Global Payments Inc.: 10-K Risk Factor Changes

In order to provide our services, we process and store sensitive business and personal information, which may include credit and debit card numbers, bank account numbers, social security numbers, driver’s license numbers, names and addresses, and other types of personal information or sensitive business information. Some of this information is also processed and stored by financial institutions, merchants and other entities, as well as third-party service providers to whom we outsource certain functions and other agents, such as independent consultants and auditors, which we refer to collectively as our associated third parties. We may have responsibility to the card networks, financial institutions, regulators, and in some instances, our merchants, ISOs and/or individuals, for our failure or the failure of our associated third parties (as applicable) to protect this information. We are a regular target of malicious third-party attempts to identify and exploit system vulnerabilities, and/or penetrate or bypass our security measures, in order to gain unauthorized access to our networks and systems or those of our associated third parties. Such attempts at unauthorized access can lead, and occasionally have led, to the compromise of sensitive, business, personal or confidential information. To mitigate these risks, we follow a defense-in-depth model for cybersecurity, meaning we proactively seek to employ multiple methods at different layers to defend our systems against intrusion and attack and to protect the data we possess. We have adopted policies and procedures, involving an incident response plan and both the board of directors and management oversight of cybersecurity risks, that we believe are designed to facilitate the identification, assessment and management of those risks including any risks that have the potential to be material. Our information security program establishes technical, physical and administrative controls to maintain the confidentiality, integrity and availability of our information and technical assets. However, we cannot provide any assurance that these cybersecurity risk management processes will be fully complied with or effective and we cannot be certain that these measures or other will always be successful or will always be sufficient to counter, or to rapidly detect, contain, and remediate, all current and emerging technology threats. More particularly, our computer systems and/or our associated third parties’ computer systems have been, and we expect will continue to be, targeted for penetration on a regular basis, and our data protection measures may not prevent unauthorized access. The techniques used to obtain unauthorized access, disable or degrade service or sabotage systems change frequently, are often difficult to detect and continually evolve and become more sophisticated. Threats to our systems and our associated third parties’ systems can derive from human error, fraud or malice on the part of employees or third parties, including state-sponsored organizations with significant financial and technological resources. In addition, we have experienced and may continue to experience errors, interruptions or delays from computer viruses and other malware or vulnerabilities that could infect our systems or those of our associated third parties. Denial of service, ransomware or other attacks could be launched against us for a variety of purposes, including to interfere with our services or create a diversion for other malicious activities. Our defensive measures may not prevent downtime, unauthorized access or use of sensitive data. We have experienced such incidents in the past, and we cannot guarantee that we will be able to anticipate or detect all attacks or vulnerabilities or implement adequate preventative measures in the future. While we maintain first- and third-party insurance coverage that may cover certain aspects of cyber risks, such insurance coverage may be insufficient to cover all losses. Companies we acquire may require implementation of additional cyber defense methods to align with our standards and, as a result, there may be a period 18 18 18 Table of Contents Table of Contents of heightened risk between the acquisition date and the completion of such implementation. Furthermore, certain of our third-party relationships are subject to our vendor management program and are governed by written contracts. We believe we have designed our risk identification, assessment, and management processes and procedures to account for cybersecurity risks associated with our use of third-party service providers; however, we do not control the actions of our associated third parties, and any problems experienced by these third parties, including those resulting from breakdowns or other disruptions in the services provided by such parties or cyberattacks, targeted attacks against our employees and associated third parties and security breaches, could adversely affect our ability to service our customers or otherwise conduct our business. In addition, we impose contractual requirements on our counterparties, including vendors and other third parties, related to the use and security of personal data and other confidential information, along with compliance with applicable privacy and security laws. We cannot provide any assurance that these contractual requirements related to those who have access to this data will be followed or will be adequate to prevent the misuse of this data. We have occasionally received notifications from vendors and other third parties regarding the exposure of or unauthorized access to our data stored on their information systems, and any future misuse or compromise of personal information stored on those systems, or any other failure by a vendor or other third party to abide by our contractual requirements, could expose us to regulatory fines, third-party liability, protracted and costly litigation and, with respect to misuse of the personal information of our customers, lost revenue and reputational harm. Any type of security breach, attack or misuse of data described above or otherwise, whether experienced by us or an associated vendor or other third party, could harm our reputation; deter existing and prospective customers from using our services or from making digital payments generally; increase our operating expenses in order to contain and remediate the incident; expose us to unanticipated or uninsured liability; disrupt our operations (including potential service interruptions); distract our management; increase our risk of litigation or regulatory scrutiny; result in the imposition of penalties and fines under state, federal and foreign laws or by the card networks; and adversely affect our continued card network registration or membership and financial institution sponsorship. Removal from the networks' lists of Payment Card Industry Data Security Standard compliant service providers could mean that existing customers, sales partners or other third parties could cease using or referring others to our services. Also, prospective merchant customers, financial institutions, sales partners or other third parties could choose to terminate negotiations with us, or delay or choose not to consider us for their processing needs. In addition, the card networks could refuse to allow us to process through their networks. Any of the foregoing could adversely affect our business, financial condition or results of operation.

