---
ticker: MA
company: Mastercard Incorporated
filing_type: 10-K
year_current: 2024
year_prior: 2023
risks_added: 0
risks_removed: 1
risks_modified: 11
risks_unchanged: 21
source: SEC EDGAR
url: https://riskdiff.com/ma/2024-vs-2023/
markdown_url: https://riskdiff.com/ma/2024-vs-2023/index.md
generated: 2026-05-10
---

# Mastercard Incorporated: 10-K Risk Factor Changes 2024 vs 2023

> Source: U.S. Securities and Exchange Commission (EDGAR)  
> Generated: 2026-05-10  
> All data extracted directly from official filings. No hallucinated content.

> **[AI-Generated Summary]** The paragraph below was produced by a language
> model and may contain errors. All other content on this page is deterministically
> extracted from the original SEC filing.

> Mastercard removed its COVID-19 pandemic risk disclosure, reflecting the transition from acute pandemic concerns to normal business operations. The company substantially modified 11 risk factors, with notable changes to disclosures regarding government protectionism in domestic payment services, regulatory barriers to acquisitions and strategic investments, and risks associated with government relationships, indicating heightened focus on regulatory and geopolitical challenges.

---

## Summary

| Status | Count |
|--------|-------|
| New risks added | 0 |
| Risks removed | 1 |
| Risks modified | 11 |
| Unchanged | 21 |

---

## No Match in Current: The global COVID-19 pandemic and measures taken in response have adversely impacted our business, results of operations and financial condition, and may continue to do so depending on future developments, which are uncertain.

*This section from the 2023 filing does not have a high-confidence textual match in 2024. It may have been removed, merged, or substantially reworded.*

While conditions related to the global COVID-19 pandemic generally improved in 2022, the pandemic continues to have negative effects on the global economy and has affected business activity, in particular, in areas such as travel and supply chains. These impacts have continued to adversely impact consumers, our customers, suppliers and business partners, as well as our workforce. Governments, businesses and consumers continue to react to changing conditions, including the emergence of variants of the virus, the severity of infections on a regional basis and the global administration of vaccines and boosters. Such reactions have included tightening or loosening safety measures and border restrictions or voluntarily making personal safety decisions, as applicable, based on the current environment of their location. The COVID-19 pandemic has adversely impacted our business, results of operations and financial condition. There are no comparable recent events which may provide guidance as to the future effects of a global pandemic such as COVID-19, and, as a result, the ultimate impact of this pandemic or a similar health epidemic in the future is uncertain and subject to change. The full extent to which the COVID-19 pandemic, and measures taken in response, further impacts our business, results of operations and financial condition will depend on future developments, which are uncertain, including, but not limited to, the duration of the pandemic and its impact on the global economy, including the extent to which we can continue to progress toward and maintain more consistent economic and operating conditions. Even after the COVID-19 pandemic has subsided, we may continue to experience materially adverse impacts to our business and our results of operations as a result of its global economic impact, including any recession that has occurred or may occur in the future.

---

## Modified: Preferential and protective government actions related to domestic payment services could adversely affect our ability to maintain or increase our revenues.

**Key changes:**

- Reworded sentence: "Some jurisdictions have implemented, or are considering, requirements to collect, store and/or process data within their borders, as well as prohibitions on the transfer of data abroad, leading to technological and operational implications as well as increased compliance burdens and other costs."
- Reworded sentence: "In addition, to the extent a jurisdiction determines us not to be in compliance with regulatory requirements (including those related to data localization), we have been, and may again in the future be, subject to resource and time pressures in order to come back into compliance."
- Removed sentence: "MASTERCARD 2022 FORM 10-K 27 MASTERCARD 2022 FORM 10-K 27 MASTERCARD 2022 FORM 10-K 27 PART IITEM 1A."
- Removed sentence: "RISK FACTORS PART I ITEM 1A."

**Prior (2023):**

Governments in some countries have acted, or in the future may act, to provide resources, preferential treatment or other protection to selected national payment and switching providers, or have created, or may in the future create, their own national provider. This action may displace us from, prevent us from entering into, or substantially restrict us from participating in, particular geographies, and may prevent us from competing effectively against those providers. For example:

- Governments in some countries have implemented, or may implement, regulatory requirements that mandate switching of domestic payments either entirely in that country or by only domestic companies.
- Some jurisdictions have implemented, or are considering, requirements to collect, process and/or store data within their borders, as well as prohibitions on the transfer of data abroad, leading to technological and operational implications as well as increased compliance burdens and other costs.
- Geopolitical events (such as Russia's invasion of Ukraine) and resulting OFAC sanctions, adverse trade policies, enforcement of U.S. laws related to counter financing of terrorism, economic sanctions and anti-corruption, or other types of government actions could lead affected or other jurisdictions to take actions in response that could adversely affect our business. Moreover, given our decision to suspend business operations in Russia, other separate jurisdictions may decide to increase their focus on growing local payment networks and other solutions.
- Regional groups of countries are considering, or may consider, efforts to restrict our participation in the switching of regional transactions.

Such developments prevent us from utilizing our global switching capabilities for domestic or regional customers. In addition, to the extent a jurisdiction determines us not to be in compliance with regulatory requirements (including those related to data localization), we have, and may continue to be, subject to resource and time pressures in order to come back into compliance. Our inability to effect change in, or work with, these jurisdictions could adversely affect our ability to maintain or increase our revenues and extend our global brand. Additionally, some jurisdictions have implemented, or may implement, foreign ownership restrictions, which could potentially have the effect of forcing or inducing the transfer of our technology and proprietary information as a condition of access to their markets. Such restrictions could adversely impact our ability to compete in these markets.

**Current (2024):**

Governments in some countries have acted, or in the future may act, to provide resources, preferential treatment or other protection to selected national payment and switching providers, or have created, or may in the future create, their own national provider. This action may displace us from, prevent us from entering into, or substantially restrict us from participating in, particular geographies, and may prevent us from competing effectively against those providers. For example:

- Governments in some countries have implemented, or may implement, regulatory requirements that mandate switching of domestic payments either entirely in that country or by only domestic companies.
- Some jurisdictions have implemented, or are considering, requirements to collect, store and/or process data within their borders, as well as prohibitions on the transfer of data abroad, leading to technological and operational implications as well as increased compliance burdens and other costs.
- Geopolitical events (such as Russia's invasion of Ukraine) and resulting OFAC sanctions, adverse trade policies, enforcement of U.S. laws related to countering the financing of terrorism, economic sanctions and anti-corruption, or other types of government actions could lead affected or other jurisdictions to take actions in response that could adversely affect our business. Moreover, given our decision to suspend business operations in Russia, other separate jurisdictions may decide to begin to or increase their focus on growing local payment networks and other solutions.
- Regional groups of countries are considering, or may consider, efforts to restrict our switching of regional transactions.
- Governments have been increasingly creating and expanding local payments structures (such as the Brazilian Instant Payment System-PIX, FedNow in the U.S. and UPI in India), which are increasingly being considered as alternatives to traditional domestic payment solutions and schemes such as ours.

Such developments prevent us from utilizing our global switching capabilities for domestic or regional customers. In addition, to the extent a jurisdiction determines us not to be in compliance with regulatory requirements (including those related to data localization), we have been, and may again in the future be, subject to resource and time pressures in order to come back into compliance. Our inability to effect change in, or work with, these jurisdictions could adversely affect our ability to maintain or increase our revenues and extend our global brand. Additionally, some jurisdictions have implemented, or may implement, foreign ownership restrictions, which could potentially have the effect of forcing or inducing the transfer of our technology and proprietary information as a condition of access to their markets. Such restrictions could adversely impact our ability to compete in these markets.

