, penalties, or losses, all of which could have a material adverse impact on our business, results of operations and financial condition.

Our businesses are subject to state, federal, and foreign laws and regulations, including payment, cybersecurity, consumer protection, money transmission, data privacy, anti-money laundering, economic and trade sanctions, payment institution, electronic money licensing, credit reporting and debt collection laws and regulations. Our clients are also subject to numerous laws and regulations applicable to banks, financial institutions and card issuers in the U.S. and abroad, and, consequently, we are at times affected by these federal, state, local and foreign laws and regulations. These laws and regulations are subject to change, and new laws, regulations and interpretations are regularly adopted. We operate our business around the world, including in certain foreign countries with developing economies where companies often engage in business practices that are prohibited by laws applicable to us, including the U.S. Foreign Corrupt Practices Act and the U.K. Bribery Act. These laws prohibit, among other things, improper payments or offers of payments to foreign governments and their officials and political parties for the purpose of obtaining or retaining business. We also derive revenue from transactions involving sales to U.S. federal, state and local governments and their respective agencies, and are subject to various procurement laws, regulations, and contract provisions relating to those contracts. We have implemented policies and training programs to comply with applicable laws, regulations and obligations; however, there can be no assurance that all of our employees, consultants and agents will comply with our policies and all applicable laws and any noncompliance could subject us to fines, penalties and loss of business. The volume and complexity of the regulations that impact our business, directly or indirectly, will continue to increase our cost of doing business. If we or third parties with whom we partner or contract fail to comply with applicable laws and regulations, we could be exposed to litigation or regulatory proceedings, our client relationships and reputation could be harmed, our ability to obtain new clients could be inhibited, we could be required to change the manner in which we conduct our business or suspend or terminate certain services, and we could incur significant fines, penalties, or losses, all of which could have a material adverse impact on our business, results of operations and financial condition.

The markets for our products and services are characterized by constant and rapid technological change, evolving industry standards, frequent introduction of new products and services, and increasing client expectations. Our ability to respond timely to these changes, including by enhancing our current products and services and developing and introducing new products and services, will significantly affect our future success. In addition, the success of certain of our products and services rely, in part, on financial institutions, business partners and other third parties promoting the use of or distributing our products and services. If we are unsuccessful in developing, marketing and selling products or services that gain market acceptance, or if third parties insufficiently promote or distribute our products and services, it would likely have a material adverse effect on our ability to retain existing clients, to attract new ones and to grow profitably. We believe that data, and the insights enabled by data, can be used to create or enhance the products and services that we offer to our clients. As a result, we are using, and expect to continue to expand our use of, artificial intelligence and machine learning in our product development processes, services and operations. Our use of artificial intelligence technologies carries inherent risks, and there can be no assurance that our use of artificial intelligence will enhance our products or services or achieve any improvements in innovation or efficiency. In addition, we could be exposed to liability as a result of any misuse of artificial intelligence and machine learning-technology by our personnel while carrying out company responsibilities. In addition, our competitors and other third parties may incorporate artificial intelligence into their products and offerings more quickly or more successfully than us, which could impair our ability to compete effectively and adversely affect our results of operations. If the content, analyses or recommendations that artificial intelligence applications assist in producing are or are alleged to be inaccurate, deficient or biased, our business, financial condition and results of operations may be adversely affected. Furthermore, the integration of third-party artificial intelligence models with our services relies on certain safeguards implemented by the third-party developers of the underlying artificial intelligence models, including those related to the accuracy, bias and other variables of the data, and these safeguards may be insufficient. Legislation and regulations governing the development or use of artificial intelligence have been implemented or are under consideration in the U.S. at the state and local level, as well as internationally. Such legislation and regulations may impose obligations related to our development, offering, and use of artificial intelligence and expose us to increased risk of regulatory enforcement and litigation. As a result, the ability to use artificial intelligence and machine learning may be constrained by current or future laws, regulatory or self-regulatory requirements.

The markets for our products and services are characterized by constant and rapid technological change, evolving industry standards, frequent introduction of new products and services, and increasing client expectations. Our ability to respond timely to these changes, including by enhancing our current products and services and developing and introducing new products and services, will significantly affect our future success. In addition, the success of certain of our products and services rely, in part, on financial institutions, business partners and other third parties promoting the use of or distributing our products and services. If we are unsuccessful in developing, marketing and selling products or services that gain market acceptance, or if third parties insufficiently promote or distribute our products and services, it would likely have a material adverse effect on our ability to retain existing clients, to attract new ones and to grow profitably. We believe that data, and the insights enabled by data, can be used to create or enhance the products and services that we offer to our clients. As a result, we are using, and expect to continue to expand our use of, artificial intelligence and machine learning. However, legislation that would govern the development or use of artificial intelligence is under consideration in the U.S. at the state and local level, as well as abroad. As a result, the ability to use artificial intelligence and machine learning may be constrained by current or future laws, regulatory or self-regulatory requirements.