In order to provide our services, we process and store sensitive business and personal information, which may include credit and debit card numbers, bank account numbers, social security numbers, driver’s license numbers, names and addresses, and other types of personal information or sensitive business information. Some of this information is also processed and stored by financial institutions, merchants and other entities, as well as third-party service providers to whom we outsource certain functions and other agents, which we refer to collectively as our associated third parties. We may have responsibility to the card networks, financial institutions, and in some instances, our merchants, ISOs and/or individuals, for our failure or the failure of our associated third parties (as applicable) to protect this information. We are a regular target of malicious third-party attempts to identify and exploit system vulnerabilities, and/or penetrate or bypass our security measures, in order to gain unauthorized access to our networks and systems or those of our associated third parties. Such access could lead to the compromise of sensitive, business, personal or confidential information. As a result, we follow a defense-in-depth model for cybersecurity, meaning we proactively seek to employ multiple methods at different layers to defend our systems against intrusion and attack and to protect the data we possess. However, we cannot be certain that these measures will be successful or will be sufficient to counter all current and emerging technology threats. Our computer systems and/or our associated third parties’ computer systems have been, and we expect to continue to be, targeted for penetration, and our data protection measures may not prevent unauthorized access. The techniques used to obtain unauthorized access, disable or degrade service or sabotage systems change frequently, are often difficult to detect and continually evolve and become more sophisticated. Threats to our systems and our associated third parties’ systems can derive from human error, fraud or malice on the part of employees or third parties, including state-sponsored organizations with significant financial and technological resources. In addition, we have experienced and may continue to experience errors, interruptions or delays from computer viruses and other malware that could infect our systems or those of our associated third parties. Denial of service, ransomware or other attacks could be launched against us for a variety of purposes, including to interfere with our services or create a diversion for other malicious activities. Our defensive measures may not prevent downtime, unauthorized access or use of sensitive data. While we maintain first- and third-party insurance coverage that may cover certain aspects of cyber risks, such insurance coverage may be insufficient to cover all losses. Companies we acquire may require implementation of additional cyber defense methods to align with our standards and, as a result, there may be a period of increased risk between the acquisition date and the completion of such implementation. Furthermore, certain of our third-party relationships are subject to our vendor management program and governed by written contracts; however, we do not control the actions of our associated third parties, and any problems experienced by these third parties, including those resulting from breakdowns or other disruptions in the services provided by such parties or cyberattacks, targeted attacks against our employees and associated third parties and security breaches, could adversely affect our ability to service our customers or otherwise conduct our business. In addition, we cannot provide assurance that the contractual requirements related to use, security and privacy that we impose on our associated third parties who have access to this data will be followed or will be adequate to prevent the misuse of this data. Any misuse or compromise of personal information or failure to adequately abide by these contractual requirements could result in liability, protracted and costly litigation and, with respect to misuse of personal information of our customers, lost revenue and reputational harm. Any type of security breach, attack or misuse of data described above or otherwise, whether experienced by us or an associated third party, could harm our reputation; deter existing and prospective customers from using our services or from making digital payments generally; increase our operating expenses in order to contain and remediate the incident; expose us to unanticipated or uninsured liability; disrupt our operations (including potential service interruptions); distract our management, increase our risk of litigation or regulatory scrutiny; result in the imposition of penalties and fines under state, federal and 17 17 17 Table of Contents Table of Contents foreign laws or by the card networks, and adversely affect our continued card network registration or membership and financial institution sponsorship. Our removal from the networks' lists of Payment Card Industry Data Security Standard compliant service providers could mean that existing customers, sales partners or other third parties may cease using or referring others to our services. Also, prospective merchant customers, financial institutions, sales partners or other third parties may choose to terminate negotiations with us, or delay or choose not to consider us for their processing needs. In addition, the card networks could refuse to allow us to process through their networks. Any of the foregoing could adversely affect our business, financial condition or results of operation.