---

## Modified: Our efforts to enter into acquisitions, strategic investments or new businesses could be impacted or prevented by regulatory scrutiny and could otherwise result in issues that could disrupt our business and harm our results of operations or reputation.

**Key changes:**

- Reworded sentence: "We continue to evaluate our strategic acquisitions of, and investments in, complementary businesses, products or technologies."
- Reworded sentence: "Such an integration also may divert management's time and resources from our core business and disrupt our operations."
- Reworded sentence: "Additionally, targets that we acquire have had, and may in the future have, data practices that do not initially conform to our privacy, data protection and information security standards and data governance model, which could lead to regulatory scrutiny and reputational harm."

**Prior (2023):**

We continue to evaluate our strategic acquisitions of complementary businesses, products or technologies, as well as acquiring interests in related joint ventures or other entities. As we do so, we face increasing regulatory scrutiny with respect to antitrust, national security and other considerations that could impact these efforts. We also face competition for acquisition targets due to the nature of the market for technology companies. As a result, we could be prevented from successfully completing such acquisitions in the future. If we are not successful in these efforts, we could lose strategic opportunities that are dependent, in part, on inorganic growth. To the extent we do make these acquisitions, we may not be able to successfully partner with or integrate them, despite original intentions and focused efforts. In addition, such an integration may divert management's time and resources from our core business and disrupt our operations. Moreover, we may spend time and money on acquisitions or projects that do not meet our expectations or increase our revenue. To the extent we pay the purchase price of any acquisition in cash, it would reduce our cash reserves available to us for other uses, and to the extent the purchase price is paid with our stock, it could be dilutive to our stockholders. Furthermore, we may inherit litigation risk which may increase our post-acquisition costs of operations and impact our ability to successfully finance that business. Any acquisition or entry into a new business could subject us to new regulations, both directly as a result of the new business as well as in the other existing parts of our business, with which we would need to comply. This compliance could increase our costs, and we could be subject to liability or reputational harm to the extent we cannot meet any such compliance requirements. 
Additionally, targets that we acquire may have data practices that do not initially conform to our privacy and data protection standards and data governance model, which could lead to regulatory scrutiny and reputational harm.

**Current (2024):**

We continue to evaluate our strategic acquisitions of, and investments in, complementary businesses, products or technologies. As we do so, we face increasing regulatory scrutiny with respect to antitrust, national security and other considerations that could impact these efforts. We also face competition for acquisition targets due to the nature of the market for technology companies. As a result, we could be prevented from successfully completing such acquisitions in the future. If we are not successful in these efforts, we could lose strategic opportunities that are dependent, in part, on inorganic growth. To the extent we do make these acquisitions, we may not be able to successfully partner with or integrate them, despite original intentions and focused efforts. Such an integration also may divert management's time and resources from our core business and disrupt our operations. Moreover, we have spent, and may continue to spend, time and money on acquisitions or projects that do not sufficiently meet our expectations (either strategically or financially), which has resulted (and may in the future result) in divesting from or otherwise exiting these investments or businesses. Additionally, to the extent we pay the purchase price of any acquisition in cash, it would reduce our cash reserves available to us for other uses, and to the extent the purchase price is paid with our stock, it could be dilutive to our stockholders. Furthermore, we have inherited and may in the future inherit litigation risk which has or may increase our post-acquisition costs of operations and/or impact our ability to successfully finance that business. Any acquisition, investment or entry into a new business could subject us to new regulations, both directly as a result of the new business as well as in the other existing parts of our business, with which we would need to comply. 
This compliance could increase our costs, and we could be subject to liability or reputational harm to the extent we cannot meet any such compliance requirements. Additionally, targets that we acquire have had, and may in the future have, data practices that do not initially conform to our privacy, data protection and information security standards and data governance model, which could lead to regulatory scrutiny and reputational harm. These targets also have resulted in, and may in the future lead to, information security vulnerabilities for us.

---

## Modified: Our work with governments exposes us to unique risks that could have a material impact on our business and results of operations.

**Key changes:**

- Reworded sentence: "Our work with governments is heavily regulated, subjecting us to additional potential exposure under U.S. and international anti-corruption laws (including the U.S. Foreign Corrupt Practices Act and the U.K. Bribery Act), as well as compliance with various procurement and other laws, regulations, standards and contract terms."

**Prior (2023):**

As we increase our work with national, state and local governments, both indirectly through financial institutions and with them directly as our customers, we may face various risks inherent in associating or contracting directly with governments. These risks include, but are not limited to, the following:

- Governmental entities typically fund projects through appropriated monies. Changes in governmental priorities or other political developments, including disruptions in governmental operations, could impact approved funding and result in changes in the scope, or lead to the termination, of the arrangements or contracts we or financial institutions enter into with respect to our payment products and services.
- Our work with governments subjects us to U.S. and international anti-corruption laws, including the U.S. Foreign Corrupt Practices Act and the U.K. Bribery Act. A violation and subsequent judgment or settlement under these laws could subject us to substantial monetary penalties and damages and have a significant reputational impact.
- Working or contracting with governments, either directly or via our financial institution customers, can subject us to heightened reputational risks, including extensive scrutiny and publicity, as well as a potential association with the policies of a government as a result of a business arrangement with that government. Any negative publicity or negative association with a government entity, regardless of its accuracy, may adversely affect our reputation.

**Current (2024):**

As we increase our work with national, state and local governments, both indirectly through financial institutions and with them directly as our customers, we may face various risks inherent in associating or contracting directly with governments. These risks include, but are not limited to, the following:

- Governmental entities typically fund projects through appropriated monies. Changes in governmental priorities or other political developments, including disruptions in governmental operations, could impact approved funding and result in changes in the scope, or lead to the termination, of the arrangements or contracts we or financial institutions enter into with respect to our payment products and services.
- Our work with governments is heavily regulated, subjecting us to additional potential exposure under U.S. and international anti-corruption laws (including the U.S. Foreign Corrupt Practices Act and the U.K. Bribery Act), as well as compliance with various procurement and other laws, regulations, standards and contract terms. Any violation and subsequent judgment or settlement related to the above could subject us to substantial monetary penalties and damages and have a significant reputational impact. Moreover, as a government contractor, we are subject to a government's right to conduct audits and investigations into both our contract performance and our compliance with applicable laws, regulations and contract terms. Any adverse finding could subject us to civil or criminal penalties, sanctions, or suspension or disbarment.
- Working or contracting with governments, either directly or via our financial institution customers, can subject us to heightened reputational risks, including extensive scrutiny and publicity, as well as a potential association with the policies of a government as a result of a business arrangement with that government. Any negative publicity or negative association with a government entity, regardless of its accuracy, may adversely affect our reputation.

---

## Modified: Information security incidents or account data compromise events could disrupt our business, damage our reputation, increase our costs and cause losses.

**Key changes:**

- Reworded sentence: "Information security risks for payments and technology companies such as ours have significantly increased in recent years in part because of the proliferation of new technologies, the use of the Internet and telecommunications technologies to conduct financial transactions, and the increased sophistication and activities of organized crime, hackers, "hacktivists", terrorists, nation-states, state-sponsored actors and other external parties."
- Reworded sentence: "In addition, to access our products and services, our customers and account holders increasingly use personal smartphones, tablet PCs and other mobile devices that may be beyond our control."
- Reworded sentence: "Geopolitical events and resulting government activity could also lead to information security threats and attacks by affected or sympathizing jurisdictions or other actors, which could put our information and assets at risk, as well as result in network disruption."
- Reworded sentence: "However, future attacks or breaches could lead to security breaches of the networks, systems (including third-party provider systems) or devices that our customers use to access our products and services, which in turn could result in the unauthorized disclosure, release, gathering, monitoring, misuse, loss or destruction of confidential, proprietary, sensitive and personal information (including account data information) or data security compromises."
- Reworded sentence: "If such attacks are not detected immediately, or disclosed as required by law, their effect could be compounded."

