Visa Inc.: 10-K Risk Factor Changes

2024 vs 2023  ·  SEC EDGAR  ·  2026-05-10
⚠ AI-Generated

The summary below was generated by an AI language model and may contain errors or omissions. All other content on this page is deterministically extracted from the original SEC EDGAR filing.

Visa's 2024 10-K modified five risk factors without adding or removing any, indicating refined rather than expanded risk disclosure. The most significant changes involved strengthening language around cybersecurity threats, client acquisition costs, macroeconomic sensitivity, tax compliance exposure, and data privacy regulations. These modifications reflect Visa's reassessment of existing operational and regulatory risks rather than identification of new threat categories.

✓ Deterministic extraction — no AI-generated data

Classification is based on semantic text similarity scoring and may include approximations. “No match” means no high-confidence textual match was found — not necessarily that a section was removed.

New Risks: 0 · Removed: 0 · Modified: 5 · Unchanged: 16

🟡 Modified

A disruption, failure or breach of our networks or systems, including as a result of cyber incidents or attacks, could harm our business.

high match confidence

Sentence-level differences:

  • Reworded sentence: "Our cybersecurity and processing systems, as well as those of financial institutions, merchants and third-party service providers, have experienced and may continue to experience errors, interruptions, delays or damage from a number of causes, including power outages, hardware, software and network failures, computer viruses, ransomware, malware or other destructive software, AI technologies by bad actors, internal design, manual or user errors, cyber attacks, terrorism, political tensions, war or other military conflicts, or civil unrest, security breaches of our physical premises, workplace violence or wrongdoing, catastrophic events, natural disasters, severe weather conditions and other effects from climate change."
  • Reworded sentence: "Furthermore, our visibility and role in the global payments industry also puts our company at a greater risk of being targeted by hackers."
  • Reworded sentence: "We are also aware of instances where governments have directed or sponsored attacks against some of our financial institution clients, and other instances where merchants and issuers have encountered substantial data security breaches affecting their customers, some of whom were Visa account holders."
  • Reworded sentence: "For example, cybercriminals have increasingly demonstrated advanced capabilities, such as use of zero-day vulnerabilities, and rapid integration of new technology such as generative AI are being used by threat actors to create sophisticated attacks that are increasingly automated, targeted, and more difficult to defend against."
  • Reworded sentence: "With the often short timeframes required for cyber incident reporting, there is a risk that Visa or its third-party service providers will fail to meet the reporting deadlines for any given incident."

Current (2024):

