AssetMark Financial Holdings (AMK) Risk Analysis

We rely heavily on the Internet in conducting our business, and are subject to general business regulations and laws as well as federal and state regulations and laws specifically governing the Internet. The adoption, modification or interpretation of laws or regulations relating to the Internet could impede the growth of the Internet or other online services or increase the cost of providing online services, which could adversely affect the manner in which we conduct our business. Such laws and regulations may cover sales practices, taxes, user privacy, data protection, pricing, content, copyrights, distribution, electronic contracts, consumer protection, broadband residential Internet access and the characteristics and quality of services. If we are required to comply with new regulations or legislation or new interpretations of existing regulations or legislation, we may be required to incur additional expenses or alter our business model, either of which could have a material adverse effect on our results of operations, financial condition or business. Likewise, any failure, or perceived failure, by us to comply with any of these laws or regulations could result in damage to our reputation and brand, a loss in business, and proceedings or actions against us by governmental entities or others, which could adversely affect our results of operations, financial condition or business.

The financial services industry faces substantial regulatory enforcement risks and litigation. Like many firms operating within the financial services industry, we are experiencing a difficult regulatory environment across our markets. Our current scale and reach as a provider to the financial services industry, the increased regulatory oversight of the financial services industry generally, the increase in speed of proposing and adopting new laws, rules and regulations, ever-changing regulatory interpretations of existing laws and regulations and the retroactive imposition of new interpretations through enforcement actions have made this an increasingly challenging and costly regulatory environment in which to operate. In particular, the SEC over the past several years has undertaken an aggressive rulemaking agenda covering a broad array of topics, including securities market structure and settlement, regulatory reporting and recordkeeping, investor disclosures, the scope of various registration requirements, cybersecurity and money market funds, among others. Regulatory examinations or investigations could result in the identification of matters that may require remediation activities or enforcement proceedings by regulators. For example, we recently entered into a settlement with the SEC concerning disclosure practices with respect to potential conflicts of interest among our subsidiaries, without admitting or denying the SEC's findings (the "SEC Settlement"). We agreed to pay a civil penalty of $9.5 million and disgorgement and prejudgment interest of $8.8 million in connection with such settlement. The direct and indirect costs of SEC settlements and any other examinations that we may face, or of defending ourselves in any litigation could be significant, and the outcome of examinations, litigation or regulatory action is inherently difficult to predict and could have an adverse effect on our ability to offer some of our products and services. Additionally, actions brought against us may result in settlements, awards, injunctions, fines and penalties, such as the penalty we agreed to pay in connection with the SEC Settlement discussed above, which have and could negatively impact our results of operations, financial condition, business and reputation.

Personal privacy, data protection, information security and other regulations are significant in the United States and abroad. We are subject to a variety of laws and regulations that apply to our collection, use, retention, protection, disclosure, transfer and other processing of personal information, including those imposed pursuant to our National Security Agreements with the Committee on Foreign Investment in the United States ("CFIUS"), and our handling of personal data is regulated by federal, state and international governmental authorities and regulatory agencies. In addition to such laws and regulations, we may be subject to self-regulatory standards or other rules pertaining to information security and data protection proposed by privacy advocates, industry groups, other self-regulatory bodies or other information security or data protection-related organizations. These and other industry standards may legally or contractually apply to us, or we may elect to comply with such standards. Further, our contractual arrangements may impose additional, or more stringent, obligations upon us relating to our collection, use, retention, protection, disclosure, transfer and other processing of personal, financial and other data. The data protection landscape is rapidly evolving, and we expect that there will continue to be new proposed laws, regulations and industry standards, and changes to and in the interpretation of existing laws, regulations and standards, concerning privacy, data protection, information security and telecommunications services. Interpretation and implementation standards and enforcement practices are likely to remain uncertain for the foreseeable future, and we cannot yet determine the impact such future laws, regulations and standards, or changes to and in the interpretation of existing laws, regulations and standards, may have on our business, but they may result in greater public scrutiny and escalated levels of enforcement and sanctions, increased compliance costs, increased liabilities, restrictions on our operations or other adverse impacts upon our business. For example, evolving and changing definitions of personal information and personal data, especially related to the classification of IP addresses, machine identification, location data and other information, may limit or inhibit our ability to operate or expand our business, including limiting the sharing of data. Recently, the most rapid development in U.S. data privacy and security laws has been at the state level. For example, on June 28, 2018, California enacted the California Consumer Privacy Act (the "CCPA"), which took effect on January 1, 2020. The CCPA increased privacy rights for California residents and imposes obligations on companies that process their personal information, including an obligation to provide certain disclosures to such residents. Specifically, among other things, the CCPA created new consumer rights, and imposes corresponding obligations on covered businesses, relating to the access to, deletion of and sharing of personal information collected by covered businesses, including California residents' right to access and delete their personal information, opt out of certain sharing and sales of their personal information and receive detailed information about how their personal information is used. The CCPA provides for civil penalties for violations, as well as a private right of action for certain data breaches that result in the loss of personal information. This private right of action is expected to increase the likelihood of, and risks associated with, data breach litigation. The CCPA has already been amended several times, and further amendments may be enacted. Although interpretive guidance through enforcement cases brought by the California Office of the Attorney General is becoming available, even in its current form, it remains unclear how various provisions of the CCPA will be interpreted and enforced. Additionally, on November 3, 2020, California voters approved a further amendment to the CCPA, the California Privacy Rights Act (the "CPRA"), which took effect in most material respects on January 1, 2023. The CPRA significantly modified the CCPA, including by expanding consumers' rights with respect to certain personal information and creating a new state agency to oversee implementation and enforcement efforts, which has resulted in further uncertainty and has caused us to incur additional costs and expenses related to our compliance efforts. It remains unclear how various provisions of the CCPA and CPRA will be interpreted and enforced. Numerous other states have also enacted or are in the process of enacting or considering comprehensive state-level data privacy and security laws, rules and regulations. Compliance with these state laws may require us to modify our data processing practices and policies and may increase our compliance costs and potential liability. There is also discussion in Congress of a new comprehensive federal data protection and privacy law to which we likely would be subject if it is enacted. Additionally, in February 2022, the SEC proposed rules regarding cybersecurity that would require financial advisers and investment companies to adopt and implement formal cybersecurity policies, report significant cybersecurity incidents to the SEC and comply with additional recordkeeping obligations in relation to cybersecurity-related information. These proposed rules are subject to a comment period, which was reopened in March 2023, and the final rules adopted by the SEC may differ significantly from the proposed rules. Moreover, in July 2023, the SEC adopted new rules requiring public companies to provide enhanced disclosure of cybersecurity risks and incidents to investors. The new rules for public companies, and, if adopted as proposed, the proposed rules for financial advisers and investment companies, are expected to increase the cost of operating our business and will likely require additional time and resources dedicated to reporting and compliance matters. Many statutory requirements include obligations for companies to notify individuals of security breaches involving certain personal information, which could result from breaches experienced by us or our third-party service providers. For example, laws in all 50 U.S. states require businesses to provide notice to customers whose personal information has been disclosed as a result of a data breach. These laws are not consistent, and compliance in the event of a widespread data breach is difficult and may be costly. Moreover, states have been frequently amending existing laws, requiring attention to changing regulatory requirements. In addition, we may be contractually required to notify clients, end-investors or other counterparties of a security breach. Although we may have contractual protections with our third-party service providers, any security breach, or actual or perceived non-compliance with privacy or security laws, regulations, standards, policies or contractual obligations, could harm our reputation and brand, expose us to potential liability and require us to expend significant resources on data security and in responding to any such incident or actual or perceived non-compliance. Any contractual protections we may have from our third-party service providers may not be sufficient to adequately protect us from any such liabilities and losses, and we may be unable to enforce any such contractual protections. We make public statements about our use and disclosure of personal information through our privacy policy, information provided on our website and press statements. Although we endeavor to comply with our public statements and documentation, we may at times fail to do so or be alleged to have failed to do so. The publication of our privacy policy and other statements that provide promises and assurances about data privacy and security can subject us to potential government or legal action if they are found to be deceptive, unfair or misrepresentative of our actual practices. In addition, from time to time, concerns may be expressed about whether our products and services compromise the privacy of clients and others. Even the perception, whether or not valid, of privacy concerns or any failure by us to comply with our posted privacy policies or with any legal or regulatory requirements, standards, certifications or orders or other privacy or consumer protection-related laws and regulations applicable to us may harm our reputation, inhibit adoption of our products by current and future customers or adversely impact our ability to attract and retain workforce talent. Internationally, many jurisdictions have established their own data security and privacy legal frameworks with which we may need to comply. For example, the European Union (the "EU") has adopted the General Data Protection Regulation (the "GDPR"), which went into effect in May 2018 