**Prior (2023):**

Information security risks for payments and technology companies such as ours have significantly increased in recent years in part because of the proliferation of new technologies, the use of the Internet and telecommunications technologies to conduct financial transactions, and the increased sophistication and activities of organized crime, hackers, terrorists and other external parties. These threats may derive from fraud or malice on the part of our employees or third parties, or may result from human error or accidental technological failure. These threats include cyber-attacks such as computer viruses, malicious code (including ransomware), phishing attacks or information security breaches and could lead to the misappropriation of consumer account and other information and identity theft. These types of threats have risen significantly due to a significant portion of our workforce working in a remote or hybrid environment. Our operations rely on the secure processing, transmission and storage of confidential, proprietary and other information and technology in our computer systems and networks, as well as the systems of our third-party providers. Our customers and other parties in the payments value chain, as well as account holders, rely on our digital technologies, computer systems, software and networks to conduct their operations. In addition, to access our integrated products and services, our customers and account holders increasingly use personal smartphones, tablet PCs and other mobile devices that may be beyond our control. We, like other financial technology organizations, routinely are subject to cyber-threats and our technologies, systems and networks, as well as the systems of our third-party providers, have been subject to attempted cyber-attacks. Because of our position in the payments value chain, we believe that we are likely to continue to be a target of such threats and attacks. In response to U.S. and European sanctions against Russia earlier this year, we saw increased information security threats from state sponsored actors. Other geopolitical events and resulting government activity could also lead to information security threats and attacks by affected or sympathizing jurisdictions or other actors, which could put our information and assets at risk, as well as result in network disruption. To date, we have not experienced any material impact relating to cyber-attacks or other information security breaches. However, future attacks or breaches could lead to security breaches of the networks, systems (including third-party provider systems) or devices that our customers use to access our integrated products and services, which in turn could result in the unauthorized disclosure, release, gathering, monitoring, misuse, loss or destruction of confidential, proprietary and other information (including account data information) or data security compromises. Such attacks or breaches could also cause service interruptions, malfunctions or other failures in the physical infrastructure or operations systems that support our businesses and customers (such as the lack of availability of our value-added services), as well as the operations of our customers or other third parties. In addition, they could lead to damage to our reputation with our customers, other stakeholders and the broader payments ecosystem, additional costs to us (such as repairing systems, adding new personnel or protection technologies or compliance costs), regulatory penalties, financial losses to both us and our customers and partners and the loss of customers and business opportunities. These consequences could be further pronounced in jurisdictions in which we are deemed critical national infrastructure. If such attacks are not detected immediately, their effect could be compounded.
Despite various mitigation efforts that we undertake, there can be no assurance that we will be immune to these risks and not suffer material breaches and resulting losses in the future, or that our insurance coverage would be sufficient to cover all losses. Our risk and exposure to these matters remain heightened because of, among other things, the evolving nature of these threats, our prominent size and scale and our role in the global payments and technology industries, our plans to continue to implement our digital and mobile channel strategies and develop additional remote connectivity solutions to serve our customers and account holders when and how they want to be served, our global presence, our extensive use of third-party vendors and future joint venture and merger and acquisition opportunities. As a result, information security and the continued development and enhancement of our controls, processes and practices designed to protect our systems, computers, software, data and networks from attack, damage or unauthorized access remain a priority for us. As cyber-threats continue to evolve, we may be required to expend significant additional resources to continue to modify or enhance our protective measures or to investigate and remediate any information security vulnerabilities. Any of the risks described above could materially adversely affect our overall business and results of operations.

In addition to information security risks for our systems, we also routinely encounter account data compromise events involving merchants and third-party payment processors that process, store or transmit payment transaction data, which affect millions of Mastercard, Visa, Discover, American Express and other types of account holders.
Further events of this type may subject us to reputational damage and/or lawsuits involving payment products carrying our brands. Damage to our reputation or that of our brands resulting from an account data breach of either our systems or the systems of our customers, merchants and other third parties could decrease the use and acceptance of our integrated products and services. Such events could also slow or reverse the trend toward electronic payments. In addition to reputational concerns, the cumulative impact of multiple account data compromise events could increase the impact of the fraud resulting from such events by, among other things, making it more difficult to identify consumers. Moreover, while most of the lawsuits resulting from account data breaches do not involve direct claims against us and while we have releases from many issuers and acquirers, we could still face damage claims, which, if upheld, could materially and adversely affect our results of operations. Such events could have a material adverse impact on our transaction volumes, results of operations and prospects for future growth, or increase our costs by leading to additional regulatory burdens being imposed on us.