We have potential liability for fraudulent digital payment transactions or credits initiated by merchants or others. Criminals are using increasingly sophisticated methods to engage in illegal activities such as counterfeiting and fraud. Failure to effectively manage risk and prevent fraud could increase our chargeback losses or cause us to incur other liabilities. It is possible that incidents of fraud could increase in the future. Increases in chargebacks or other liabilities could have a material adverse effect on our financial condition, results of operations and cash flows. The accompanying consolidated financial statements reflect management’s estimates and assumptions related to allowances for transaction and credit losses utilizing the most currently available information. Actual losses could differ materially from those estimates.

We have potential liability for fraudulent digital payment transactions or credits initiated by merchants or others, and our prepaid card programs expose us to threats involving the misuse of cards, collusion, fraud and identity theft. Criminals are using increasingly sophisticated methods to engage in illegal activities such as counterfeiting and fraud. Failure to effectively manage risk and prevent fraud could increase our chargeback losses or cause us to incur other liabilities. It is possible that incidents of fraud could increase in the future. Increases in chargebacks or other liabilities could have a material adverse effect on our financial condition, results of operations and cash flows. Additionally, the COVID-19 pandemic, as well as macroeconomic conditions such as rising inflation and higher costs for labor and supplies, have negatively affected or may continue to affect the financial viability and operations of certain merchants. The accompanying consolidated financial statements reflect management’s estimates and assumptions related to allowances for transaction and credit losses utilizing the most currently available information. Actual losses could differ materially from those estimates.

Changes in tax laws or their interpretations could result in changes to enacted tax rates and may require complex computations to be performed that were not previously required, significant judgments to be made in interpretation of the new or revised tax regulations and significant estimates in calculations, as well as the preparation and analysis of information not previously relevant or regularly produced. Future changes in enacted tax rates could negatively affect our results of operations. In December 2022, the EU Member States formally adopted the EU’s Pillar Two Directive, which generally provides for a minimum effective tax rate of 15%, as established by the Organization for Economic Co-operation and Development Pillar Two Framework. The EU effective dates are January 1, 2024, and January 1, 2025, for different aspects of the directive. A significant number of other countries are expected to implement similar legislation with varying effective dates in the future. We are continuing to evaluate the potential effect on future periods of the Pillar Two Framework, pending legislative adoption by additional individual countries; however, we do not expect the directive to have a material effect on our financial condition or results of operations. Our tax returns and positions are subject to review and audit by federal, state, local and international taxing authorities. An unfavorable outcome to a tax audit could result in higher tax expense, thereby negatively affecting our results of operations and cash flows. We have recognized estimated liabilities on the balance sheet for material known tax exposures relating to deductions, transactions and other matters involving some uncertainty as to the proper tax treatment of the item. These liabilities reflect what we believe to be reasonable assumptions as to the likely final resolution of each issue if raised by a taxing authority. While we believe that the liabilities are adequate to cover reasonably expected tax risks, there can be no assurance that, in all instances, an issue raised by a tax authority will be finally resolved at a financial amount not significantly more than any related liability on the balance sheet.

Changes in tax laws or their interpretations could result in changes to enacted tax rates and may require complex computations to be performed that were not previously required, significant judgments to be made in interpretation of the new or revised tax regulations and significant estimates in calculations, as well as the preparation and analysis of information not previously relevant or regularly produced. Future changes in enacted tax rates could negatively affect our results of operations. In August 2022, the Inflation Reduction Act of 2022 was signed into law. This law, among other things, provides for a corporate alternative minimum tax on adjusted financial statement income (effective for us in 2023), and an excise tax on corporate stock repurchases (effective for our share repurchases after December 31, 2022), and we are continuing to evaluate the effect it may have on our financial condition and results of operations. Future changes in enacted tax rates could negatively affect our results of operations. Our tax returns and positions are subject to review and audit by federal, state, local and international taxing authorities. An unfavorable outcome to a tax audit could result in higher tax expense, thereby negatively affecting our results of operations and cash flows. We have recognized estimated liabilities on the balance sheet for material known tax exposures relating to deductions, transactions and other matters involving some uncertainty as to the proper tax treatment of the item. These liabilities reflect what we believe to be reasonable assumptions as to the likely final resolution of each issue if raised by a taxing authority. While we believe that the liabilities are adequate to cover reasonably expected tax risks, there can be no assurance that, in all instances, an issue raised by a tax authority will be finally resolved at a financial amount no more than any related liability.

