Bakkt Holdings, Inc. Class A (BKKT) Risk Factors

Certain of our subsidiaries are subject to regulatory supervision, including the requirement to obtain prior consent from the relevant regulator when a person holds, acquires or increases a controlling interest in those entities. For instance, under certain state money transmitter regulations, no person may hold or acquire, alone or together with others, a direct or indirect stake of 10% or more of us, or exercise, directly or indirectly, a controlling influence over us or any of the regulated subsidiaries. Under other state money transmitter regulations, that threshold may be higher. Non-compliance with those requirements may lead to injunctions, penalties and sanctions against us as well as the person seeking to hold, acquire or increase a controlling interest, may subject the relevant transactions to cancellation or forced sale, and may result in increased regulatory compliance requirements or other potential regulatory restrictions on our business (including in respect of matters such as corporate governance, restructurings, mergers and acquisitions, financings and distributions). If any of this were to occur, it could damage our reputation, limit our growth and materially and adversely affect our business, financial condition and results of operations.

In general, a company that is or holds itself out as being engaged primarily in the business of investing, reinvesting, or trading in securities may be deemed to be an investment company under the Investment Company Act. The Investment Company Act contains substantive legal requirements that regulate the manner in which "investment companies" are permitted to conduct their business activities. We believe we have conducted, and intend to continue to conduct, our business in a manner that does not result in us being characterized as an investment company. To avoid being deemed an investment company, we may decide not to broaden our offerings, which could require us to forgo attractive opportunities. If we are deemed to be an investment company under the Investment Company Act, we would be required to institute burdensome compliance requirements and our activities would be restricted, which would adversely affect our business, financial condition and results of operations. In addition, we may be forced to make changes to our management team if we are required to register as an investment company under the Investment Company Act.

In 2023, we acquired Bumped, a broker-dealer registered with FINRA. Bumped is registered as a broker-dealer in 52 U.S. states and territories. As such, we are subject to regulation, examination, investigation, and disciplinary action by the SEC, FINRA, and state securities regulators, as well as other governmental authorities and self-regulatory organizations with which Bumped is registered or licensed or of which Bumped is a member. Our failure or inability to comply with any of these regulations or any regulatory action against us could adversely affect our results of operations, financial condition, or business.

We are subject to anti-money laundering and counter terrorist financing laws and regulations globally, including the Bank Secrecy Act, as amended by the USA PATRIOT Act, the regulations promulgated by FinCEN, as well as economic and trade sanctions programs, including those imposed and administered by OFAC. These regulations prohibit, among other things, our involvement in transferring the proceeds of criminal activities. Under OFAC's economic sanctions program, we are prohibited from financial transactions and other dealings with certain countries and geographies and with persons and entities included in OFAC sanctions lists, including its list of Specially Designated Nationals and Blocked Persons. The United States is also a member of the Financial Action Task Force ("FATF"), an intergovernmental body that establishes international standards to combat money laundering, terrorist financing and other related threats to the integrity of the international financial system. FATF issues guidance that members states are required to observe. More recently, in October 2021, FATF issued the Updated Guidance for Virtual Assets and Virtual Asset Service Providers ("FATF Guidance") which provides additional details regarding expectations for crypto businesses, including those related to due diligence, transmission of transaction data and reporting. Regulators in the United States, where we currently operate, continue to increase their scrutiny of compliance with these obligations, which may require us to further revise or expand our compliance program. For example, Division F of the National Defense Authorization Act for Fiscal Year 2021, titled the Anti-Money Laundering Act of 2020, makes significant reforms to the Bank Secrecy Act and other anti-money laundering rules. Evaluation and incorporation of changes required under Division F could result in greater costs for compliance. Furthermore, on March 2, 2022, a group of United States Senators sent the Secretary of the United States Treasury Department a letter asking Secretary Yellen to investigate its ability to enforce such sanctions vis-à-vis bitcoin, and on March 8, 2022, President Biden announced an executive order on crypto that seeks to establish a unified federal regulatory regime for crypto. We are unable to predict the nature or extent of new and proposed legislation and regulation affecting the crypto industry, or the potential impact of the use of crypto by Specially Designated Nationals or Blocked Persons, which could have material adverse effects on our business and our industry more broadly. Our failure to comply with such laws and regulations, as required by our regulators, may expose us to liability or enforcement actions. There also can be no assurance that our employees or agents will not violate such anti-money laundering and counter terrorist financing laws and regulations. A failure by us or our employees or agents to comply with such laws and regulations and subsequent judgment or settlement against us under these laws could subject us to monetary penalties, damages and/or have a significant reputational impact.