and contains numerous requirements and changes from previously existing EU law, including more robust obligations on data processors and heavier documentation requirements for data protection compliance programs. The GDPR requires data controllers to implement more stringent operational requirements for processors and controllers of personal data, including, for example, transparent and expanded disclosure to data subjects about how their personal information is to be used, limitations on retention of information, mandatory data breach notification requirements, and higher standards for data controllers to demonstrate that they have obtained valid consent for certain data processing activities. The GDPR also imposes strict rules on the transfer of personal data to countries outside the European Economic Area (the "EEA"), including the United States. Fines for noncompliance with the GDPR are significant and can be up to the greater of €20 million or 4% of annual global turnover. The GDPR also provides that EU member states may introduce further conditions, including limitations, which could limit our ability to collect, use and share EU data, and could cause our compliance costs to increase, ultimately having an adverse impact on our results of operations, financial condition or business. In July 2020, the Court of Justice of the European Union (the "CJEU") ruled the EU-U.S. Privacy Shield Framework, one of the primary safeguards that allowed U.S. companies to import personal data from the EU to the U.S., was invalid. The CJEU's decision also raised questions about whether the most commonly used mechanism for cross-border transfers of personal data out of the EEA, namely, the European Commission's Standard Contractual Clauses, can lawfully be used for personal data transfers from the EU to the United States or other countries the European Commission has determined do not provide adequate data protections under their laws. On June 4, 2021, the European Commission adopted new Standard Contractual Clauses, which impose on companies additional obligations relating to data transfers, including the obligation to conduct a transfer impact assessment and, depending on a party's role in the transfer, to implement additional security measures and to update internal privacy practices. As of September 27, 2021, companies must use the new Standard Contractual Clauses to govern data transfers made absent an adequacy determination or appropriate safeguards, and as of December 27, 2022, companies must replace existing Standard Contractual Clauses to govern current processing operations. On July 10, 2023, the European Commission adopted an adequacy decision concluding that the U.S. ensures an adequate level of protection for personal data transferred from the EEA to the U.S. under the EU-U.S. Data Privacy Framework, which is intended to replace the EU-U.S. Privacy Shield Framework. However, the adequacy decision does not foreclose, and is likely to face, future legal challenges resulting in ongoing legal uncertainty. If we are unable to implement a valid mechanism for personal data transfers from the EU, we will face increased exposure to regulatory actions, substantial fines and injunctions against processing personal data from the EU. Similar challenges could also arise in other jurisdictions that adopt regulatory frameworks of equivalent complexity. Further, the United Kingdom's vote in favor of exiting the EU, often referred to as "Brexit," and ongoing developments in the United Kingdom have created uncertainty with regard to data protection regulation in the United Kingdom. As of January 1, 2021, following the expiry of transitional arrangements agreed to between the United Kingdom and the EU, data processing in the United Kingdom is governed by a United Kingdom version of the GDPR (combining the GDPR and the United Kingdom's Data Protection Act 2018), exposing us to two parallel regimes, each of which authorizes similar fines and other potentially divergent enforcement actions for certain violations. On June 28, 2021, the European Commission adopted an adequacy decision in favor of the United Kingdom, enabling data transfers from EU member states to the United Kingdom without additional safeguards. However, the United Kingdom adequacy decision will automatically expire in June 2025 unless the European Commission re-assesses and renews or extends that decision. On October 12, 2023, the United Kingdom adopted an adequacy decision concluding that the U.S. ensures an adequate level of protection for personal data transferred from the United Kingdom to the U.S. pursuant to the United Kingdom extension to the EU-U.S. Data Privacy Framework (also known as the U.K.-U.S. data bridge). As above, the adequacy decision does not foreclose, and may face, future legal challenges resulting in ongoing legal uncertainty. Given the complexity of operationalizing data privacy and security laws and regulations to which we are subject, the maturity level of proposed compliance frameworks and the relative lack of guidance in the interpretation of the numerous requirements of the data privacy and security laws and regulations to which we are subject, we may not be able to respond quickly or effectively to regulatory, legislative and other developments, and these changes may in turn impair our ability to offer our existing or planned products and services or increase our cost of doing business. Although we work to comply with applicable laws and regulations, industry standards, contractual obligations and other legal obligations, such laws, regulations, standards and obligations are evolving and may be modified, interpreted and applied in an inconsistent manner from one jurisdiction to another, and may conflict with one another. In addition, they may conflict with other requirements or legal obligations that apply to our business or the features and services that our adviser clients and their investor clients expect from our products and services. As such, we cannot assure ongoing compliance with all such laws, regulations, standards and obligations. Any failure, or perceived failure, by us to adequately address privacy and security concerns, even if unfounded, or to comply with applicable laws, regulations and standards, or with employee, client and other data privacy and data security requirements pursuant to contract and our stated privacy notice(s), could result in investigations or proceedings against us by data protection authorities, governmental entities or others, including class action privacy litigation in certain jurisdictions, which could subject us to fines, civil or criminal liability, public censure, claims for damages by customers and other affected individuals, damage to our reputation and loss of goodwill (in relation to both existing and prospective clients), or we could be required to fundamentally change our business activities and practices, which may not be possible in a commercially reasonable manner, or at all. Any or all of these consequences could have a material adverse effect on our results of operations, financial condition or business.

