Bill.com Holdings (BILL) Risk Factors

We are required to comply with the Mastercard, American Express, and Visa payment card network operating rules applicable to our card products. We have agreed to reimburse certain service providers for any fines they are assessed by payment card networks as a result of any rule violations by us. We may also be directly liable to the payment card networks for rule violations. The payment card networks set and interpret the card operating rules. The payment card networks could adopt new operating rules or interpret or reinterpret existing rules that we or our processors might find difficult or even impossible to follow, or costly to implement. We also may seek to introduce other card-related products in the future, which would entail compliance with additional operating rules. As a result of any violations of rules, new rules being implemented, or increased fees, we could be hindered or lose our ability to provide our card products, which would adversely affect our business. In addition, we are contractually obligated to comply with card network rules as a card program manager. As a result of any violations of these rules or new rules being implemented, we could lose our ability or rights to act as a card program manager.

As of June 30, 2024, we had net operating loss (NOL) carryforwards of approximately $1.2 billion, $1.0 billion, and $134.9 million for federal, state, and foreign tax purposes, respectively, that are available to reduce future taxable income. If not utilized, the state NOL carryforwards will begin to expire in 2024. As of June 30, 2024, the federal and foreign NOL carryforwards do not expire and will carry forward indefinitely until utilized. As of June 30, 2024, we also had research and development tax credit carryforwards of approximately $76.5 million and $53.1 million for federal and state tax purposes, respectively. If not utilized, the federal tax credits will expire at various dates beginning in 2041. The majority of the state tax credits do not expire and will carry forward indefinitely until utilized. In general, under Sections 382 and 383 of the U.S. Internal Revenue Code of 1986, as amended (the Code), a corporation that undergoes an "ownership change" is subject to limitations on its ability to utilize its pre-change NOLs and other tax attributes, such as research tax credits, to offset future taxable income or income tax. If it is determined that we have in the past experienced an ownership change, or if we undergo one or more ownership changes as a result of future transactions in our stock, then our ability to utilize NOLs and other pre-change tax attributes could be limited by Sections 382 and 383 of the Code. Future changes in our stock ownership, many of which are outside of our control, could result in an ownership change under Sections 382 or 383 of the Code. Furthermore, our ability to utilize NOLs of companies that we may acquire in the future may be subject to limitations. For these reasons, we may not be able to utilize a material portion of the NOLs, even if we were to achieve profitability. In addition, any future changes in tax laws could impact our ability to utilize NOLs in future years and may result in greater tax liabilities than we would otherwise incur and adversely affect our cash flows and financial position.