We are subject to the U.S. Foreign Corrupt Practices Act of 1977 (the "FCPA"), the U.S. domestic bribery statute contained in 18 U.S.C. § 201, and possibly other anti-bribery and anti-corruption laws in countries outside of the United States where we conduct our activities. Anti-corruption and anti-bribery laws are enforced aggressively and are interpreted broadly to generally prohibit companies, their employees, agents, representatives, clients, and third-party intermediaries from authorizing, offering, or providing, directly or indirectly, improper payments or benefits to recipients in the public or private sector. We may leverage third parties to sell our products and conduct our business abroad. We, our employees, agents, representatives, clients and third-party intermediaries may have direct or indirect interactions with officials and employees of government agencies or state-owned or affiliated entities and we may be held liable for the corrupt or other illegal activities of these employees, agents, representatives, clients or third-party intermediaries even if we do not explicitly authorize such activities. We cannot assure you that all of our employees, agents, representatives, clients or third-party intermediaries will not take actions in violation of applicable law for which we may be ultimately held responsible. As we increase our international sales and business, our risks under these laws may increase. These laws also require that we keep accurate books and records and maintain internal controls and compliance procedures designed to prevent any such actions. While we have implemented policies and procedures designed to ensure compliance with these laws and regulations, there can be no assurance that none of our employees, agents, representatives, clients or third-party intermediaries will not violate our policies or applicable laws and regulations, for which we may be ultimately held responsible. Any allegations or violation of the FCPA or other applicable anti-bribery and anti-corruption laws could result in whistleblower complaints, sanctions, settlements, prosecution, enforcement actions, fines, damages, adverse media coverage, investigations, loss of export privileges, severe criminal or civil sanctions, or suspension or debarment from government contracts, all of which may have an adverse effect on our reputation, business, results of operations, and prospects. Responding to any investigation or action will likely result in a materially significant diversion of management's attention and resources and significant defense costs and other professional fees.

We are subject to federal and state consumer protection laws and regulations in the jurisdictions in which we operate. In the United States, Bakkt Marketplace is subject to federal and state consumer protection laws and regulations applicable to its activities, including the Electronic Fund Transfer Act ("EFTA") and Regulation E as implemented by the CFPB. These regulations require us to provide advance disclosure of changes to our services, follow specified error resolution procedures and reimburse consumers for losses from certain transactions not authorized by the consumer, among other requirements. There are uncertainties associated with being subject to consumer protection rules and regulations of the CFPB and other regulators, including in the application of certain rules and regulations to our business model and to crypto. Bakkt Marketplace may be considered a "covered person" for purposes of the CFPB's enforcement authority and may additionally be subject to the authority of the Federal Trade Commission. Under certain consumer protection rules and regulations, we may be exposed to significant liability to consumers in the event that there is an incident which results in a large number of unauthorized and fraudulent transfers out of our system. Additionally, we could face private litigation by consumers under consumer protection laws and regulations that have private rights of action. Technical violations of consumer protection laws could result in the assessment of actual damages or statutory damages or penalties of up to $1,000 in individual cases or up to $500,000 per violation in any class action and treble damages in some instances; we could also be liable for plaintiffs' attorneys' fees in such cases. We could be subject to, and could be required to pay amounts in settlement of, lawsuits containing allegations that our business violated the EFTA and Regulation E or otherwise advance claims for relief relating to our business practices. We have implemented certain changes to comply with the CFPB's rule on prepaid accounts, which requires, among other things, the disclosure of fees and other information to the consumer prior to the creation of a prepaid account, some of which constitute substantial changes to the design of certain U.S. consumer accounts and their operability, which could lead to consumer dissatisfaction, require us to reallocate resources, and increase our costs, which could negatively affect our business.