Our success depends in part on our proprietary technology. We rely on a combination of copyright, trademark and trade secret laws, confidentiality, nondisclosure, non-interference and invention assignment agreements and other contractual and technical security measures to establish and protect our intellectual property and proprietary rights. If we fail to successfully obtain, maintain, enforce, monitor, police or defend our intellectual property rights, or if we were to infringe, misappropriate or violate the intellectual property rights of others, our competitive position, operations, financial condition or business could suffer. We license certain trademark and web domain rights from third parties and may be subject to claims of infringement if such parties do not possess the necessary intellectual property rights. In addition, we may face risk of infringement or misappropriation claims if we hire an employee who possesses third-party proprietary information who decides to use such information in connection with our investment solutions, services or business processes without such third party's authorization. Furthermore, third parties may in the future assert intellectual property infringement claims against our customers, which, in certain circumstances, we have agreed to indemnify. In some instances, litigation may be necessary to enforce our intellectual property rights and protect our proprietary information, or to defend against claims by third parties that we have infringed, misappropriated or violated their intellectual property rights. Any litigation or claims brought by or against us, whether with or without merit, could result in substantial costs to us and divert the attention of our management, which could harm our results of operations, financial condition or business. In addition, any intellectual property litigation or claims against us could result in the loss or compromise of our intellectual property and proprietary rights, subject us to significant liabilities or require us to seek licenses on unfavorable terms or make changes to the investment services and solutions we offer, any of which could harm our results of operations, financial condition or business.

We have integrated, or are in the process of integrating, artificial intelligence ("AI") into various aspects of our business operations. These include, but are not limited to, customer service automation, data analytics, supply chain management, and predictive maintenance. We evaluate and adapt our AI strategies to optimize operational efficiency and enhance customer experiences. We have made and expect to continue to make significant investments in AI, including software acquisitions, development of proprietary algorithms, and talent recruitment. These investments are expected to drive innovation, improve operational efficiencies, and contribute to long-term growth. While AI presents substantial opportunities, it also poses certain risks. These include reliance on complex algorithms, potential biases in AI decision-making, cybersecurity threats, and regulatory changes. If the AI tools that we use are deficient, inaccurate or controversial, we could incur operational inefficiencies, competitive harm, legal liability, brand or reputational harm, or other adverse impacts on our business and financial results. If we do not have sufficient rights to use the data or other material or content on which the AI tools we use rely, we also may incur liability through the violation of applicable laws and regulations, third-party intellectual property, privacy or other rights, or contracts to which we are a party. We seek to mitigate these risks through regular audits, risk assessments, review of privacy standards, security protocols, monitoring, and adaptive AI models. The integration of AI technologies has also led to changes in workforce requirements. We invest in employee training and development to adapt to AI-driven changes. While AI automates certain tasks, it also creates new roles and opportunities within our organization. We anticipate that AI will play an increasingly significant role in our operations and strategy. Ongoing investments and research in AI are expected to yield new capabilities and efficiencies, aligning with our long-term vision for innovation and growth. In addition, regulation of AI is rapidly evolving worldwide as legislators and regulators are increasingly focused on these powerful emerging technologies. The technologies underlying AI and its uses are subject to a variety of laws and regulations, including intellectual property, data privacy and security, consumer protection, competition, and equal opportunity laws, and are expected to be subject to increased regulation and new laws or new applications of existing laws and regulations. AI is the subject of ongoing review by various U.S. governmental and regulatory agencies, and various U.S. states and other foreign jurisdictions are applying, or are considering applying, their platform moderation, cybersecurity, and data protection laws and regulations to AI or are considering general legal frameworks for AI. We may not be able to anticipate how to respond to these rapidly evolving frameworks, and we may need to expend resources to adjust our operations or offerings in certain jurisdictions if the legal frameworks are inconsistent across jurisdictions. Furthermore, because AI technology itself is highly complex and rapidly developing, it is not possible to predict all of the legal, operational or technological risks that may arise relating to the use of AI.