**Current (2024):**

Information security risks for payments and technology companies such as ours have significantly increased in recent years in part because of the proliferation of new technologies, the use of the Internet and telecommunications technologies to conduct financial transactions, and the increased sophistication and activities of organized crime, hackers, "hacktivists", terrorists, nation-states, state-sponsored actors and other external parties. These threats may derive from fraud or malice on the part of our employees or third parties, or may result from human error, software bugs, server malfunctions, software or hardware failure or other technological failure. These threats include cyber-attacks such as computer viruses, denial-of-service attacks, malicious code (including ransomware), social-engineering attacks (including phishing attacks) or information security breaches and could lead to the misappropriation or loss of consumer account and other information and identity theft. These types of threats have risen significantly due to a significant portion of our workforce working in a hybrid environment. These threats also may be further enhanced in frequency or effectiveness through threat actors' use of AI. Our operations rely on the secure transmission, storage and other processing of confidential, proprietary, sensitive and personal information and technology in our computer systems and networks, as well as the systems of our third-party providers. Our customers and other parties in the payments value chain, as well as account holders, rely on our digital technologies, computer systems, software and networks to conduct their operations. In addition, to access our products and services, our customers and account holders increasingly use personal smartphones, tablet PCs and other mobile devices that may be beyond our control. 
We, like other financial technology organizations, routinely are subject to cyber-threats and our technologies, systems and networks, as well as the systems of our third-party providers, have been subject to attempted cyber-attacks. Because of our position in the payments value chain, we believe that we are likely to continue to be a target of such threats and attacks. Geopolitical events and resulting government activity could also lead to information security threats and attacks by affected or sympathizing jurisdictions or other actors, which could put our information and assets at risk, as well as result in network disruption. To date, we have not experienced any material impact relating to cyber-attacks or other information security breaches. However, future attacks or breaches could lead to security breaches of the networks, systems (including third-party provider systems) or devices that our customers use to access our products and services, which in turn could result in the unauthorized disclosure, release, gathering, monitoring, misuse, loss or destruction of confidential, proprietary, sensitive and personal information (including account data information) or data security compromises. Such attacks or breaches could also cause service interruptions, malfunctions or other failures in the physical infrastructure, networks or operations systems that support our business and customers (such as the lack of availability of our value-added services), as well as the operations of our customers or other third parties. In addition, they could lead to damage to our reputation with our customers, other stakeholders and the broader payments ecosystem, additional costs to us (such as repairing systems, adding new personnel or protection technologies or compliance costs), regulatory penalties, financial losses to both us and our customers and partners and the loss of customers and business opportunities. 
These consequences could be further pronounced in jurisdictions in which we are deemed critical national infrastructure. If such attacks are not detected immediately, or disclosed as required by law, their effect could be compounded. In addition to information security risks for our systems and networks, we also routinely encounter account data compromise events involving merchants and third-party payment processors that process, store or transmit payment transaction data, which affect millions of Mastercard, Visa, Discover, American Express and other types of account holders. Further events of this type may subject us to reputational damage and/or lawsuits involving payment products carrying our brands. Damage to our reputation or that of our brands resulting from an account data breach of either our systems and networks or the systems and networks of our customers, merchants and other third parties could decrease the use and acceptance of our products and services. Such events could also slow or reverse the trend toward electronic payments. In addition to reputational concerns, the cumulative impact of multiple account data compromise events could increase the impact of the fraud resulting from such events by, among other things, making it more difficult to identify consumers. Moreover, while most of the lawsuits resulting from account data breaches do not involve direct claims against us and while we have releases from many issuers and acquirers, we could still face damage claims, which, if upheld, could materially and adversely affect our results of operations. While we offer cyber and intelligence products that are designed to prevent, detect and respond to fraud and cyber-attacks, there can be no assurance that such security solutions will perform as expected or address all possible security threats. 
Real or perceived defects, failures, errors or vulnerabilities in our security solutions, such as our cyber and intelligence products, could adversely impact our reputation, customer confidence in our solutions and our business and may subject us to litigation, governmental audits and investigation or other liabilities. Such events could have a material adverse impact on our transaction volumes, results of operations and prospects for future growth, or increase our costs by leading to additional regulatory burdens being imposed on us. In addition, fraudulent activity and increasing cyber-attacks have encouraged legislative and regulatory intervention, and could damage our reputation and reduce the use and acceptance of our products and services or increase our compliance costs. Criminals are using increasingly sophisticated methods to capture consumer personal information to engage in illegal activities such as counterfeiting or other fraud and may see their effectiveness enhanced by the use of AI. As outsourcing and specialization become common in the payments industry, there are more third parties involved in processing transactions using our payment products. While we are continuing to take measures to make card and digital payments more secure, increased fraud levels involving our products and services, or misconduct or negligence by third parties switching or otherwise servicing our products and services, could lead to legislative or regulatory intervention, such as enhanced security requirements and liabilities, as well as damage to our reputation. See "Risk Factors - Privacy, Data Protection, AI and Information Security Compliance" in this Part I, Item 1A for more detail concerning related legal risks and obligations. Despite various mitigation efforts that we undertake, there can be no assurance that we will not suffer material breaches and resulting losses in the future. 
While we maintain insurance coverage, such coverage may not be adequate to protect us from such losses as well as any liabilities or damages with respect to claims alleging compromises of our confidential, proprietary, sensitive or personal information or our technologies, systems or networks. In addition, we cannot be sure that our existing insurance coverage will continue to be available on acceptable terms or at all, or that our insurers will not deny coverage as to any future claim. Our risk and exposure to these matters remain heightened due to, among other things, the evolving nature of these threats, our prominent role in the global payments ecosystem, our continued implementation of our strategic priorities, our extensive use of third-party vendors and potential vulnerabilities from previous and future acquisitions, strategic investments or related opportunities. As a result, information security and the continued development and enhancement of our controls, processes and practices designed to protect our computer systems, software, data and networks from attack, damage or unauthorized access remain a priority for us. As cyber-threats continue to evolve, we may be required to expend significant additional resources to continue to modify or enhance our protective measures or to investigate and remediate any information security vulnerabilities. Any of the risks described above could materially adversely affect our overall business and results of operations.

---

## Modified: Substantial and intense competition worldwide in the global payments industry may materially and adversely affect our overall business and results of operations.

**Key changes:**

- Reworded sentence: "We compete against general purpose payments networks, debit and local networks, ACH and real-time account-based payments systems, digital wallets and other fintechs (focused on online activity across various channels and processing payments using in-house capabilities), government-backed networks and digital currencies."
- Reworded sentence: "Certain of our competitors to our core payment network operate three-party payments systems with direct connections to both merchants and consumers, potentially providing competitive advantages."
- Reworded sentence: "Certain of our competitors have developed alternative payments systems, e-commerce payments systems and payments systems for mobile devices, as well as physical store locations."
- Reworded sentence: "Our failure to compete effectively against any of the foregoing threats could materially and adversely affect our overall business and results of operations."

**Prior (2023):**

The global payments industry is highly competitive. Our payment programs compete against competitors both within and outside of the global payments industry and compete in all payment categories, including paper-based payments and all forms of electronic payments. We compete against general purpose payments networks, debit and local networks, ACH and real-time account-based payments systems, alternative payments systems and new entrants (focused on online activity across various channels and processing payments using in-house capabilities), government-backed networks and digital currencies. We also face competition from companies that provide alternatives to our value-added services and new adjacent network capabilities (including open banking and digital identity). Our traditional competitors may have substantially greater financial and other resources than we have, may offer a wider range of programs, services, and payment capabilities than we offer or may use more effective advertising and marketing strategies to achieve broader brand recognition and merchant acceptance than we have. They may also introduce their own innovative programs, value-added services and capabilities that adversely impact our growth. Certain of our competitors to our core payment network operate three-party payments systems with direct connections to both merchants and consumers and these competitors may derive competitive advantages from their business models. If we continue to attract more regulatory scrutiny than these competitors because we operate a four-party system, or we are regulated because of the system we operate in a way in which our competitors are not, we could lose business to these competitors. See "Business - Competition" in Part I, Item 1. New entrants against whom we compete have developed alternative payments systems, e-commerce payments systems and payments systems for mobile devices, as well as physical store locations. 
A number of these new entrants rely principally on technology to support their services that provides cost advantages, and as a result may enjoy lower costs than we do, which could put us at a competitive disadvantage. Our ability to compete may also be affected by regulatory and legislative initiatives, as well as the outcomes of litigation, competition-related regulatory proceedings and central bank activity and legislative activity. Moreover, the suspension of our business operations in Russia may provide the opportunity for competitors to grow their business and increase their market share and relative competitive position in other jurisdictions. If we are not able to differentiate ourselves from our competitors, drive value for our customers and/or effectively align our resources with our goals and objectives, we may not be able to compete effectively against these threats. Our failure to compete effectively against any of the foregoing competitive threats could materially and adversely affect our overall business and results of operations.

**Current (2024):**

The global payments industry is highly competitive. Our payment programs compete against competitors both within and outside of the global payments industry and compete in all payment categories, including paper-based payments and all forms of electronic payments. We compete against general purpose payments networks, debit and local networks, ACH and real-time account-based payments systems, digital wallets and other fintechs (focused on online activity across various channels and processing payments using in-house capabilities), government-backed networks and digital currencies. We also face competition from companies that provide alternatives to our value-added services and new adjacent network capabilities (including open banking and digital identity). Our traditional competitors may have substantially greater financial and other resources than we have, may offer a wider range of programs, services, and payment capabilities than we offer or may use more effective advertising and marketing strategies to achieve broader brand recognition and merchant acceptance than we have. They may also introduce their own innovative programs, value-added services and capabilities that adversely impact our growth. Certain of our competitors to our core payment network operate three-party payments systems with direct connections to both merchants and consumers, potentially providing competitive advantages. If we continue to attract more regulatory scrutiny than these competitors because we operate a four-party system, or we are regulated because of the system we operate in a way in which our competitors are not, we could lose business to these competitors. See "Business - Competition" in Part I, Item 1. Certain of our competitors have developed alternative payments systems, e-commerce payments systems and payments systems for mobile devices, as well as physical store locations. 
A number of these competitors rely principally on technology to support their services that provides cost advantages, and as a result may enjoy lower costs than we do. Many of these competitors are also able to use existing payment networks without being subject to many of the associated costs. Moreover, these competitors also occupy various roles in the payments ecosystem that enable them to influence payment choice of other participants. Any of these factors could put us at a competitive disadvantage. Our ability to compete may also be affected by regulatory and legislative initiatives, as well as the outcomes of litigation, competition-related regulatory proceedings and both central bank and legislative activity. If we are not able to differentiate ourselves from our competitors, drive value for our customers and/or effectively align our resources with our goals and objectives, we may not be able to compete effectively against these threats. Our failure to compete effectively against any of the foregoing threats could materially and adversely affect our overall business and results of operations.