Our cybersecurity and processing systems, as well as those of financial institutions, merchants and third-party service providers, have experienced and may continue to experience errors, interruptions, delays or damage from a number of causes, including power outages, hardware, software and network failures, computer viruses, ransomware, malware or other destructive software, AI technologies by bad actors, internal design, manual or user errors, cyber attacks, terrorism, political tensions, war or other military conflicts, or civil unrest, security breaches of our physical premises, workplace violence or wrongdoing, catastrophic events, natural disasters, severe weather conditions and other effects from climate change. In addition, there is risk that third-party suppliers of hardware and infrastructure required to operate our data centers and support employee productivity could be impacted by supply chain disruptions, such as manufacturing, shipping delays, and service disruption due to cyber attacks. An extended supply chain or service disruption could also impact processing or delivery of technology services. Furthermore, our visibility and role in the global payments industry also puts our company at a greater risk of being targeted by hackers. In the normal course of our business, we have been the target of malicious cyber activity. We have been, and may continue to be, impacted by attacks and data security breaches of financial institutions, merchants, and third-party service providers. We are also aware of instances where governments have directed or sponsored attacks against some of our financial institution clients, and other instances where merchants and issuers have encountered substantial data security breaches affecting their customers, some of whom were Visa account holders. 
Given the increase in online banking, ecommerce and other online activity, we continue to see increased cyber and payment fraud activity, as cybercriminals attempt phishing and social engineering scams, distributed denial of service attacks and other disruptive actions. Overall, such attacks and breaches have resulted, and may continue to result in, fraudulent activity and ultimately, financial losses to Visa’s financial institution clients, merchants or third-party service providers. Numerous and evolving cybersecurity threats, including advanced and persistent cyber attacks, targeted attacks against our employees and trusted partners, insider threats, social engineering threats, such as phishing or deepfake schemes, including those using synthetic media, could compromise the confidentiality, availability and integrity of data in our systems, particularly on our internet-facing applications, or the systems of our third-party service providers. Because the tactics, techniques and procedures used to obtain unauthorized access, or to disable or degrade systems change frequently, have become increasingly more complex and sophisticated, and may be difficult to detect for periods of time, we may not anticipate these acts or respond adequately or timely. For example, cybercriminals have increasingly demonstrated advanced capabilities, such as use of zero-day vulnerabilities, and rapid integration of new technology such as generative AI are being used by threat actors to create sophisticated attacks that are increasingly automated, targeted, and more difficult to defend against.
The security measures and procedures we, our financial institution and merchant clients, other merchants and third-party service providers in the payments ecosystem have in place to protect sensitive consumer data and other information may not be implemented effectively, may differ in scope and complexity across different ecosystem participants, or may not be successful or sufficient to counter all data security breaches, cyber incidents and attacks or system failures. In some cases, the mitigation efforts may be dependent on third parties who may not follow the required contractual standards, who may not be able to timely patch vulnerabilities or fix security defects, or whose hardware, software or network services may be subject to error, defect, delay, outage or lack appropriate malware prevention to prevent breaches or data exfiltration incidents. Cyber incidents and attacks can have cascading impacts that unfold with increasing speed across our internal networks and systems and those of our partners and clients. Despite our security measures and programs to protect our systems and data, and prevent, detect and respond to data security incidents, there can be no assurance that our efforts will prevent all such threats. In addition, as a global financial services company, Visa is increasingly subject to complex and varied cybersecurity regulations and cyber incident reporting requirements across numerous jurisdictions. With the often short timeframes required for cyber incident reporting, there is a risk that Visa or its third-party service providers will fail to meet the reporting deadlines for any given incident. It may take considerable time for us to investigate and evaluate the full impact of cyber incidents, particularly for sophisticated attacks. These factors may inhibit our ability to provide prompt, full, and reliable information about the cyber incident to our clients, partners, and regulators, as well as to the public. 
In the event we are found to be out of compliance, we could be subject to monetary damages, civil and criminal penalties, litigation, investigations and proceedings, and damage to our reputation and brand. Any of these events, individually or in the aggregate, could significantly disrupt our operations; result in the unauthorized disclosure, release, gathering, monitoring, misuse, loss or destruction of confidential, proprietary, sensitive and personal information (including account data information) or data security compromises; impact our clients and consumers; damage our reputation and brand; result in litigation or claims, violations of applicable privacy and other laws, and increased regulatory review or scrutiny, investigations, actions, fines or penalties; result in damages or changes to our business practices; decrease the overall use and acceptance of our products; decrease our volume, net revenue and future growth prospects; and be costly, time consuming and difficult to remedy. In the event of damage or disruption to our business due to these occurrences, we may not be able to successfully and quickly recover all of our critical business functions, assets, and data through our business continuity program. Furthermore, while we maintain insurance, our coverage may not sufficiently cover all types of losses or claims that may arise.

View prior text (2023)

