Visa Inc.: 10-K Risk Factor Changes

2025 vs 2024  ·  SEC EDGAR  ·  2026-07-05
✓ Deterministic extraction — no AI-generated data

Classification is based on semantic text similarity scoring and may include approximations. “No match” means no high-confidence textual match was found — not necessarily that a section was removed.

0
New Risks
0
Removed
13
Modified
8
Unchanged
🟡 Modified Severity7/10Det 7

Laws and regulations regarding the handling of personal data, including laws and regulations related to privacy, cybersecurity and AI, may impede our services or result in increased costs, legal claims or fines against us.

high match confidence

Sentence-level differences:

  • Reworded sentence: "Legislators and regulators around the world are increasingly adopting or revising privacy, data protection, data management, data transfer, AI and cybersecurity laws and regulations."
  • Reworded sentence: "and international privacy and data protection laws may increase the complexity of our compliance operations, entail substantial expenses, divert resources from other initiatives and projects, require us to modify our data processing practices, policies or services, and adversely impact our business."
  • Reworded sentence: "As we develop integrated and personalized products and services and acquire new companies to meet the needs of a changing marketplace, we may expand our data profile through additional data types and sources, across multiple channels, and involving new partners."
  • Reworded sentence: "For example, as agentic commerce solutions scale, we may see increased instances of erroneous or disputed payments, increased chargebacks and reputational harm."

Current (2025):

Our business relies on the processing of data across national borders. Legislators and regulators around the world are increasingly adopting or revising privacy, data protection, data management, data transfer, AI and cybersecurity laws and regulations. For example, our ongoing…

Read full text

Our business relies on the processing of data across national borders. Legislators and regulators around the world are increasingly adopting or revising privacy, data protection, data management, data transfer, AI and cybersecurity laws and regulations. For example, our ongoing efforts to comply with complex U.S. and international privacy and data protection laws may increase the complexity of our compliance operations, entail substantial expenses, divert resources from other initiatives and projects, require us to modify our data processing practices, policies or services, and adversely impact our business. In addition, privacy laws in numerous jurisdictions, including but not limited to the U.S., China, India, Australia, New Zealand, Brazil, Kingdom of Saudi Arabia, Hong Kong and Japan, have established specific legal requirements for cross-border transfers of personal information and substantial compliance and audit obligations. Certain countries have also established specific legal requirements for data localization, such as where personal data must remain stored in the country. The global proliferation of new privacy and data protection laws may lead to inconsistent and conflicting requirements or legal interpretations, which create an uncertain regulatory environment. Noncompliance could also result in regulatory penalties and significant legal liability. Enforcement actions and investigations by regulatory authorities into companies related to data security incidents and privacy violations are generally increasing. In Europe, data protection authorities continue to apply and enforce the General Data Protection Regulation (GDPR), imposing record setting fines. As we develop integrated and personalized products and services and acquire new companies to meet the needs of a changing marketplace, we may expand our data profile through additional data types and sources, across multiple channels, and involving new partners. This potential expansion could amplify the impact of these various laws and regulations on our business. As a result, we are required to constantly monitor our privacy, data and cybersecurity practices and potentially change them when necessary or appropriate. We also may need to provide increased care in our data management, governance and quality practices, particularly as it relates to the use of data in products leveraging AI. We are also subject to a variety of laws and regulations governing the development, use and deployment of AI technologies. These laws and regulations are increasingly complex, fragmented and still evolving, and there is no single global regulatory framework for AI. Our development, deployment and use of AI and machine learning is subject to various risks at each stage of use. In the context of AI development, risks include those related to intellectual property considerations, the collection and use of personal data, third party risks, technical limitations of algorithms and the accuracy of training data, and compliance with emerging AI legal standards. The increased risk of inadvertent disclosure of confidential information or personal data in connection with the utilization of AI technologies may result in stronger regulatory scrutiny, leading to legal and regulatory investigations and 25 25 25 25 25 25 Table of Contents Table of Contents Table of Contents enforcement actions that may negatively affect our business, even if unfounded. In the context of use and deployment, risks include technical, operational and compliance considerations, and our ability to monitor and safely deploy AI systems throughout the organization with appropriate safeguards and in compliance with the various regulatory schemes related to AI technology. In particular, the adoption of agentic commerce, in which autonomous AI agents initiate and execute transactions on behalf of users, presents novel and complex regulatory, privacy and cybersecurity risks. Legal frameworks governing such autonomous agents remain nascent, with limited direct guidance specific to payments. The interplay between payments regulations, data privacy laws and evolving AI regulations may create uncertainty around compliance obligations and potential liability exposure as more participants (including sellers, fintechs, AI developers and enablers) enter the agentic commerce ecosystem. The market is still assessing how regulators may apply existing consumer protection and other laws in the context of AI. For example, as agentic commerce solutions scale, we may see increased instances of erroneous or disputed payments, increased chargebacks and reputational harm. Furthermore, reliance on agentic AI introduces challenges in monitoring cross-border, prohibited or high-risk transactions, where conflicting regulatory requirements may apply. The fragmented regulatory landscape for emerging technologies such as AI and inconsistent requirements across legal frameworks may amplify difficulties in identifying, preventing or mitigating risk with a single global approach, potentially increasing our compliance costs or stratifying our ability to leverage certain data or technologies for innovation. For instance, the EU has adopted a comprehensive AI Act that establishes harmonized rules across Europe, with key provisions for high-risk AI systems taking effect in August 2026. Meanwhile, several U.S. states, including California, Colorado and Utah, have adopted AI-specific frameworks or are considering applying existing consumer and data protection laws to regulate AI. Depending on how these different regulations are interpreted and enforced, they may limit the ability to develop and deploy AI systems or significantly increase associated compliance costs. Our development and implementation of governance frameworks aimed at complying with emerging laws and regulations applicable to our AI and machine learning systems may not be successful in mitigating all of these emerging risks.