---

## Modified: Global economic, political, financial and societal events or conditions could result in a material and adverse impact on our overall business and results of operations.

**Key changes:**

- Reworded sentence: "Such impact may include, but is not limited to, the following: •Customers mitigating their economic exposure by limiting the issuance of new Mastercard products and requesting greater incentive or greater cost stability from us •Consumers and businesses lowering spending, which could impact domestic and cross-border spend •Debt limit and budgetary discussions in the U.S."
- Reworded sentence: "These include or have included: •the global COVID-19 pandemic (and the potential of any post-pandemic global economic impact) and potential separate outbreaks of flu, viruses and other diseases (any of which could result in future epidemics or pandemics) •current and potential future geopolitical conflicts, as well as expansion into regional or global conflicts, and the resulting impacts to our business (this includes Russia's invasion of Ukraine and the actions taken by the U.S., the EU, other governments and Mastercard in response) •the threat of terrorism and major environmental and extreme weather events (including those related to climate change) The impact of and uncertainty that could result from any of these events or factors could ultimately decrease cross-border activity."
- Reworded sentence: "In addition to the cross-border impacts described above, our compliance with sanctions and our decision to suspend our business operations in Russia has led, and could further lead, to other legal ramifications and operational challenges, including fines, the nationalization of our subsidiary and any resulting impacts, and/or lawsuits."
- Reworded sentence: "Factors such as those discussed above have adversely impacted our business, results of operations and financial condition, and any of these developments potentially could have a material adverse impact on our overall business and results of operations."

**Prior (2023):**

Adverse economic trends. Adverse economic trends in key countries in which we operate may adversely affect our financial performance. Such impact may include, but is not limited to, the following:

- Customers mitigating their economic exposure by limiting the issuance of new Mastercard products and requesting greater incentive or greater cost stability from us
- Consumers and businesses lowering spending, which could impact domestic and cross-border spend
- Government intervention (including the effect of laws, regulations and/or government investments on or in our financial institution customers), as well as uncertainty due to changing political regimes in executive, legislative and/or judicial branches of government, that may have potential negative effects on our business and our relationships with customers or otherwise alter their strategic direction away from our products
- Tightening of credit availability that could impact the ability of participating financial institutions to lend to us under the terms of our credit facility

Cross-border transactions. We switch substantially all cross-border transactions using Mastercard, Maestro and Cirrus-branded cards and generate a significant amount of revenue from cross-border volume fees and fees related to switched transactions. Revenue from switching cross-border and currency conversion transactions for our customers fluctuates with the levels and destinations of cross-border travel and our customers' need for transactions to be converted into their base currency. Cross-border activity has, and may continue to be, adversely affected by world geopolitical, economic, health, weather and other conditions. These include COVID-19, as well as the threat of terrorism and separate outbreaks of flu, viruses and other diseases (any of which could result in future epidemics or pandemics), as well as major environmental and extreme weather events, including those related to climate change. 
The impact of and uncertainty that could result from any of these events or factors could ultimately decrease cross-border activity. Additionally, any regulation of interregional interchange fees could also negatively impact our cross-border activity (for example, the targets announced by the G20 Financial Stability Board related to cross-border payments). In each case, decreased cross-border activity could decrease the revenue we receive. Russia's invasion of Ukraine. In response to the Russian invasion of Ukraine, the United States, the European Union and other governments imposed sanctions and other restrictive measures on certain Russian-related entities and individuals and we suspended our business operations in Russia. We have experienced loss of revenue in this fast-growing market as a result of both the implementation of sanctions and the suspension of our business operations, as well as related impacts in Ukraine and throughout the region. Future developments (including the expansion or extension of the war, future sanctions and/or actions taken by others globally, and other macroeconomic factors) could result in further negative impacts on our business and financial results. As customers, merchants and other business partners are impacted by the invasion, it can further negatively affect the environment in which we operate. Moreover, our compliance with sanctions and our decision to suspend business operations has led, and could further lead, to other legal ramifications and operational challenges, including fines, the nationalization of our subsidiary and any resulting impacts, and/or lawsuits. Standards. Our operations as a global payments network rely in part on global interoperable standards to help facilitate safe and simple payments. 
To the extent geopolitical events result in jurisdictions no longer participating in the creation or adoption of these standards, or the creation of competing standards, the products and services we offer could be negatively impacted. Any of these developments could have a material adverse impact on our overall business and results of operations.

**Current (2024):**

Adverse economic trends. Adverse economic trends in key countries in which we operate may adversely affect our financial performance. Such impact may include, but is not limited to, the following:

- Customers mitigating their economic exposure by limiting the issuance of new Mastercard products and requesting greater incentive or greater cost stability from us
- Consumers and businesses lowering spending, which could impact domestic and cross-border spend
- Debt limit and budgetary discussions in the U.S. has affected, and could further affect, the U.S. credit rating, impacting consumer confidence and spending
- Government intervention (including the effect of laws, regulations and/or government investments on or in our financial institution customers), as well as uncertainty due to changing political regimes in executive, legislative and/or judicial branches of government, that may have potential negative effects on our business and our relationships with customers or otherwise alter their strategic direction away from our products
- Tightening of credit availability that could impact the ability of participating financial institutions to lend to us under the terms of our credit facility

Cross-border transactions. We switch substantially all cross-border transactions using Mastercard, Maestro and Cirrus-branded cards and generate a significant amount of revenue from cross-border volume fees and fees related to switched transactions. Revenue from switching cross-border and currency conversion transactions for our customers fluctuates with the levels and destinations of cross-border travel and our customers' need for transactions to be converted into their base currency. Cross-border activity has, and may continue to be, adversely affected by world geopolitical, economic, health, weather and other conditions. 
These include or have included:

- the global COVID-19 pandemic (and the potential of any post-pandemic global economic impact) and potential separate outbreaks of flu, viruses and other diseases (any of which could result in future epidemics or pandemics)
- current and potential future geopolitical conflicts, as well as expansion into regional or global conflicts, and the resulting impacts to our business (this includes Russia's invasion of Ukraine and the actions taken by the U.S., the EU, other governments and Mastercard in response)
- the threat of terrorism and major environmental and extreme weather events (including those related to climate change)

The impact of and uncertainty that could result from any of these events or factors could ultimately decrease cross-border activity. Additionally, any regulation of interregional interchange fees could also negatively impact our cross-border activity (for example, the targets announced by the G20 Financial Stability Board related to cross-border payments). In each case, decreased cross-border activity could decrease the revenue we receive. Russia's invasion of Ukraine. In addition to the cross-border impacts described above, our compliance with sanctions and our decision to suspend our business operations in Russia has led, and could further lead, to other legal ramifications and operational challenges, including fines, the nationalization of our subsidiary and any resulting impacts, and/or lawsuits. Standards. Our operations as a global payments network rely in part on global interoperable standards to help facilitate safe and simple payments. To the extent geopolitical events result in jurisdictions no longer participating in the creation or adoption of these standards, or the creation of competing standards, the products and services we offer could be negatively impacted. 
Factors such as those discussed above have adversely impacted our business, results of operations and financial condition, and any of these developments potentially could have a material adverse impact on our overall business and results of operations.