Our customers, their suppliers, and other users store personal and business information, financial information, and other sensitive information on our platform. In addition, we receive, store, and process personal and business information and other data from and about actual and prospective customers and users, in addition to our employees and service providers. Our handling of data is subject to a variety of laws and regulations, including regulation by various government agencies, such as the FTC, and various state, local, and foreign agencies. Our data handling also is subject to contractual obligations and industry standards. The U.S. federal and various state and foreign governments have adopted or proposed limitations on the collection, distribution, use, and storage of data relating to individuals and businesses, including the use of contact information and other data for marketing, advertising, and other communications with individuals and businesses. In the U.S., various laws and regulations apply to the collection, processing, disclosure, and security of certain types of data, including the Gramm Leach Bliley Act (GLBA) and state laws relating to privacy and data security. GLBA requires financial institutions to explain their information sharing practices to their customers and to safeguard sensitive data. Additionally, the FTC and many state attorneys general are interpreting federal and state consumer protection laws as imposing standards for the online collection, use, dissemination, and security of data. For example, the California Consumer Privacy Act (CCPA), which broadly defines personal information, gives California residents expanded privacy rights and protections, including the right to opt out of certain personal information sharing, the use of "sensitive personal information," and the use of personal information for automated decision-making or targeted advertising and provides for civil penalties for violations and a private right of action for data breaches. Many aspects of the CCPA remain unclear, and its full impact on our business and operations remains uncertain. Following the lead of California, over a third of U.S. states, including Colorado, Virginia, and Texas have enacted laws similar to the CCPA and several other states are considering enacting similarly comprehensive consumer privacy laws as well. Accordingly, the laws and regulations relating to privacy, data protection, and information security are evolving, can be subject to significant change, and may result in ever-increasing regulatory and public scrutiny and escalating levels of enforcement and sanctions. In addition, several foreign countries and governmental bodies, including the European Union (EU) and the United Kingdom (UK), have laws and regulations dealing with the handling and processing of personal information, which in certain cases are more restrictive than those in the U.S. Laws and regulations in these jurisdictions apply broadly to the collection, use, storage, disclosure, and security of various types of data, including data that identifies or may be used to identify an individual, such as names, email addresses, and internet protocol addresses. Our current and prospective service offerings subject us to the GDPR, Australian and Canadian privacy laws, and the privacy laws of many other foreign jurisdictions. Such laws and regulations may be modified or subject to new or different interpretations, and new laws and regulations may be enacted in the future. For example, the GDPR imposes stringent operational requirements for controllers and processors of personal data of individuals within the European Economic Area and the UK, respectively, and non-compliance can trigger robust regulatory enforcement and fines of up to the greater of €20 million or 4% of the annual global revenues. Among other requirements, GDPR regulates transfers of personal data to third countries that have not been found to provide adequate protection to such personal data, including the United States. The efficacy and longevity of current transfer mechanisms between the EU or the UK and the United States remains uncertain. Violations of the GDPR may also lead to damages claims by data controllers and data subjects, in addition to civil litigation claims by data controllers, customers, and data subjects. The scope and interpretation of the laws that are or may be applicable to us are often uncertain and may be conflicting as a result of the rapidly evolving regulatory framework for privacy issues worldwide. For example, laws relating to the liability of providers of online services for activities of their users and other third parties are currently being tested by a number of claims, including actions based on invasion of privacy and other torts, unfair competition, copyright and trademark infringement, and other theories based on the nature and content of the materials searched, the ads posted, or the content provided by users. As a result of the laws that are or may be applicable to us, and due to the sensitive nature of the information we collect, we have implemented policies and procedures to preserve and protect our data and our customers' data against loss, misuse, corruption, misappropriation caused by systems failures, or unauthorized access. If our policies, procedures, or measures relating to privacy, data protection, information security, marketing, or customer communications fail to comply with laws, regulations, policies, legal obligations, or industry standards, we may be subject to governmental enforcement actions, litigation, regulatory investigations, fines, penalties, and negative publicity, and it could cause our application providers, customers, and partners to lose trust in us, and have an adverse effect on our business, operating results, and financial condition. In addition to government regulation, privacy advocates and industry groups may propose new and different self-regulatory standards that may apply to us. Because the interpretation and application of privacy, data protection and information security laws, regulations, rules, and other standards are still uncertain, it is possible that these laws, rules, regulations, and other actual or alleged legal obligations, such as contractual or self-regulatory obligations, may be interpreted and applied in a manner that is inconsistent with our existing data management practices or the functionality of our platform. If so, in addition to the possibility of fines, lawsuits, and other claims, we could be required to fundamentally change our business activities and practices or modify our software, which could have an adverse effect on our business. Any failure or perceived failure by us to comply with laws, regulations, policies, legal, or contractual obligations, industry standards, or regulatory guidance relating to privacy, data protection, or information security, may result in governmental investigations and enforcement actions, litigation, fines and penalties, or adverse publicity, and could cause our customers and partners to lose trust in us, which could have an adverse effect on our reputation and business. We expect that there will continue to be new proposed laws, regulations, and industry standards relating to privacy, data protection, information security, marketing, and consumer communications, and we cannot determine the impact such future laws, regulations, and standards may have on our business. Future laws, regulations, standards, and other obligations or any changed interpretation of existing laws or regulations could impair our ability to develop and market new functionality and maintain and grow our customer base and increase revenue. Future restrictions on the collection, use, sharing, or disclosure of data, or additional requirements for express or implied consent of our customers, partners, or users for the use and disclosure of such information could require us to incur additional costs or modify our platform, possibly in a material manner, and could limit our ability to develop new functionality. If we are not able to comply with these laws or regulations, or if we become liable under these laws or regulations, our business, financial condition, or reputation could be harmed, and we may be forced to implement new measures to reduce our exposure to this liability. This may require us to expend substantial resources or to discontinue certain products, which would negatively affect our business, financial condition,and operating results. In addition, the increased attention focused upon liability issues as a result of lawsuits and legislative proposals could harm our reputation or otherwise adversely affect the growth of our business. Furthermore, any costs incurred as a result of this potential liability could harm our operating results.

The market for SMB financial software solutions is relatively new and subject to ongoing technological change, evolving industry standards, payment methods, and changing regulations, as well as changing customer needs, requirements, and preferences. The success of our business will depend, in part, on our ability to adapt and respond effectively to these changes on a timely basis, including launching new products and services. In addition, the market for our spend and expense management solution is new and fragmented, and it is uncertain whether we will achieve and sustain high levels of demand and market adoption. The success of any new product and service, or any enhancements or modifications to existing products and services, depends on several factors, including the timely completion, introduction, and market acceptance of such products and services, enhancements, and modifications. If we are unable to enhance our platform, add new payment methods, or develop new products that keep pace with technological and regulatory change and achieve market acceptance, or if new technologies emerge that are able to deliver competitive products and services at lower prices, more efficiently, more conveniently, or more securely than our products, our business, operating results, and financial condition would be adversely affected. Furthermore, modifications to our existing platform or technology will increase our research and development expenses. Any failure of our services to operate effectively with existing or future network platforms and technologies could reduce the demand for our services, result in customer or spending business dissatisfaction, and adversely affect our business.