We depend on the efforts of our executive officers, other management team members and key employees. Our executive officers, in particular, play an important role in the stability and growth of our business, and our future success depends, in part, on our ability to continue to attract and retain highly skilled personnel. The loss of any key personnel, such as the recent departure of our former Chief Executive Officer, could have a material adverse effect on our results of operations, financial condition or business.

We maintain relationships with certain broker-dealers and financial advisers that serve clients on our platform. The loss of these relationships would likely result in a loss of adviser and investor clients. Likewise, we engage strategists who offer certain investment products on our platform. The loss of certain strategists and their investment products could cause our investor clients to leave our platform to follow such strategists and investment products to our competitors or otherwise. We also maintain direct relationships with certain enterprise customers, the loss of which could have a material impact on our business. Further, the engagement contracts governing our relationships with broker-dealers, financial advisers and strategists are terminable by either us or the broker-dealer, financial adviser or strategist, as applicable, upon short-notice with or without cause. Further, broker-dealers and financial advisers may substantially reduce their use of our platform without terminating their agreements with us. Loss of our investor and enterprise clients, whether due to termination of a significant number of engagement contracts or otherwise, may have a material adverse effect on our financial condition and result in harm to our results of operations, financial condition or business.

Asset-based revenue makes up a significant portion of our revenue, representing 78.8% and 76.9% of our total revenue for the three months ended March 31, 2024 and 2023, respectively. In addition, given our fee-based model, we expect that asset-based revenue will continue to account for a significant percentage of our total revenue in the future. Significant fluctuations in securities prices have materially affected and will materially affect the value of the assets managed by our clients, and any decrease in the value of assets managed by our clients has and will continue to negatively impact our asset-based revenue. Spread-based revenue accounted for 15.8% and 18.8% of our total revenue for the three months ended March 31, 2024 and 2023, respectively. Fluctuations in interest rates have had and will have a direct impact on our spread-based revenue. Changes in interest rates, inflation and other economic indicators may also influence financial adviser and investor decisions regarding whether to invest in, or maintain an investment in, one or more of our investment solutions. Inflation and other economic factors may also impact the cost of running our business including the cost of personnel, operations, travel and other expenses. If such fluctuations in securities prices, interest rates or inflation were to lead to decreased investment in the securities markets, our revenue and earnings derived from asset-based and spread-based revenue could be simultaneously materially adversely affected. We provide our investment solutions and services to the financial services industry. The financial markets, and in turn the financial services industry, are affected by many factors, such as U.S. and foreign economic and geopolitical conditions and general trends in business and finance that are beyond our control, and could be adversely affected by changes in the equity or debt marketplaces, unanticipated changes in currency exchange rates, interest rates, inflation rates, the yield curve, financial crises, war, terrorism, natural disasters, pandemics and outbreaks of disease or similar public health concerns and other factors that are difficult to predict. During periods of severe or prolonged downturns or market volatility, investments may lose value and investors may choose to withdraw assets from financial advisers and use the assets to pay expenses or transfer them to investments that they perceive to be more secure, such as bank deposits and Treasury securities. Any prolonged downturn in financial markets, or increased levels of asset withdrawals could have a material adverse effect on our results of operations, financial condition or business.