---

## Modified: Mastercard Foundation's substantial stock ownership, and restrictions on its sales, may impact corporate actions or acquisition proposals favorable to, or favored by, the other public stockholders.

**Key changes:**

- Reworded sentence: "As of February 8, 2024, Mastercard Foundation owned 97,543,508 shares of Class A common stock, representing approximately 10.5% of our general voting power."
- Reworded sentence: "The ownership of Class A common stock by Mastercard Foundation, together with the seven-year diversification plan, could discourage or make more difficult acquisition proposals favored by the other holders of the Class A common stock."

**Prior (2023):**

As of February 8, 2023, Mastercard Foundation owned 101,253,283 shares of Class A common stock, representing approximately 10.7% of our general voting power. Currently, Mastercard Foundation may not sell or otherwise transfer its shares of Class A common stock prior to May 1, 2027, except to the extent necessary to satisfy its charitable disbursement requirements, for which purpose earlier sales are permitted and have occurred. Based on that timing, Mastercard Foundation would be permitted to sell all of its remaining shares beginning May 1, 2027, subject to certain conditions. The directors of Mastercard Foundation are required to be independent of us and our customers. The ownership of Class A common stock by Mastercard Foundation, together with the restrictions on transfer, could discourage or make more difficult acquisition proposals favored by the other holders of the Class A common stock. In addition, because Mastercard Foundation is restricted from selling its shares for an extended period of time, it may not have the same interest in short or medium-term movements in our stock price as, or incentive to approve a corporate action that may be favorable to, our other stockholders.

**Current (2024):**

As of February 8, 2024, Mastercard Foundation owned 97,543,508 shares of Class A common stock, representing approximately 10.5% of our general voting power. Historically, Mastercard Foundation had been restricted from selling or otherwise transferring its shares of Class A common stock prior to May 1, 2027, except to the extent necessary to satisfy its charitable disbursement requirements, for which purpose earlier sales were permitted and had occurred. In July 2023, pursuant to an application in consultation with Mastercard, Mastercard Foundation received court approval to advance that date to January 1, 2024. As a result, Mastercard Foundation is now permitted to sell all or part of its remaining shares, subject to certain conditions. Mastercard Foundation would do so pursuant to an orderly and structured plan to diversify its Mastercard shares over a seven-year period, while remaining a long-term Mastercard stockholder and retaining a significant holding of Mastercard shares in its portfolio. The directors of Mastercard Foundation are required to be independent of us and our customers. The ownership of Class A common stock by Mastercard Foundation, together with the seven-year diversification plan, could discourage or make more difficult acquisition proposals favored by the other holders of the Class A common stock. In addition, because Mastercard Foundation intends to sell its shares over an extended period of time, it may not have the same interest in short or medium-term movements in our stock price as, or incentive to approve a corporate action that may be favorable to, our other stockholders.

---

## Modified: Global regulatory and legislative activity related to the payments industry may have a material adverse impact on our overall business and results of operations.

**Key changes:**

- Reworded sentence: "Central banks and similar regulatory bodies have increasingly established or further expanded their authority over certain aspects of payments systems such as ours, including obligations or restrictions with respect to the types of products and services that we may offer, the countries in which our products and services may be used, the way we structure and operate our business and the types of consumers and merchants who can obtain or accept our products or services."
- Reworded sentence: "This type of regulation and oversight is related to switching activities (authorization, clearing and settlement), and includes policies, procedures and requirements related to risk management, collateral, participant default, timely switching of financial transactions, and capital and financial resources."
- Reworded sentence: "In addition, any regulation that is enacted related to the type and level of network fees we charge our customers could also materially and adversely impact our results of operations."
- Removed sentence: "Such changes could lead to new or different criteria for participation in and access to our payments system by financial institutions or other customers."

**Prior (2023):**

Jurisdictions increasingly have regulated or established and expanded authority over certain aspects of payments systems such as ours, or have sought to do so. These efforts established, and potentially further expand, obligations or restrictions with respect to the types of products and services that we may offer, the countries in which our integrated products and services may be used, the way we structure and operate our business and the types of consumers and merchants who can obtain or accept our products or services. New regulations and oversight could also relate to our clearing and settlement activities (including policies, procedures and requirements related to risk management, collateral, participant default, timely switching of financial transactions, and capital and financial resource). Several jurisdictions have also inquired about the network fees we charge to our customers (in some cases as part of broader market reviews of retail payments). Several central banks or similar regulatory bodies around the world have also increased, or are seeking to increase, their formal oversight of the electronic payments industry. In several jurisdictions, we have been designated as a "systemically important payment system", with other regulators considering similar designations. Parts of our business have also been deemed as a "specified service provider" and considered critical national infrastructure. These obligations, designations and restrictions result in heightened regulatory oversight and scrutiny. They may further expand and could conflict with each other as more jurisdictions impose oversight of payments systems. Moreover, these efforts may influence the approaches of other regulators around the world that are increasingly looking to replicate similar regulation of payments and other industries. 
Similarly, jurisdictions that regulate a particular product may extend their regulation to similar products (for example, debit regulations could lead to regulation of credit products or network fees). As a result, the risks to our business created by any one new law or regulation are magnified by the potential it has to be replicated in other jurisdictions or involve other products within any particular jurisdiction. The expansion of our products and services as part of our multi-rail strategy have also created the need for us to obtain new types and increasing numbers of regulatory licenses, resulting in increased supervision and additional compliance burdens distinct from those imposed on our core payment network activities. For example, certain of our subsidiaries maintain money transfer licenses to support certain activities. These licenses typically impose supervisory and examination requirements, as well as capital, safeguarding, risk management and other business obligations. Increased regulation and oversight of payments systems, as well as increased exposure to regulation resulting from changes to our products and services, have resulted and may continue to result in significant compliance and governance burdens or otherwise increase our costs. As a result, customers could be less willing to participate in our payments system and/or use our other products or services, reduce the benefits offered in connection with the use of our products (making our products less desirable to consumers), reduce the volume of domestic and cross-border transactions or other operational metrics, disintermediate us, impact our profitability and/or limit our ability to innovate or offer differentiated products and services, all of which could materially and adversely impact our financial performance. 
In addition, any regulation that is enacted related to the type and level of network fees we charge our customers could also materially and adversely impact our results of operations. Regulators could also require us to obtain prior approval for changes to our system rules, procedures or operations, or could require customization with regard to such changes, which could negatively impact us. Such changes could lead to new or different criteria for participation in and access to our payments system by financial institutions or other customers. Moreover, failure to comply with the laws and regulations to which we are subject could result in fines, sanctions, civil damages or other penalties, which could materially and adversely affect our overall business and results of operations, as well as have an impact on our brand and reputation.