Our cybersecurity and processing systems, as well as those of financial institutions, merchants and third-party service providers, have experienced and may continue to experience errors, interruptions, delays or damage from a number of causes, including power outages, hardware, software and network failures, computer viruses, ransomware, malware or other destructive software, internal design, manual or user errors, cyber-attacks, terrorism, workplace violence or wrongdoing, catastrophic events, natural disasters, severe weather conditions and other effects from climate change. In addition, there is risk that third party suppliers of hardware and infrastructure required to operate our data centers and support employee productivity could be impacted by supply chain disruptions, such as manufacturing, shipping delays, and service disruption due to cyber-attacks. An extended supply chain or service disruption could also impact processing or delivery of technology services. Furthermore, our visibility and role in the global payments industry also puts our company at a greater risk of being targeted by hackers. In the normal course of our business, we have been the target of malicious cyber-attack attempts. We have been, and may continue to be, impacted by attacks and data security breaches of financial institutions, merchants, and third-party service providers. We are also aware of instances where nation states have sponsored attacks against some of our financial institution clients, and other instances where merchants and issuers have encountered substantial data security breaches affecting their customers, some of whom were Visa account holders.
Given the increase in online banking, ecommerce and other online activity, as well as more employees working remotely as a result of the COVID-19 pandemic, we continue to see increased cyber and payment fraud activity, as cybercriminals attempt DDoS related attacks, phishing and social engineering scams and other disruptive actions. Overall, such attacks and breaches have resulted, and may continue to result in, fraudulent activity and ultimately, financial losses to Visa’s clients. Numerous and evolving cybersecurity threats, including advanced and persistent cyber-attacks, targeted attacks against our employees and trusted partners (i.e., insider threats), synthetic media threats such as phishing, deepfake or social engineering schemes, particularly on our internet-facing applications, could compromise the confidentiality, availability and integrity of data in our systems or the systems of our third-party service providers. Because the tactics, techniques and procedures used to obtain unauthorized access, or to disable or degrade systems change frequently, have become increasingly more complex and sophisticated, and may be difficult to detect for periods of time, we may not anticipate these acts or respond adequately or timely. For example, cybercriminals have increasingly demonstrated advanced capabilities, such as use of zero-day vulnerabilities, and rapid integration of new technology such as generative AI. The security measures and procedures we, our financial institution and merchant clients, other merchants and third-party service providers in the payments ecosystem have in place to protect sensitive consumer data and other information may not be successful or sufficient to counter all data security breaches, cyber-attacks or system failures. 
In some cases, the mitigation efforts may be dependent on third parties who may not deliver to the required contractual standards, who may not be able to timely patch vulnerabilities or fix security defects, or whose hardware, software or network services may be subject to error, defect, delay, outage or lack appropriate malware prevention to prevent breaches or data exfiltration incidents. Despite our security measures and programs to protect our systems and data, and prevent, detect and respond to data security incidents, there can be no assurance that our efforts will prevent these threats. In addition, as a global financial services company, Visa is increasingly subject to complex and varied cybersecurity regulations and cyber incident reporting requirements across numerous jurisdictions. With the often short timeframes required for cyber incident reporting, there is a risk that Visa or its suppliers will fail to meet the reporting deadlines for any given incident. In the event we are found to be out of compliance, we could be subject to monetary damages, civil and criminal penalties, litigation, investigations and proceedings, and damage to our reputation and brand. Any of these events could significantly disrupt our operations; impact our clients and consumers; damage our reputation and brand; result in litigation or claims, violations of applicable privacy and other laws, and increased regulatory review or scrutiny, investigations, actions, fines or penalties; result in damages or changes to our business practices; decrease the overall use and acceptance of our products; decrease our volume, revenues and future growth prospects; and be costly, time consuming and difficult to remedy. In the event of damage or disruption to our business due to these occurrences, we may not be able to successfully and quickly recover all of our critical business functions, assets, and data through our business continuity program. 
Furthermore, while we maintain insurance, our coverage may not sufficiently cover all types of losses or claims that may arise.

🟡 Modified

Our net revenue and profits are dependent on our client and merchant base, which may be costly to win, retain and develop.

high match confidence

Sentence-level differences:

  • Reworded sentence: "Because a significant portion of our net revenue is concentrated among our largest clients, the loss of business from any one of these larger clients could harm our business, results of operations and financial condition."
  • Reworded sentence: "In certain regions, we are increasingly facing competition from RTP networks, other payment facilitators offering lower pricing, and government involvement in domestic and cross-border payments."
  • Reworded sentence: "In addition, if there is a consolidation or acquisition of one or more of our largest clients or co-brand partners by a financial institution client or merchant with a strong relationship with one of our competitors, it could result in our business shifting to a competitor, which could put us at a competitive disadvantage and harm our business."