The global payments technology industry depends heavily on the overall level of consumer, business and government spending. We are exposed to general economic conditions, including but not limited to, recessions, inflation, rising interest rates, high unemployment, currency fluctuations, and rising energy prices, that affect consumer confidence, discretionary income and changes in consumer purchasing and spending habits. Adverse economic conditions have at times affected and may continue to negatively affect our financial performance by reducing the number or average purchase amount of transactions made using digital payments. A reduction in the amount of consumer spending could result in a decrease in our revenues and profits. If our merchants make fewer sales to consumers using digital payments, or consumers using digital payments spend less per transaction, we will have fewer transactions to process or lower transaction amounts, each of which would contribute to lower revenues. Additionally, credit card issuers may reduce credit limits and become more selective in their card issuance practices. When such conditions arise, we evaluate where we may be able to implement cost-saving measures, including those related to headcount and discretionary expenses. While economic conditions have shown moderate improvement in recent months, any of these developments could have a material adverse effect on our financial condition and results of operations. Adverse macroeconomic conditions in any of our markets could force merchants, financial institutions or other customers to cease operations or petition for bankruptcy protection, resulting in lower revenue and earnings for us and greater exposure to potential credit losses and future transaction declines. We also have a certain amount of fixed costs, including rent, debt service, and salaries, which could limit our ability to quickly adjust costs and respond to changes in our business and the economy. Changes in economic conditions could also adversely affect our future revenues and profits and have a materially adverse effect on our business, financial condition, results of operations and cash flows. In most markets, we collect our fees from our merchants on the first day after the monthly billing period, which results in the build-up of substantial receivable from our customers. If a merchant were to go out of business during the billing period, we may be unable to collect such fees, which could negatively affect our business, financial condition, results of operations and cash flows. In addition, our business, growth, financial condition or results of operations could be materially adversely affected by public health emergencies, such as the COVID-19 pandemic, political and economic instability or changes in a country’s or region’s economic conditions, changes in laws or regulations or in the interpretation of existing laws or regulations, whether caused by a change in government or otherwise, increased difficulty of conducting business in a country or region due to actual or potential political or military conflict or action by the United States or foreign governments that may restrict our ability to transact business in a foreign country or with certain foreign individuals or entities. Risks associated with heightened geopolitical and economic instability, include among others, reduction in consumer, government or corporate spending, international sanctions, embargoes, heightened inflation and actions taken by central banks to counter inflation, volatility in global financial markets, increased cyber disruptions or attacks, higher supply chain costs and increased tensions between countries in which we may operate, which could result in charges related to the recoverability of assets, including financial assets, long-lived assets and goodwill, and other losses, and could adversely affect our financial condition and results of operations. Climate-related events, including extreme weather events and natural disasters and their effects on critical infrastructure in the U.S. or internationally, could have adverse effects on our operations, customers or third-party suppliers. Furthermore, our shareholders, customers and other stakeholders have begun to consider how corporations are addressing sustainability matters, which include environmental and corporate responsibility issues. Government regulators, investors, customers and the general public are increasingly focused on sustainability practices and disclosures, and views on this topic are diverse and rapidly changing. These shifts in investing priorities may result in adverse effects on the trading price of the Company's common stock if investors determine that the Company has not made sufficient progress on sustainability matters. Furthermore, developing and acting on these initiatives, and collecting, measuring and reporting related information and metrics can be costly, difficult and time consuming, and are subject to evolving reporting standards and/or contractual obligations. The standards and laws by which sustainability efforts are tracked and measured are in many cases new, have not been harmonized, and continue to evolve. We could also face potential negative sustainability related publicity in traditional media or social media if shareholders or other stakeholders determine that we have not adequately considered or addressed sustainability and governance matters. We have been the recipient of proposals from shareholders to promote their corporate responsibility positions, and we may receive 29 29 29 Table of Contents Table of Contents other such proposals in the future. Such proposals may not be in the long-term interests of the Company or our shareholders and may divert management’s attention away from operational matters or create the impression that our practices are inadequate.