**Current (2024):**

Central banks and similar regulatory bodies have increasingly established or further expanded their authority over certain aspects of payments systems such as ours, including obligations or restrictions with respect to the types of products and services that we may offer, the countries in which our products and services may be used, the way we structure and operate our business and the types of consumers and merchants who can obtain or accept our products or services. Similarly, jurisdictions that regulate a particular product may consider extending their jurisdiction to other products. For example, debit regulations could lead to regulation of credit products. Moreover, several jurisdictions are demonstrating increased interest about the network fees we charge to our customers (in some cases as part of broader market reviews of retail payments), which could in the future lead to regulation of our network fees. In several jurisdictions, we have been designated as a "systemically important payment system", with other regulators considering similar designations. This type of regulation and oversight is related to switching activities (authorization, clearing and settlement), and includes policies, procedures and requirements related to risk management, collateral, participant default, timely switching of financial transactions, and capital and financial resources. Parts of our business have also been deemed as a "specified service provider" or considered "critical infrastructure". The impact to our business created by any new law, regulation or designation is magnified by the potential it has to be replicated in, or conflict with, other jurisdictions, or involve other products within any particular jurisdiction. 
The expansion of our products and services as part of our multi-rail strategy has also created the need for us to obtain new types and increasing numbers of regulatory licenses, resulting in increased supervision and additional compliance burdens distinct from those imposed on our core payment network activities. For example, certain of our subsidiaries maintain money transfer licenses to support certain activities. These licenses typically impose supervisory and examination requirements, as well as capital, safeguarding, risk management and other business obligations. Increased regulation and oversight of payments systems, as well as increased exposure to regulation resulting from changes to our products and services, have resulted and may continue to result in significant compliance and governance burdens or otherwise increase our costs. As a result, customers could be less willing to participate in our payments system and/or use our other products or services, reduce the benefits offered in connection with the use of our products (making our products less desirable to consumers), reduce the volume of domestic and cross-border transactions or other operational metrics, disintermediate us, impact our profitability and/or limit our ability to innovate or offer differentiated products and services, all of which could materially and adversely impact our financial performance. In addition, any regulation that is enacted related to the type and level of network fees we charge our customers could also materially and adversely impact our results of operations. Regulators could also require us to obtain prior approval for changes to our system rules, procedures or operations, or could require customization with regard to such changes, which could negatively impact us.
Moreover, failure to comply with the laws and regulations to which we are subject could result in fines, sanctions, civil damages or other penalties, which could materially and adversely affect our overall business and results of operations, as well as have an impact on our brand and reputation.

---

## Modified: We may not be able to attract and retain a highly qualified and diverse workforce, or maintain our corporate culture, which could harm our overall business and results of operations.

**Key changes:**

- Reworded sentence: "Our performance largely depends on the skills, capabilities and motivation of our employees (including our people leaders), as well as the environment we create for them to enable them to perform their jobs effectively."
- Reworded sentence: "Further, changes in and enforcement of immigration and work permit laws and visa regulations have made it difficult for employees to work in, or transfer among, jurisdictions where we operate, potentially impairing our ability to attract and retain talent."

**Prior (2023):**

Our performance largely depends on the talents and efforts of our employees (including our people leaders), as well as the environment we create for them to enable them to perform their jobs effectively. The market for specialized skill-sets is highly competitive, particularly in technology and other areas that are important to the growth of our business. Our inability to meet candidate demands has led in recent years, and may continue to lead, to an increase in declined offers. In addition, high inflation has impacted both cost structure and employee demand for wage growth, which may lead to talent attrition. Moreover, changes in and enforcement of immigration and work permit laws and visa regulations have made it difficult for employees to work in, or transfer among, jurisdictions where we operate, potentially impairing our ability to attract and retain talent. In the wake of the global COVID-19 pandemic and the influence of work flexibility on candidate decisions, we have adapted our policies and practices to allow for flexible team-driven work arrangements (including both remote and hybrid). This approach may impact the nature of relationships among our workforce, which in turn could have a negative impact on the quality of our corporate culture and our ability to innovate. To the extent the arrangements we provide do not meet candidate or employee expectations for flexibility, this could also impact our ability to attract and retain talent. Failure to attract, hire, develop, motivate and retain highly qualified and diverse employee talent could leave us vulnerable to not anticipating or identifying emerging customer or market opportunities. We also rely on our people leaders to display integrity and decency.
To the extent our leaders behave in a manner that is not consistent with our values, we could experience significant impact to our brand and reputation, as well as to our corporate culture. Any one or more of the above could harm our overall business and results of operations.

**Current (2024):**

Our performance largely depends on the skills, capabilities and motivation of our employees (including our people leaders), as well as the environment we create for them to enable them to perform their jobs effectively. While attrition and pace of hiring has slowed due to economic uncertainty, the market for specialized skill-sets remains highly competitive, particularly in technology and other areas that are important to the growth of our business. To the extent we are unable to differentiate our value proposition in the market, effectively develop leaders and build robust succession pipelines, it could impact our ability to deliver for our customers. To the extent we cannot design our processes and practices to support equitable outcomes, our ability to attract talent may be significantly impacted and we may experience talent attrition. In addition, escalations in global conflict and a rise in mental health needs are also impacting the well-being of our people. To the extent we are unable to communicate effectively on these issues and provide support to our employees, we could experience a significant impact on our business, reputation and culture. Further, changes in and enforcement of immigration and work permit laws and visa regulations have made it difficult for employees to work in, or transfer among, jurisdictions where we operate, potentially impairing our ability to attract and retain talent. Our flexibility policies and programs (in particular, those related to work arrangements) may impact the well-being and productivity of our workforce, which in turn could have a negative impact on the quality of our corporate culture and our ability to innovate.
To the extent these policies (including our team-based agreements) do not meet candidate or employee expectations for flexibility, this could also impact our ability to attract and retain talent. Failure to attract, hire, develop, motivate and retain highly qualified and diverse employee talent could leave us vulnerable to not anticipating or identifying emerging customer or market opportunities. We also rely on our people leaders to display integrity and decency. To the extent our leaders behave in a manner that is not consistent with our values, we could experience significant impact to our brand and reputation, as well as to our corporate culture. Any one or more of the above could harm our overall business and results of operations.

---

## Modified: Our role as guarantor, as well as other contractual obligations and discretionary actions, expose us to risk of loss or illiquidity.

**Key changes:**

- Reworded sentence: "We are a guarantor of certain third-party obligations, including those of certain of our customers and service providers."
- Reworded sentence: "The recent increased speed of bank failures as recently seen in the U.S. could increase the potential for such losses."

**Prior (2023):**

We are a guarantor of certain third-party obligations, including those of certain of our customers. In this capacity, we are exposed to credit and liquidity risk from these customers and certain service providers. We may incur significant losses in connection with transaction settlements if a customer fails to fund its daily settlement obligations due to technical problems, liquidity shortfalls, insolvency or other reasons. Concurrent settlement failures of more than one of our larger customers or of several of our smaller customers either on a given day or over a condensed period of time may exceed our available resources and could materially and adversely affect our results of operations. We have significant contractual indemnification obligations with certain customers. Should an event occur that triggers these obligations, such an event could materially and adversely affect our overall business and results of operations.

**Current (2024):**

We are a guarantor of certain third-party obligations, including those of certain of our customers and service providers. In this capacity, we are exposed to credit and liquidity risk. We may incur significant losses in connection with transaction settlements if a customer fails to fund its daily settlement obligations due to technical problems, liquidity shortfalls, insolvency or other reasons. The recent increased speed of bank failures as recently seen in the U.S. could increase the potential for such losses. Concurrent settlement failures of more than one of our larger customers or of several smaller customers either on a given day or over a condensed period of time may exceed our available resources. Additionally, certain non-guaranteed transactions as well as chargebacks to acquirers in the event of acquirer default could result in elevated brand risk and the potential for financial loss. These impacts could materially and adversely affect our results of operations. We have significant contractual indemnification obligations with certain customers. Should an event occur that triggers these obligations, such an event could materially and adversely affect our overall business and results of operations.