Cybersecurity and data privacy risks have received heightened legislative and regulatory attention. In Europe and the U.K., their respective General Data Protection Regulations (collectively, “GDPR”) extends the scope of their data protection laws to all companies processing data of individuals within the E.U. and the U.K., regardless of the company’s location, subject to certain limitations. The law requires companies to meet stringent requirements regarding the handling of personal data. E.U. and U.K. data protection law continuously develops and requires significant changes to our policies and procedures. GDPR imposes strict rules on the transfer of personal data out of the E.U. or U.K. to a “third country,” including the United States, unless particular transfer mechanisms are implemented. The mechanisms that we and many other companies rely upon for such data transfers are the subject of legal challenge, regulatory interpretation, and judicial decisions. In the E.U., U.K. and other markets, potential new rules and restrictions on the flow of data across borders could increase the cost and complexity of doing business in those regions. Additionally, we are subject to the E.U. Regulation known as the Digital Operational Resilience Act (“DORA”). DORA is intended to strengthen the information technology systems of covered financial entities to mitigate risks associated with operational disruptions. Our efforts to comply with E.U., U.K. and other cybersecurity, privacy and data protection laws around the world that apply to our businesses could involve substantial expenses, divert resources from other initiatives and projects and limit the services we are able to offer. There is also increased focus on data localization requirements around the world in countries such as the United Arab Emirates, China and India which could impact our business model with respect to our storage and transfer of personal data. In addition, U.S. regulators, including the U.S. Federal Banking Agencies and the U.S. Federal Trade Commission (“FTC”) have adopted or proposed enhanced cyber and privacy security standards that apply to us and our financial institution clients and address privacy requirements for processing data of individuals, cyber risk governance and management, management of internal and external dependencies, and incident response, cyber resilience and situational awareness. The FTC and many state attorneys general are also interpreting federal and state consumer protection laws as imposing standards for the collection, use, dissemination, and security of data. Additionally, over a third of U.S. states have proposed or enacted comprehensive consumer privacy laws (such as the California Consumer Privacy Act) that have taken effect or will take effect in coming years. We 16 16 16 Table of Contents Table of Contents cannot fully predict the impact of recently proposed or enacted laws or regulations on our business or operations, but compliance may require us to modify our data processing practices and policies incurring costs and expense. Legislation and regulations on cybersecurity, data privacy and data localization may compel us to enhance or modify our systems, invest in new systems or alter our business practices or our policies on how we process personal information, data governance and privacy. If any of these outcomes were to occur, our operational costs could increase significantly. Failure to comply with applicable laws in this area could also result in significant fines, penalties and reputational damage.

Cybersecurity and data privacy risks have received heightened legislative and regulatory attention. In Europe, the General Data Protection Regulation (“GDPR”) extends the scope of the E.U. data protection law to all companies processing data of individuals within the E.U., regardless of the company’s location, subject to certain limitations. The law requires companies to meet stringent requirements regarding the handling of personal data. E.U. data protection law continuously develops and requires significant changes to our policies and procedures. We are also subject to U.K. GDPR following the U.K.’s exit from the E.U. Single Market and Customs Union. Our efforts to comply with E.U., U.K. and other privacy and data protection laws around the world that apply to our businesses could involve substantial expenses, divert resources from other initiatives and projects and limit the services we are able to offer. There is also increased focus on data localization requirements around the world in countries such as the United Arab Emirates, China and India which could impact our business model with respect to our storage and transfer of personal data. In addition, U.S. regulators, including the U.S. Federal Banking Agencies and the U.S. Federal Trade Commission have adopted or proposed enhanced cyber and privacy security standards that apply to us and our financial institution clients and address cyber risk governance and management, management of internal and external dependencies, and incident response, cyber resilience and situational awareness. Legislation and regulations on cybersecurity, data privacy and data localization may compel us to enhance or modify our systems, invest in new systems or alter our business practices or our policies on data governance and privacy. If any of these outcomes were to occur, our operational costs could increase significantly. Failure to comply with applicable laws in this area could also result in significant fines, penalties and reputational damage.

The U.S. has imposed tariffs, and may impose new or increased tariffs, on certain imports from other countries, which may lead to retaliatory tariffs imposed by other governments. If the U.S. administration or other countries impose new or increased tariffs, trade restrictions or restrictions on the cross-border flow of data, our manufacturing of hardware devices, supply of raw materials and access to certain markets, could be impacted. Although it is difficult to predict how current or future tariffs on items imported from other countries will impact our business, the cost of our products manufactured in other countries and imported into the U.S. or elsewhere could increase, which could adversely affect the demand for these products and have a material adverse effect on our business and results of operations.

The U.S. has imposed tariffs on certain imports from China, including on some of our hardware devices manufactured in China. If the U.S. administration imposes additional tariffs, or if additional tariffs or trade restrictions are implemented by the U.S. or 15 15 15 Table of Contents Table of Contents other countries, our hardware devices produced in China could be impacted. Although it is difficult to predict how current or future tariffs on items imported from China or elsewhere will impact our business, the cost of our products manufactured in China and imported into the U.S. or other countries could increase, which in turn could adversely affect the demand for these products and have a material adverse effect on our business and results of operations.