The global payments technology industry depends heavily on the overall level of consumer, business and government spending. We are exposed to general economic conditions, including but not limited to, recessions, inflation, rising interest rates, high unemployment, currency fluctuations, and rising energy prices, that affect consumer confidence, spending, and discretionary income and changes in consumer purchasing habits. Adverse economic conditions may negatively affect our financial performance by reducing the number or average purchase amount of transactions made using digital payments. A reduction in the amount of consumer spending could result in a decrease in our revenues and profits. If our merchants make fewer sales to consumers using digital payments, or consumers using digital payments spend less per transaction, we will have fewer transactions to process or lower transaction amounts, each of which would contribute to lower revenues. Additionally, credit card issuers may reduce credit limits and become more selective in their card issuance practices. Any of these developments could have a material adverse effect on our financial condition and results of operations. Adverse macroeconomic conditions in any of our markets could force merchants, financial institutions or other customers to close or petition for bankruptcy protection, resulting in lower revenue and earnings for us and greater exposure to potential credit losses and future transaction declines. We also have a certain amount of fixed costs, including rent, debt service, and salaries, which could limit our ability to quickly adjust costs and respond to changes in our business and the economy. Changes in economic conditions could also adversely affect our future revenues and profits and have a materially adverse effect on our business, financial condition, results of operations and cash flows. Credit losses arise from the fact that, in most markets, we collect our fees from our merchants on the first day after the monthly billing period. This results in the build-up of a substantial receivable from our customers. If a merchant were to go out of business during the billing period, we may be unable to collect such fees, which could negatively affect our business, financial condition, results of operations and cash flows. In addition, our business, growth, financial condition or results of operations could be materially adversely affected by outbreaks of illnesses, pandemics like COVID-19 or other political and economic instability or changes in a country’s or region’s economic conditions, changes in laws or regulations or in the interpretation of existing laws or regulations, whether caused by a change in government or otherwise, increased difficulty of conducting business in a country or region due to actual or potential political or military conflict or action by the United States or foreign governments that may restrict our ability to transact business in a foreign country or with certain foreign individuals or entities. Although the immediate effects of the COVID-19 pandemic have been assessed, the long-term effects of the COVID-19 pandemic on our business, results of operations, financial condition and cash flows will depend on future developments, which are highly uncertain and are difficult to predict at this time. Such developments include, but are not limited to, the effectiveness of preventative measures implemented to help limit the spread of the virus, including vaccine administration rates and efficacy, emergence of new virus variants and new waves of infection and the direction or extent of future restrictive actions that may be imposed by governments or public health authorities. The COVID-19 pandemic caused an economic slowdown in the U.S. and other markets in which we operate. It may also continue to affect financial markets and corporate credit markets which could adversely affect our access to financing or the terms of any such financing. Moreover, the global macroeconomic effects of the pandemic may persist for an indefinite period, even after the pandemic has subsided. Risks associated with heightened geopolitical and economic instability, such as those resulting from the invasion of Ukraine by Russia, include among others, reduction in consumer, government or corporate spending, international sanctions, embargoes, heightened inflation and actions taken by central banks to counter inflation, volatility in global financial markets, increased cyber disruptions or attacks, higher supply chain costs and increased tensions between the United States and countries in which we operate, which could result in charges related to the recoverability of assets, including financial assets, long-lived assets and goodwill and other losses, and could adversely affect our financial condition and results of operations. Climate-related events, including extreme weather events and natural disasters and their effect on critical infrastructure in the U.S. or internationally, could have similar adverse effects on our operations, customers or third-party suppliers. Furthermore, our shareholders, customers and other stakeholders have begun to consider how corporations are addressing environmental, social and governance ("ESG") issues. Government regulators, investors, customers and the general public are increasingly focused on ESG practices and disclosures, and views about ESG are diverse and rapidly changing. These shifts in investing priorities may result in adverse effects on the trading price of the Company's common stock if investors determine that the Company has not made sufficient progress on ESG matters. Furthermore, developing and acting on initiatives within the scope of ESG, and collecting, measuring and reporting ESG-related information and metrics can be costly, difficult and time 28 28 28 Table of Contents Table of Contents consuming, and are subject to evolving reporting standards and/or contractual obligations. We could also face potential negative ESG-related publicity in traditional media or social media if shareholders or other stakeholders determine that we have not adequately considered or addressed ESG matters. We have been the recipient of proposals from shareholders to promote their governance positions. Shareholders are increasingly submitting proposals related to a variety of ESG issues to public companies, and we may receive other such proposals in the future. Such proposals may not be in the long-term interests of the Company or our stockholders and may divert management’s attention away from operational matters or create the impression that our practices are inadequate.