Current (2024):

Our financial institution clients and merchants can reassess their commitments to us at any time or develop their own competitive services. While we have certain contractual protections, our clients, including some of our largest clients, generally have flexibility to issue non-Visa products. Further, in certain circumstances, our financial institution clients may decide to terminate our contractual relationship on relatively short notice without paying significant early termination fees. Because a significant portion of our net revenue is concentrated among our largest clients, the loss of business from any one of these larger clients could harm our business, results of operations and financial condition. For more information, please see Note 14—Enterprise-wide Disclosures and Concentration of Business to our consolidated financial statements included in Item 8 of this report. In addition, we face intense competitive pressure on the prices we charge our financial institution clients. In certain regions, we are increasingly facing competition from RTP networks, other payment facilitators offering lower pricing, and government involvement in domestic and cross-border payments. In order to stay competitive, we may need to adjust our pricing or offer incentives to our clients to grow payments volume, enter new market segments, adapt to regulatory changes, and expand their use and acceptance of Visa products and services. These include up-front cash payments, fee discounts, rebates, credits, performance-based incentives, marketing and other support payments that impact our net revenue and profitability. In addition, we offer incentives to certain merchants and acquirers to encourage them to route transactions to Visa. Pressures on pricing, incentives, fee discounts and rebates could moderate our growth. 
If we are not able to implement cost containment and productivity initiatives in other areas of our business or grow our volumes in other ways to offset or absorb the financial impact of these incentives, fee discounts and rebates, it may harm our net revenue and profits. In addition, it may be difficult or costly for us to acquire or conduct business with financial institutions or merchants that have longstanding exclusive, or nearly exclusive, relationships with our competitors. These financial institutions or merchants may be more successful and may grow more quickly than our existing clients or merchants. In addition, if there is a consolidation or acquisition of one or more of our largest clients or co-brand partners by a financial institution client or merchant with a strong relationship with one of our competitors, it could result in our business shifting to a competitor, which could put us at a competitive disadvantage and harm our business.

View prior text (2023)

Our financial institution clients and merchants can reassess their commitments to us at any time or develop their own competitive services. While we have certain contractual protections, our clients, including some of our largest clients, generally have flexibility to issue non-Visa products. Further, in certain circumstances, our financial institution clients may decide to terminate our contractual relationship on relatively short notice without paying significant early termination fees. Because a significant portion of our net revenues is concentrated among our largest clients, the loss of business from any one of these larger clients could harm our business, results of operations and financial condition. For more information, please see Note 14—Enterprise-wide Disclosures and Concentration of Business to our consolidated financial statements included in Item 8 of this report. In addition, we face intense competitive pressure on the prices we charge our financial institution clients. In certain regions, we are increasingly facing competition from RTP networks and other payment facilitators offering lower pricing, as well as initiatives to lower costs, such as the G20 Roadmap for Enhancing Cross-border Payments. In order to stay competitive, we may need to adjust our pricing or offer incentives to our clients to increase payments volume, enter new market segments, adapt to regulatory changes, and expand their use and acceptance of Visa products and services. These include up-front cash payments, fee discounts, rebates, credits, performance-based incentives, marketing and other support payments that impact our revenues and profitability. In addition, we offer incentives to certain merchants and acquirers to win routing preference in relation to other network options or forms of payment. Market pressures on pricing, incentives, fee discounts and rebates could moderate our growth.
If we are not able to implement cost containment and productivity initiatives in other areas of our business or increase our volumes in other ways to offset or absorb the financial impact of these incentives, fee discounts and rebates, it may harm our net revenues and profits. In addition, it may be difficult or costly for us to acquire or conduct business with financial institutions or merchants that have longstanding exclusive, or nearly exclusive, relationships with our competitors. These financial institutions or merchants may be more successful and may grow more quickly than our existing clients or merchants. In addition, if there is a consolidation or acquisition of one or more of our largest clients or co-brand partners by a financial institution client or merchant with a strong relationship with one of our competitors, it could result in our business shifting to a competitor, which could put us at a competitive disadvantage and harm our business.