View prior text (2024)

Our business relies on the processing of data across national borders. Legal requirements relating to the collection, storage, handling, use, disclosure, transfer, disposal and security of personal data continue to evolve, and we are subject to an increasing number of privacy, data protection, cybersecurity and AI requirements around the world. For example, our ongoing efforts to comply with complex U.S. state privacy and data protection regulations, and emerging international privacy and data protection laws, may increase the complexity of our compliance operations, entail substantial expenses, divert resources from other initiatives and projects, and limit the services we are able to offer. Additionally, privacy laws in other regions, such as China’s Personal Information Protection Law and India’s Personal Data Protection Act, may have extraterritorial application and include restrictions on cross-border data transfers, extensive notification and localization requirements, and substantial compliance and audit obligations. The global proliferation of new privacy and data protection laws may lead to inconsistent and conflicting requirements, which create an uncertain regulatory environment. Noncompliance could also result in regulatory penalties and significant legal liability. Enforcement actions and investigations by regulatory authorities into companies related to data security incidents and privacy violations are generally increasing. In Europe, data protection authorities continue to apply and enforce the General Data Protection Regulation (GDPR), imposing record setting fines. We are also subject to a variety of laws and regulations governing the development, use, and deployment of AI technologies. These laws and regulations are still evolving, and there is no single global regulatory framework for AI. The market is still assessing how regulators may apply existing consumer protection and other laws in the context of AI. There is thus uncertainty on what new laws will look like and how existing laws will apply to our development, use, and deployment of AI. In the midst of this uncertainty, we may face challenges due to the complexity and rapidly changing nature of AI technology and applicable laws. Our use of AI and machine learning is subject to various risks at each stage of use. In the context of AI development, risks include those related to intellectual property considerations, the collection and use of personal information, third party risks, technical limitations of algorithms and the accuracy of training data, and compliance with emerging AI legal standards. In the context of use and deployment, risks include ethical and compliance considerations, and our ability to monitor and safely deploy AI systems throughout the organization with appropriate safeguards. The EU has adopted a comprehensive AI Act that applies harmonized rules across Europe with the aim of fostering innovation and respecting fundamental rights. The EU AI Act comes into force in stages with the key provisions related to high risk AI coming into force in August 2026. There is still limited guidance on the EU AI Act, but it could, depending on how provisions are interpreted and enforced, limit the ability to create and deploy AI systems for uses deemed high-risk in the EU or add increased compliance costs associated with these systems. Our development and implementation of governance frameworks for our AI and machine learning systems may not be successful in mitigating all of these emerging risks. Further, as we develop integrated and personalized products and services and acquire new companies to meet the needs of a changing marketplace, we may expand our data profile through additional data types and sources, across multiple channels, and involving new partners. This potential expansion could amplify the impact of these various laws and regulations on our business. As a result, we are required to constantly monitor our privacy, 23 23 23 23 23 23 Table of Contents Table of Contents Table of Contents data and cybersecurity practices and potentially change them when necessary or appropriate. We also may need to provide increased care in our data management, governance and quality practices, particularly as it relates to the use of data in products leveraging AI.

🟡 Modified We face intense competition in our industry. 🔒
🟡 Modified A disruption, failure or breach of our networks or systems, including as a result of cyber incidents or attacks, could harm our business. 🔒
🟡 Modified Increased scrutiny and regulation of the global payments industry, including with respect to interchange reimbursement fees, merchant discount rates, operating rules, risk management protocols and other related practices, could harm our business. 🔒
🟡 Modified We may be unable to attract, hire and retain a highly qualified workforce, including key management. 🔒
🟡 Modified Global economic, political, market, health and social events or conditions may harm our business. 🔒
🟡 Modified Our ability to adjust to evolving corporate responsibility and sustainability (CRS) matters and related regulations could adversely affect our business and financial results or negatively impact our reputation. 🔒
🟡 Modified We are subject to complex and evolving global regulations that could harm our business and financial results. 🔒
🟡 Modified Sellers’ and processors’ continued push to lower acceptance costs and challenge industry practices could harm our business. 🔒
🟡 Modified We depend on relationships with financial institutions, acquirers, processors, sellers, payment facilitators, ecommerce platforms, fintechs and other third parties. 🔒
🟡 Modified Our net revenue and profits are dependent on our client and seller base, which may be costly to win, retain and develop. 🔒
🟡 Modified Our indemnification obligation to fund settlement losses of our clients exposes us to significant risk of loss and may reduce our liquidity. 🔒
🟡 Modified Delaware law, provisions in our certificate of incorporation and bylaws, and our capital structure could make a merger, takeover attempt or change in control difficult. 🔒
12 more changes in this filing

Full diff access, historical comparisons, and cross-company signal tracking.

Get full access — from $29/month Already a Pro subscriber? View full diff →