We experience attrition in merchant credit and debit card processing volume resulting from several factors, including merchant closures, loss of merchant accounts to our competitors, unsuccessful contract renewal negotiations and account closures that we initiate for various reasons, such as heightened credit risks or contract breaches by merchants. Our referral partners are a significant source of new business. If a referral partner switches to another transaction processor, terminates our services, internalizes payment processing functions that we perform, merges with or is acquired by one of our competitors, or shuts down or becomes insolvent, we may no longer receive new merchant referrals from such referral partner, and we risk losing existing merchants that were originally enrolled by the referral partner. We cannot predict the level of attrition in the future and it could increase. Higher than expected attrition could negatively affect our results, which could have a material adverse effect on our business, financial condition, results of operations and cash flows. 21 21 21 Table of Contents Table of Contents

We experience attrition in merchant credit and debit card processing volume resulting from several factors, including merchant closures, loss of merchant accounts to our competitors, unsuccessful contract renewal negotiations and account closures that we initiate for various reasons, such as heightened credit risks or contract breaches by merchants. Our referral partners are a significant source of new business. If a referral partner or an ISO switches to another transaction processor, terminates our services, internalizes payment processing functions that we perform, merges with or is acquired by one of our competitors, or shuts down or becomes insolvent, we may no longer receive new merchant referrals from such referral partner, and we risk losing existing merchants that were originally enrolled by the referral partner or ISO. We cannot predict the level of attrition in the future and it could increase. Higher than expected attrition could negatively affect our results, which could have a material adverse effect on our business, financial condition, results of operations and cash flows.

As a payments technology company, our business is affected by laws and complex regulations and examinations that affect us and our industry in the countries in which we operate. Regulation and proposed regulation of the payments industry have continued to increase significantly in recent years. Failure to comply with regulations or guidelines may result in the suspension or revocation of a license or registration, the limitation, suspension or termination of service, and the imposition of civil and criminal penalties, including fines, or may cause customers or potential customers to be reluctant to do business with us, any of which could have an adverse effect on our financial condition. 24 24 24 Table of Contents Table of Contents Interchange fees are subject to intense legal, regulatory and legislative scrutiny worldwide. For instance, the Dodd-Frank Act restricts the amounts of debit card fees that certain issuing institutions can charge merchants and allows merchants to set minimum amounts for the acceptance of credit cards and to offer discounts for different payment methods. These types of restrictions could negatively affect the number of debit transactions, which would adversely affect our business. The Dodd-Frank Act also created the CFPB, which has responsibility for enforcing federal consumer protection laws, and the Financial Stability Oversight Council, which has the authority to determine whether any nonbank financial company, like us, should be supervised by the Board of Governors of the Federal Reserve on the ground that it is "systemically important" to the U.S. financial system. Any such designation would result in increased regulatory burdens on our business, which increases our risk profile and may have an adverse effect on our business, financial condition, results of operations and cash flows. Because we directly or indirectly offer or provide financial services to consumers, we are subject to prohibitions against unfair, deceptive, or abusive acts or practices under the Dodd-Frank Act. More generally, all persons engaged in commerce, including, but not limited to, us and our merchant and financial institution customers, are subject to Section 5 of the FTC Act prohibiting unfair or deceptive acts or practices ("UDAP"). We also have businesses that are subject to credit reporting and debt collection laws and regulations in the U.S. Various federal and state regulatory enforcement agencies, including the FTC, the CFPB and the states’ attorneys general, may seek to take action against nonbanks that engage in UDAP or violate other laws, rules or regulations and, to the extent we are in violation of these laws, rules or regulations or are processing payments for a merchant that may be in violation of these laws, rules or regulations, we may be subject to enforcement actions and as a result may incur losses and liabilities. We are also subject to examination by the FFIEC as a result of our provision of data processing services to financial institutions. As the regulatory environment remains unpredictable and subject to rapid change, new obligations could increase the cost and complexity of compliance. Evolving regulations also increase the risk of investigations, fines, nonmonetary penalties and litigation. Because of our services in relation to the banking industry, much of our business is obligated, either under law or via contracts with our customers, to comply with anti-money laundering regulations. Noncompliance with these regulations could lead to substantial regulatory fines and penalties or damages from private causes of action. The effect of the regulations could be detrimental to our financial condition. In addition, we and our sponsor financial institutions are subject to the laws and regulations enforced by the Office of Foreign Assets Control, which prohibit U.S. persons from engaging in transactions with certain prohibited persons or entities. Similar requirements apply in other countries. Furthermore, certain of our businesses are regulated as money transmitters or otherwise require licensing in one or more states or jurisdictions, subjecting us to various licensing, supervisory and other requirements. Continuing developments in privacy and data protection regulation globally, combined with the rapid pace of technology innovation, have created risks and operational challenges for many of our business activities as described in "Item 1 - Business." It is possible that these laws may be interpreted and applied