🟡 Modified

Global economic, political, market, health and social events or conditions may harm our business.

high match confidence

Sentence-level differences:

  • Reworded sentence: "More than half of our net revenue is earned outside the U.S."
  • Reworded sentence: "Adverse macroeconomic conditions within the U.S. or internationally, including but not limited to recessions, inflation, rising interest rates, high unemployment, currency fluctuations, actual or anticipated large-scale defaults or failures, rising energy prices, or a slowdown of global trade, and reduced consumer, small business, government, and corporate spending, have a direct impact on our volumes, transactions and net revenue."
  • Reworded sentence: "Geopolitical trends towards nationalism, protectionism, and restrictive visa requirements, as well as continued activity and uncertainty around economic sanctions, tariffs or trade restrictions, including restrictions on the cross-border flow of data, also limit the expansion of our business in certain regions and have resulted in us suspending our operations in other regions."
  • Removed sentence: "For fiscal 2022 and 2021, total net revenues from Russia, including revenues driven by domestic as well as cross-border activities, were approximately 2% and 4% of our consolidated net revenues, respectively."
  • Reworded sentence: "The ongoing military conflict in the Middle East, and any resulting conflicts in the region, could potentially have similar negative impacts."

Current (2024):

More than half of our net revenue is earned outside the U.S. In addition, international cross-border transaction revenue represents a significant part of our net revenue and is an important part of our growth strategy. Our net revenue is dependent on the volume and number of payment transactions made by consumers, governments, and businesses whose spending patterns may be affected by economic, political, market, health and social events or conditions. Adverse macroeconomic conditions within the U.S. or internationally, including but not limited to recessions, inflation, rising interest rates, high unemployment, currency fluctuations, actual or anticipated large-scale defaults or failures, rising energy prices, or a slowdown of global trade, and reduced consumer, small business, government, and corporate spending, have a direct impact on our volumes, transactions and net revenue. Furthermore, in efforts to deal with adverse macroeconomic conditions, governments may introduce new or additional initiatives or requests to reduce or eliminate payment fees or other costs. In an overall soft global economy, such pricing measures could result in additional financial pressures on our business. In addition, outbreaks of illnesses, pandemics like COVID-19, or other local or global health issues, political uncertainties, international hostilities, armed conflicts, wars, civil unrest, climate-related events, including the increasing frequency of extreme weather events, impacts to the power grid, and natural disasters have to varying degrees negatively impacted our operations, clients, third-party suppliers, activities, and cross-border travel and spend. 
Geopolitical trends towards nationalism, protectionism, and restrictive visa requirements, as well as continued activity and uncertainty around economic sanctions, tariffs or trade restrictions, including restrictions on the cross-border flow of data, also limit the expansion of our business in certain regions and have resulted in us suspending our operations in other regions. During fiscal 2022, economic sanctions were imposed on Russia by the U.S., the EU, United Kingdom and other jurisdictions and authorities, impacting Visa and its clients. In March 2022, we suspended our operations in Russia and as a result, are no longer generating revenue from domestic and cross-border activities related to Russia. The war in Ukraine and any further actions by, or in response to such actions by, Russia or its allies could have lasting impacts on Ukraine as well as other regional and global economies, any or all of which could adversely affect our business. The ongoing military conflict in the Middle East, and any resulting conflicts in the region, could potentially have similar negative impacts. A decline in economic, political, market, health and social conditions could impact our clients as well, and their decisions could reduce the number of cards, accounts, and credit lines of their account holders, and impact overall consumption by consumers and businesses, which would ultimately impact our net revenue. Our clients may implement cost-reduction initiatives that reduce or eliminate marketing budgets, and decrease spending on optional or enhanced value-added services from us. Any events or conditions that impair the functioning of the financial markets, tighten the credit market, or lead to a downgrade of our current credit rating could increase our future borrowing costs and impair our ability to access the capital and credit markets on favorable terms, which could affect our liquidity and capital resources, or significantly increase our cost of capital. 
Finally, as governments, investors and other stakeholders face additional pressures to accelerate actions to address climate change and other environmental, governance and social topics, governments are implementing regulations and investors and other stakeholders are imposing new expectations or focusing investments in ways that may cause significant shifts in disclosure, commerce and consumption behaviors that may have negative impacts on our business. As a result of any of these factors, any decline in cross-border travel and spend would impact our cross-border volumes, the number of cross-border transactions we process and our currency exchange activities, which in turn would reduce our international transaction revenue.