Our success is dependent, in part, upon protecting our proprietary technology. We rely on a combination of patents, copyrights, trademarks, service marks, trade secret laws, and contractual provisions to establish and protect our proprietary rights. However, the steps we take to protect our intellectual property may be inadequate. While we have been issued patents in the U.S. and have additional patent applications pending, we may be unable to obtain patent protection for the technology covered in our patent applications. In addition, any patents issued in the future may not provide us with competitive advantages or may be successfully challenged by third parties. Any of our patents, trademarks, or other intellectual property rights may be challenged or circumvented by others or invalidated through administrative process or litigation. There can be no guarantee that others will not independently develop similar products, duplicate any of our products, or design around our patents. Furthermore, legal standards relating to the validity, enforceability, and scope of protection of intellectual property rights are uncertain. Despite our precautions, it may be possible for unauthorized third parties to copy our products and use information that we regard as proprietary to create products and services that compete with ours.

We use open source software in our products. From time to time, there have been claims challenging the ownership of open source software against companies that incorporate it into their products. As a result, we could be subject to lawsuits by parties claiming ownership of what we believe to be open source software. Litigation could be costly for us to defend, have a negative effect on our operating results and financial condition, or require us to devote additional research and development resources to change our products. In addition, if we were to combine our proprietary software products with open source software in a certain manner under certain open source licenses, we could be required to release the source code of our proprietary software products. If we inappropriately use or incorporate open source software subject to certain types of open source licenses that challenge the proprietary nature of our products, we may be required to re-engineer such products, discontinue the sale of such products, or take other remedial actions.

As of June 30, 2024, we had 474,600 businesses using our solutions and TPV processed was approximately $292.4 billion, $266.0 billion, and $228.1 billion during fiscal 2024, 2023, and 2022, respectively. Accordingly, we have grown rapidly and seek to continue to grow, and although we maintain a robust and multi-faceted risk management process, our business is highly complex and always subject to the risk of financial losses as a result of credit losses, operational errors, software defects, service disruption, employee misconduct, security breaches, or other similar actions or errors on our platform. As a provider of accounts payable, accounts receivable, spend and expense management, and payment solutions, we collect and transfer funds on behalf of our customers and our trustworthiness and reputation are fundamental to our business. The occurrence of any credit losses, operational errors, software defects, service disruptions, employee misconduct, security breaches, or other similar actions or errors on our platform could result in financial losses to our business and our customers, loss of trust, damage to our reputation, or termination of our agreements with financial institution partners and accountants, each of which could result in: - loss of customers;- lost or delayed market acceptance and sales of our platform;- legal claims against us, including warranty and service level agreement claims;- regulatory enforcement action; or - diversion of our resources, including through increased service expenses or financial concessions, and increased insurance costs. Although our terms of service allocate to our customers the risk of loss resulting from our customers' errors, omissions, employee fraud, or other fraudulent activity related to their systems, in some instances we may cover such losses for efficiency or to prevent damage to our reputation. Although we maintain insurance to cover losses resulting from our errors and omissions, there can be no assurance that our insurance will cover all losses or our coverage will be sufficient to cover our losses. If we suffer significant losses or reputational harm as a result, our business, operating results, and financial condition could be adversely affected.

During the second quarter of fiscal 2024, we announced a reduction in force (RIF) impacting approximately 15% of our global workforce and the closure of our Sydney, Australia office. In connection with the RIF, we have incurred and may continue to incur additional costs in the near term, including cash expenditures related to severance payments, certain retention payments, employee benefits and employee transition costs, as well as non-cash charges for stock-based compensation expense. The RIF may result in other unintended consequences, including employee attrition beyond our intended reduction in force, damage to our corporate culture and decreased employee morale among our remaining employees, diversion of management attention, adverse effects to our reputation as an employer, loss of institutional knowledge and expertise (particularly as it relates to our Invoice2Go solutions), and potential failure or delays to meet operational and growth targets due to the loss of qualified employees. If we experience any of these adverse consequences, the RIF may not achieve its intended benefits, or the benefits, even if achieved, may not be adequate to meet our long-term profitability and operational expectations, which could adversely affect our business, operating results and financial condition.