in a manner that is inconsistent with our data privacy practices or operations model, which could result in potential liability for fines, damages or a need to incur substantial costs to modify our operations. Compliance with these laws and regulations can be costly and time consuming, adding a layer of complexity to business practices and innovation. As with other regulatory schemes, our failure to comply could result in public or private enforcement action and accompanying litigation costs, losses, fines and penalties, which could adversely affect our business, financial condition, results of operations and cash flows. In addition, U.S. banking agencies and the SEC have adopted or proposed enhanced cyber risk management standards that could apply to us and our financial institution clients and that would address cyber risk governance and management, management of internal and external dependencies, and incident response, cyber resilience and situational awareness. Several states and foreign countries also have adopted or proposed new privacy and cybersecurity laws targeting these issues. Legislation and regulations on cybersecurity, data privacy and data localization may compel us to enhance or modify our systems, invest in new systems or alter our business practices or our policies on data governance and privacy. If any of these outcomes were to occur, our operational costs could increase significantly. The rise in the use of generative artificial intelligence has dramatically altered the corporate landscape. Incorporating artificial intelligence, including machine learning technologies, into our businesses presents numerous risks and uncertainties. Furthermore, the global regulatory framework has not kept pace with the rapid developments in the generative artificial intelligence technology field, creating uncertainties regarding compliance with upcoming laws and regulations. Beyond legal considerations in the development and deployment of these models there exists an ethical consideration given the potential risk of generating misleading or harmful content. The unpredictable nature of outputs further amplifies this risk, potentially leading to unintended consequences and biases. Additionally, the absence of clear requirements pertaining to explainability and the data used to train these models, introduces the risk of intellectual property disputes, including the inability to protect or potential infringement claims regarding the artificially generated content. We are exploring opportunities to expand our portfolio with artificial intelligence capabilities to strengthen our market position, amplify our teams' capabilities, and enhance our customers' 25 25 25 Table of Contents Table of Contents experiences. If we are unsuccessful in doing so, we may have a competitive disadvantage in developing new products and operating our business and our customers may prefer different solutions. Changes to legal rules and regulations, or interpretation or enforcement thereof, even if not directed at us, may require significant efforts to change our systems and services and may require changes to how we price our services to customers, adversely affecting our business. Even an inadvertent failure to comply with laws and regulations, as well as rapidly evolving social expectations of corporate fairness, could damage our business or our reputation. As varying or conflicting regulations come into existence across the jurisdictions in which we operate, we may have difficulty aligning our operations to comply with all applicable laws.

As a payments technology company, our business is affected by laws and complex regulations and examinations that affect us and our industry in the countries in which we operate. Regulation and proposed regulation of the payments industry have increased significantly in recent years. Failure to comply with regulations or guidelines may result in the suspension or revocation of a license or registration, the limitation, suspension or termination of service, and the imposition of civil and 23 23 23 Table of Contents Table of Contents criminal penalties, including fines, or may cause customers or potential customers to be reluctant to do business with us, any of which could have an adverse effect on our financial condition. Interchange fees are subject to intense legal, regulatory and legislative scrutiny worldwide. For instance, the Dodd-Frank Act restricts the amounts of debit card fees that certain issuing institutions can charge merchants and allows merchants to set minimum amounts for the acceptance of credit cards and to offer discounts for different payment methods. These types of restrictions could negatively affect the number of debit transactions, which would adversely affect our business. The Dodd-Frank Act also created the CFPB, which has responsibility for enforcing federal consumer protection laws, and the Financial Stability Oversight Council, which has the authority to determine whether any nonbank financial company, such as us, should be supervised by the Board of Governors of the Federal Reserve on the ground that it is "systemically important" to the U.S. financial system. Any such designation would result in increased regulatory burdens on our business, which increases our risk profile and may have an adverse effect on our business, financial condition, results of operations and cash flows. Because we directly or indirectly offer or provide financial services to consumers, we are subject to prohibitions against unfair, deceptive, or abusive acts or practices under the Dodd-Frank Act. More generally, all persons engaged in commerce, including, but not limited to, us and our merchant and financial institution customers, are subject to Section 5 of the Federal Trade Commission ("FTC") Act prohibiting unfair or deceptive acts or practices ("UDAP"). We also have businesses that are subject to credit reporting and debt collection laws and regulations in the U.S. Various federal and state regulatory enforcement agencies, including the FTC, the CFPB and the states’ attorneys general, may seek to take action against nonbanks that engage in UDAP or violate other laws, rules or regulations and, to the extent we are in violation of these laws, rules or regulations or processing payments for a merchant that may be in violation of these laws, rules or regulations, we may be subject to enforcement actions and as a result may incur losses and liabilities. Continuing developments in privacy and data protection regulation globally, combined with the rapid pace of technology innovation, have created risks and operational challenges for many of our business activities as described in "Item 1 - Business." As the regulatory