View prior text (2023)

More than half of our net revenues are earned outside the U.S. International cross-border transaction revenues represent a significant part of our revenue and are an important part of our growth strategy. Our revenues are dependent on the volume and number of payment transactions made by consumers, governments, and businesses whose spending patterns may be affected by economic, political, market, health and social events or conditions. Adverse macroeconomic conditions within the U.S. or internationally, including but not limited to recessions, inflation, rising interest rates, high unemployment, currency fluctuations, actual or anticipated large-scale defaults or failures, rising energy prices, or a slowdown of global trade, and reduced consumer, small business, government, and corporate spending, have a direct impact on our volumes, transactions and revenues. Furthermore, in efforts to deal with adverse macroeconomic conditions, governments may introduce new or additional initiatives or requests to reduce or eliminate payment fees or other costs. In an overall soft global economy, such pricing measures could result in additional financial pressures on our business. In addition, outbreaks of illnesses, pandemics like COVID-19, or other local or global health issues, political uncertainties, international hostilities, armed conflicts, wars, civil unrest, climate-related events, including the increasing frequency of extreme weather events, impacts to the power grid, and natural disasters have to varying degrees negatively impacted our operations, clients, third-party suppliers, activities, and cross-border travel and spend. Although the World Health Organization and the federal government declared an end to COVID-19 as a global and national health emergency, respectively, risks related to COVID-19 have adversely affected and may continue to adversely affect our business, results of operations, cash flows and financial condition. 
The ongoing effects of the COVID-19 pandemic remain difficult to predict due to numerous uncertainties, including the resumption of international travel, and the indirect impact of the pandemic on global economic activity. In addition, a number of countries took steps during the pandemic to temporarily cap interchange or other fees on electronic payments as part of their COVID-19 economic relief measures. While most have been rescinded or have expired, it is possible that proponents of interchange and/or MDR regulation may try to position government intervention as necessary to support potential future economic relief initiatives. Geopolitical trends towards nationalism, protectionism, and restrictive visa requirements, as well as continued activity and uncertainty around economic sanctions, tariffs or trade restrictions also limit the expansion of our business in certain regions and have resulted in us suspending our operations in other regions. During fiscal 2022, economic sanctions were imposed on Russia by the U.S., European Union, United Kingdom and other jurisdictions and authorities, impacting Visa and its clients. In March 2022, we suspended our operations in Russia and as a result, are no longer generating revenue from domestic and cross-border activities related to Russia. For fiscal 2022 and 2021, total net revenues from Russia, including revenues driven by domestic as well as cross-border activities, were approximately 2% and 4% of our consolidated net revenues, respectively. The war in Ukraine and any further actions by, or in response to such actions by, Russia or its allies could have lasting impacts on Ukraine as well as other regional and global economies, any or all of which could adversely affect our business.
A decline in economic, political, market, health and social conditions could impact our clients as well, and their decisions could reduce the number of cards, accounts, and credit lines of their account holders, and impact overall consumption by consumers and businesses, which would ultimately impact our revenues. Our clients may implement cost-reduction initiatives that reduce or eliminate marketing budgets, and decrease spending on optional or enhanced value added services from us. Any events or conditions that impair the functioning of the financial markets, tighten the credit market, or lead to a downgrade of our current credit rating could increase our future borrowing costs and impair our ability to access the capital and credit markets on favorable terms, which could affect our liquidity and capital resources, or significantly increase our cost of capital. Finally, as governments, investors and other stakeholders face additional pressures to accelerate actions to address climate change and other environmental, governance and social topics, governments are implementing regulations and investors and other stakeholders are imposing new expectations or focusing investments in ways that may cause significant shifts in disclosure, commerce and consumption behaviors that may have negative impacts on our business. As a result of any of these factors, any decline in cross-border travel and spend would impact our cross-border volumes, the number of cross-border transactions we process and our currency exchange activities, which in turn would reduce our international transaction revenues.

🟡 Modified

We may be subject to tax examinations or disputes, or changes in tax laws.

high match confidence

Sentence-level differences:

  • Reworded sentence: "The application of tax laws requires significant judgment and can be subject to uncertainty and differing interpretations."
  • Reworded sentence: "Internal Revenue Service as well as tax authorities in other jurisdictions, and we may be subject to additional examinations or disputes in the future."
  • Reworded sentence: "or foreign jurisdictions, including unilateral actions of foreign jurisdictions to introduce digital services taxes, or changes resulting from the Organization for Economic Cooperation and Development’s proposals for modernizing the international tax system, including the introduction of a global minimum tax with widespread implementation by member countries expected by 2025, may also materially affect our effective tax rate and could increase our tax payments."