---

## Modified: Regulation and enforcement of privacy, data, AI, information security and the digital economy could increase our costs and lead to legal claims and fines, as well as negatively impact our growth and reputation.

**Key changes:**

- Reworded sentence: "We are subject to increasingly complex, fragmented and divergent laws and regulations related to privacy and data protection, data use and governance, AI and information security in the jurisdictions in which we do business."
- Reworded sentence: "In addition, these requirements may increase the costs to our customers of issuing payment products or using information products, which may, in turn, decrease the number of our products that they offer."
- Removed sentence: "In addition, fraudulent activity and increasing cyberattacks have encouraged legislative and regulatory intervention, and could damage our reputation and reduce the use and acceptance of our integrated products and services or increase our compliance costs."
- Removed sentence: "Criminals are using increasingly sophisticated methods to capture consumer personal information to engage in illegal activities such as counterfeiting or other fraud."
- Removed sentence: "As outsourcing and specialization become common in the payments industry, there are more third parties involved in processing transactions using our payment products."

**Prior (2023):**

We are subject to increasingly complex regulations related to privacy, data and information security in the jurisdictions in which we do business. These regulations could result in negative impacts to our business. As we continue to develop integrated and personalized products and services to meet the needs of a changing marketplace (as well as acquire new companies), we have expanded our information profile through the collection of additional data from additional sources and across multiple channels. This expansion has amplified the impact of these regulations on our business. This regulation requires monitoring of and changes to our data practices in regard to the collection, use, disclosure, storage, transfer and/or protection of personal and sensitive information, as well as increased care in our data management, governance and quality practices. We are also subject to enhanced compliance and operational requirements in the European Union, and policymakers around the globe are or are considering adopting new or updated privacy laws that have resulted or could result in similar or stricter requirements in other jurisdictions. For example, some jurisdictions have implemented or are otherwise considering requirements to collect, process and/or store data within their borders, as well as prohibitions on the transfer of data abroad, leading to technological and operational implications. Other jurisdictions have adopted or are otherwise considering adopting sector-specific regulations for the payments industry, including forced data sharing requirements or additional verification requirements, as well as regulations on artificial intelligence and data governance, that overlap or conflict with, or diverge from, general privacy rules. 
Failure to comply with these laws, regulations and requirements could result in fines, sanctions or other penalties, which could materially and adversely affect our results of operations and overall business, as well as have an impact on our reputation. New requirements or changing interpretations of existing requirements in these areas, or the development of new regulatory schemes related to the digital economy in general, may also increase our costs and/or restrict our ability to leverage data for innovation. This could impact the products and services we offer and other aspects of our business, such as fraud monitoring, the need for improved data management, governance and quality practices, the development of information-based products and solutions, and technology operations. In addition, these requirements may increase the costs to our customers of issuing payment products, which may, in turn, decrease the number of our payment products that they issue. Moreover, due to account data compromise events and privacy abuses by other companies, as well as the disclosure of monitoring activities by certain governmental agencies in combination with the use of artificial intelligence and new technologies, there has been heightened legislative and regulatory scrutiny around the world that could lead to further regulation and requirements and/or future enforcement. Those developments have also raised public attention on companies' data practices and have changed consumer and societal expectations for enhanced privacy and data protection. While we make every effort to comply with all regulatory requirements and we deploy a Privacy by Design and Data by Design approach to all of our product development, the speed and pace of changes in laws (as well as stakeholder interests) may not allow us to meet rapidly evolving regulatory and stakeholder expectations. Any of these developments could materially and adversely affect our overall business and results of operations. 
In addition, fraudulent activity and increasing cyberattacks have encouraged legislative and regulatory intervention, and could damage our reputation and reduce the use and acceptance of our integrated products and services or increase our compliance costs. Criminals are using increasingly sophisticated methods to capture consumer personal information to engage in illegal activities such as counterfeiting or other fraud. As outsourcing and specialization become common in the payments industry, there are more third parties involved in processing transactions using our payment products. While we are taking measures to make card and digital payments more secure, increased fraud levels involving our integrated products and services, or misconduct or negligence by third parties switching or otherwise servicing our integrated products and services, could lead to legislative or regulatory intervention, such as enhanced security requirements and liabilities, as well as damage to our reputation.

**Current (2024):**

We are subject to increasingly complex, fragmented and divergent laws and regulations related to privacy and data protection, data use and governance, AI and information security in the jurisdictions in which we do business. While policymakers around the globe look to the EU and the GDPR when adopting new or updated privacy and data protection laws, divergences have occurred and continue to occur. As a result, new or updated privacy and data protection and information security laws and regulations have led, and may continue to lead, to similar, stricter or at times conflicting requirements, creating an uncertain regulatory environment. For example, some jurisdictions have implemented or are otherwise considering requirements to collect, store and/or process data within their borders, as well as prohibitions on the transfer of data abroad, leading to technological and operational implications. Other jurisdictions have adopted or are otherwise considering adopting sector-specific regulations for the payments industry and other industries in which we participate, including forced data sharing requirements or additional verification requirements. In addition, laws and regulations on AI, data governance and credit decisioning may overlap or conflict with, or diverge from, general privacy rules. Overall, these myriad laws and regulations may require us to modify our data processing practices and policies, incur substantial compliance-related costs and expenses, and otherwise suffer adverse impacts on our business. Failure to comply with any of these laws, regulations and requirements could result in fines, sanctions or other enforcement actions or penalties, which could materially and adversely affect our results of operations and overall business, as well as have an impact on our reputation. 
As a user and deployer of AI technology, we are also subject to increasing and evolving laws and regulations related to AI governance and new applications of existing laws and regulations to AI. How our use and deployment of AI will be regulated remains uncertain given the uncertainty that exists as to how AI technology will develop. In addition, the use of AI creates or amplifies risks that are challenging to fully prevent or mitigate. In particular, AI algorithms may generate inaccurate, unintended, unfair or discriminatory outcomes, which may not be easily detectable or explainable, and may inadvertently breach intellectual property, privacy or other rights, as well as confidential information. Our implementation of robust AI governance and risk management frameworks aimed at complying with emerging laws and regulations may not be sufficient protection against these emerging risks. Further, as we acquire new companies and develop integrated and personalized products and services to meet the needs of a changing marketplace, we have expanded our data profile through additional data types and sources, across multiple channels, and involving new partners. This expansion has amplified the impact of these various laws and regulations on our business. As a result, we are required to constantly monitor our data practices and potentially change them when necessary or appropriate. We also need to provide increased care in our data management, governance and quality practices, particularly as it relates to the use of data in products leveraging AI. New requirements or changing interpretations of existing requirements in these areas, or the development of new regulatory schemes related to the digital economy in general, may also increase our costs and/or restrict our ability to leverage data or use AI for innovation. 
This could impact the products and services we offer and other aspects of our business, such as fraud monitoring, the need for improved data management, governance and quality practices, the development of information-based products and solutions, and technology operations. In addition, these requirements may increase the costs to our customers of issuing payment products or using information products, which may, in turn, decrease the number of our products that they offer. While we intend to comply with all regulatory requirements, innovate responsibly and deploy Privacy by Design, Data by Design and AI Governance approaches to all of our product development, the speed and pace of changes in laws (as well as stakeholder interests) may not allow us to meet rapidly evolving regulatory and stakeholder expectations. Any of these developments could materially and adversely affect our overall business and results of operations.

---

*Data sourced from SEC EDGAR. Last updated 2026-05-10.*