environment remains unpredictable and subject to rapid change, new obligations could increase the cost and complexity of compliance. Evolving regulations also increase the risk of investigations, fines, non-monetary penalties, and litigation. Much of our business is obligated, either under law or via contracts with our customers, to comply with anti-money laundering regulations. Noncompliance with these regulations could lead to substantial regulatory fines and penalties or damages from private causes of action. The effect of the regulations could harm our business and financial condition. In addition, we and our sponsor financial institutions are subject to the laws and regulations enforced by the Office of Foreign Assets Control, which prohibit U.S. persons from engaging in transactions with certain prohibited persons or entities. Similar requirements apply in other countries. Furthermore, certain of our businesses are regulated as money transmitters or otherwise require licensing in one or more states or jurisdictions, subjecting us to various licensing, supervisory and other requirements. We are also subject to examination by the Federal Banking Agencies as a result of our provision of data processing services to financial institutions. It is possible that these laws may be interpreted and applied in a manner that is inconsistent with our data privacy practices or operations model, which could result in potential liability for fines, damages or a need to incur substantial costs to modify our operations. Compliance with these laws and regulations can be costly and time consuming, adding a layer of complexity to business practices and innovation. As with other regulatory schemes, our failure to comply could result in public or private enforcement action and accompanying litigation costs, losses, fines and penalties, which could adversely affect our business, financial condition, results of operations and cash flows. With respect to our Consumer Solutions segment, because each distributor offers prepaid cards, reload services and/or money remittance services as an agent of Consumer Solutions, or another third party, we do not believe that the distributors themselves are required to become licensed as money transmitters in order to engage in such activity. However, there is a risk that a federal or state regulator will take a contrary position and initiate enforcement or other proceedings against a distributor, us, our issuing banks or our other service providers. If we are unsuccessful in making a persuasive argument that a distributor should not be subject to such licensing requirements, it could result in the imposition of fines, the suspension of the distributor’s ability to offer some or all of our related services in the relevant jurisdiction, civil liability and criminal liability, each of which could negatively affect our financial condition and results of operations. Furthermore, if the federal government or one or more state governments impose additional legislative or regulatory requirements on our Consumer Solutions segment, the issuing banks or the distributors, or prohibit or limit the activities of our Consumer Solutions segment as currently conducted, we may be required to modify or terminate some or all of our Consumer Solutions services offered in the relevant jurisdiction or certain of the issuing banks may terminate their relationship with us. Moreover, as a number of our Consumer Solutions distributors are engaged in offering payday, title and/or installment loans, current and future legislative and regulatory restrictions that negatively affect their ability to continue their operations could have a corresponding negative effect on our revenue and 24 24 24 Table of Contents Table of Contents earnings from these relationships, potentially resulting in a significant decline in revenue from the Consumer Solutions segment. Changes to legal rules and regulations, or interpretation or enforcement thereof, even if not directed at us, may require significant efforts to change our systems and services and may require changes to how we price our services to customers, adversely affecting our business. Even an inadvertent failure to comply with laws and regulations, as well as rapidly evolving social expectations of corporate fairness, could damage our business or our reputation. If varying or conflicting regulations come into existence across the jurisdictions in which we operate, we may have difficulty aligning our operations to comply with all applicable laws.

Our core services are based on software and computing systems that may encounter development delays, and the underlying software may contain undetected errors, viruses, defects or vulnerabilities. The hardware infrastructure on which our systems run may have a faulty component or fail. Defects in our software services, underlying hardware, or errors or delays in our processing of digital transactions could result in additional development costs, diversion of technical and other resources from our other development efforts, and could result in loss of credibility with current or potential customers, harm to our reputation and exposure to liability claims. In instances in which we rely on third-party software, our services are occasionally affected by defects, viruses, vulnerabilities, security incidents or other failures that take place at the vendor level. Depending on the circumstances, a vendor failure could cause delays, disruption or data loss or damage, and therefore cause harm to our credibility, reputation or financial condition. In addition, our insurance may not be adequate to compensate us for all losses or failures that may occur.

Our core services are based on software and computing systems that often encounter development delays, and the underlying software may contain undetected errors, viruses or defects. Defects in our software services or errors or delays in our processing of digital transactions could result in additional development costs, diversion of technical and other resources from our other development efforts, loss of credibility with current or potential customers, harm to our reputation and exposure to liability claims. In instances in which we rely on third-party software in conjunction with any disaster recovery functions, we could be adversely affected by the vendor’s unresponsiveness or other failures. We rely on technologies and software supplied by third parties that may also contain undetected errors, viruses or defects that could have a material adverse effect on our business, financial condition and results of operations. In addition, our insurance may not be adequate to compensate us for all losses or failures that may occur.