Current (2024):

The application of tax laws requires significant judgment and can be subject to uncertainty and differing interpretations. We are currently under examination by, or in disputes with, the U.S. Internal Revenue Service as well as tax authorities in other jurisdictions, and we may be subject to additional examinations or disputes in the future. We exercise significant judgment and make estimates that we believe to be reasonable in calculating our worldwide provision for income taxes and other tax liabilities. However, relevant tax authorities may disagree with our estimates, interpretations or tax treatment of certain material items. Failure to sustain our position in these matters could adversely affect our cash flows and financial position. In addition, changes in existing laws in the U.S. or foreign jurisdictions, including unilateral actions of foreign jurisdictions to introduce digital services taxes, or changes resulting from the Organization for Economic Cooperation and Development’s proposals for modernizing the international tax system, including the introduction of a global minimum tax with widespread implementation by member countries expected by 2025, may also materially affect our effective tax rate and could increase our tax payments. Please see Item 7 and Note 19—Income Taxes to our consolidated financial statements included in Item 8 of this report.

View prior text (2023)

We exercise significant judgment and make estimates in calculating our worldwide provision for income taxes and other tax liabilities. Although we believe our tax estimates are reasonable, many factors may limit their accuracy. We are currently under examination by, or in disputes with, the U.S. Internal Revenue Service, the UK’s HM Revenue and Customs as well as tax authorities in other jurisdictions, and we may be subject to additional examinations or disputes in the future. Relevant tax authorities may disagree with our tax treatment of certain material items and thereby increase our tax liability. Failure to sustain our position in these matters could harm our cash flow and financial position. In addition, changes in existing laws in the U.S. or foreign jurisdictions, including unilateral actions of foreign jurisdictions to introduce digital services taxes, or changes resulting from the Organization for Economic Cooperation and Development’s Program of Work, related to the revision of profit allocation and nexus rules and design of a system to ensure multinational enterprises pay a minimum level of tax to the countries where we earn revenue, may also materially affect our effective tax rate. A substantial increase in our tax payments could have a material, adverse effect on our financial results. See also Note 19—Income Taxes to our consolidated financial statements included in Item 8 of this report.

🟡 Modified

Laws and regulations regarding the handling of personal data, including laws and regulations related to privacy, cybersecurity and AI, may impede our services or result in increased costs, legal claims, or fines against us.

high match confidence

Sentence-level differences:

  • Reworded sentence: "Our business relies on the processing of data across national borders."
  • Reworded sentence: "Additionally, privacy laws in other regions, such as China’s Personal Information Protection Law and India’s Personal Data Protection Act, may have extraterritorial application and include restrictions on cross-border data transfers, extensive notification and localization requirements, and substantial compliance and audit obligations."
  • Reworded sentence: "In Europe, data protection authorities continue to apply and enforce the General Data Protection Regulation (GDPR), imposing record setting fines."
  • Reworded sentence: "In the context of AI development, risks include those related to intellectual property considerations, the collection and use of personal information, third party risks, technical limitations of algorithms and the accuracy of training data, and compliance with emerging AI legal standards."
  • Added sentence: "Further, as we develop integrated and personalized products and services and acquire new companies to meet the needs of a changing marketplace, we may expand our data profile through additional data types and sources, across multiple channels, and involving new partners."

Current (2024):

Our business relies on the processing of data across national borders. Legal requirements relating to the collection, storage, handling, use, disclosure, transfer, disposal and security of personal data continue to evolve, and we are subject to an increasing number of privacy, data protection, cybersecurity and AI requirements around the world. For example, our ongoing efforts to comply with complex U.S. state privacy and data protection regulations, and emerging international privacy and data protection laws, may increase the complexity of our compliance operations, entail substantial expenses, divert resources from other initiatives and projects, and limit the services we are able to offer. Additionally, privacy laws in other regions, such as China’s Personal Information Protection Law and India’s Personal Data Protection Act, may have extraterritorial application and include restrictions on cross-border data transfers, extensive notification and localization requirements, and substantial compliance and audit obligations. The global proliferation of new privacy and data protection laws may lead to inconsistent and conflicting requirements, which create an uncertain regulatory environment. Noncompliance could also result in regulatory penalties and significant legal liability. Enforcement actions and investigations by regulatory authorities into companies related to data security incidents and privacy violations are generally increasing. In Europe, data protection authorities continue to apply and enforce the General Data Protection Regulation (GDPR), imposing record setting fines. We are also subject to a variety of laws and regulations governing the development, use, and deployment of AI technologies. These laws and regulations are still evolving, and there is no single global regulatory framework for AI. The market is still assessing how regulators may apply existing consumer protection and other laws in the context of AI. 
There is thus uncertainty on what new laws will look like and how existing laws will apply to our development, use, and deployment of AI. In the midst of this uncertainty, we may face challenges due to the complexity and rapidly changing nature of AI technology and applicable laws. Our use of AI and machine learning is subject to various risks at each stage of use. In the context of AI development, risks include those related to intellectual property considerations, the collection and use of personal information, third party risks, technical limitations of algorithms and the accuracy of training data, and compliance with emerging AI legal standards. In the context of use and deployment, risks include ethical and compliance considerations, and our ability to monitor and safely deploy AI systems throughout the organization with appropriate safeguards. The EU has adopted a comprehensive AI Act that applies harmonized rules across Europe with the aim of fostering innovation and respecting fundamental rights. The EU AI Act comes into force in stages with the key provisions related to high risk AI coming into force in August 2026. There is still limited guidance on the EU AI Act, but it could, depending on how provisions are interpreted and enforced, limit the ability to create and deploy AI systems for uses deemed high-risk in the EU or add increased compliance costs associated with these systems. Our development and implementation of governance frameworks for our AI and machine learning systems may not be successful in mitigating all of these emerging risks. Further, as we develop integrated and personalized products and services and acquire new companies to meet the needs of a changing marketplace, we may expand our data profile through additional data types and sources, across multiple channels, and involving new partners. This potential expansion could amplify the impact of these various laws and regulations on our business. 
As a result, we are required to constantly monitor our privacy, data and cybersecurity practices and potentially change them when necessary or appropriate. We also may need to provide increased care in our data management, governance and quality practices, particularly as it relates to the use of data in products leveraging AI.

View prior text (2023)

Our business relies on the movement of data across national borders. Legal requirements relating to the collection, storage, handling, use, disclosure, transfer and security of personal data continue to evolve, and we are subject to an increasing number of privacy and data protection requirements around the world. For example, our ongoing efforts to comply with complex U.S. state privacy and data protection regulations, and emerging international privacy and data protection laws, may increase the complexity of our compliance operations, entail substantial expenses, divert resources from other initiatives and projects, and limit the services we are able to offer. Additionally, privacy laws in other regions, such as China’s Personal Information Protection Law and India’s Personal Data Protection Act, have extraterritorial application and include restrictions on processing sensitive data, extensive notification requirements, and substantial compliance and audit obligations. The global proliferation of new privacy and data protection laws may lead to inconsistent and conflicting requirements, which create an uncertain regulatory environment. Noncompliance could also result in regulatory penalties and significant legal liability. Enforcement actions and investigations by regulatory authorities into companies related to data security incidents and privacy violations are generally increasing. In Europe, data protection authorities continue to apply and enforce the General Data Protection (GDPR), imposing record setting fines. We are also subject to a variety of laws and regulations governing the development, use, and deployment of AI technologies. These laws and regulations are still evolving, and there is no single global regulatory framework for AI. The market is still assessing how regulators may apply existing consumer protection and other laws in the context of AI. 
There is thus uncertainty on what new laws will look like and how existing laws will apply to our development, use, and deployment of AI. In the midst of this uncertainty, we may face challenges due to the complexity and rapidly changing nature of AI technology and applicable laws. Our use of AI and machine learning is subject to various risks at each stage of use. In the context of AI development, risks relate to intellectual property considerations, the use of personal information, and flaws in algorithms or datasets used for training. In the context of use and deployment, risks include ethical considerations regarding the outputs, and our ability to safely deploy AI throughout the organization. Our development and implementation of governance frameworks for our AI and machine learning systems may not be successful in mitigating all of these emerging risks.