Our business is subject to laws, rules, regulations, policies and legal interpretations in the markets in which we operate, including, but not limited to, those governing money transmission, crypto asset business activity, consumer protection, anti-money laundering, counter-terrorist financing, privacy and data protection, cybersecurity, economic and trade sanctions, commodities, derivatives, and securities. We have been, and expect to continue to be, required to apply for and maintain various licenses, certifications and regulatory approvals in jurisdictions where we provide our services, including due to changes in applicable laws and regulations or the interpretation of such laws and regulations. There can be no assurance that we will elect to pursue, or be able to obtain, any such licenses, certifications and approvals. In addition, there are substantial costs and potential product changes involved in maintaining and renewing such licenses, certifications and approvals. For instance, in the United States, each of Bakkt Marketplace and Bakkt Crypto has obtained licenses to operate as a money transmitter (or its equivalent) in the states where it operates and where such licenses are required, as well as in the District of Columbia and Puerto Rico, and as a virtual currency business with the State of New York. In these capacities, each of Bakkt Marketplace and Bakkt Crypto is subject to reporting requirements, restrictions with respect to the investment of consumer funds, bonding requirements and inspection by state regulatory agencies. As we expand our business activities, both as to the products and services offered and into jurisdictions beyond the United States, including as a result of the Bakkt Crypto acquisition, we have become increasingly obligated to comply with new laws and regulations, including those of any additional countries and markets in which we operate, and we may be subject to increased regulatory oversight and enforcement and more restrictive rules and regulations. Laws outside of the United States often impose different, more specific, or even conflicting obligations on companies, as well as broader liability. For example, certain transactions that may be permissible in a local jurisdiction may be prohibited by regulations of U.S. Department of the Treasury's Office of Foreign Assets Control ("OFAC") or U.S. anti-money laundering or counter-terrorist financing regulations. Our ability to manage our business and conduct our operations internationally will require considerable management attention and resources, particularly as we have no operating history outside the United States and limited experience with international regulatory environments and market practices. Our failure to successfully manage regulatory risks could harm our international operations and have an adverse effect on our business, operating results, and financial condition. As we expand our international activities, we become increasingly obligated to comply with the laws, rules, regulations, policies and legal interpretations of both the jurisdictions in which we operate and those into which we offer services on a cross-border basis. For instance, financial regulators outside the United States have increased scrutiny of crypto asset platforms over time, such as by requiring crypto asset platforms operating in their local jurisdictions to be regulated and licensed under local laws. To the extent a customer accesses our services outside of jurisdictions where we have obtained required governmental licenses and authorization, we face a risk of becoming subject to regulations in that local jurisdiction. A regulator's conclusion that we are servicing customers in its jurisdiction without being appropriately licensed, registered or authorized could result in fines or other enforcement actions. In general, any failure or perceived failure to comply with existing or new laws, regulations, or orders of any regulatory authority (including changes to or expansion of the interpretation of those laws, regulations, or orders) may subject us to liability, significant fines, penalties, criminal and civil lawsuits, forfeiture of significant assets and enforcement actions in one or more jurisdictions, result in additional compliance and licensure requirements, increase regulatory scrutiny of our business, restrict our operations and force us to change our business practices, make product or operational changes, including ceasing our operations in certain jurisdictions, or delaying planned product launches or improvements. Any of the foregoing could, individually or in the aggregate, harm our reputation, damage our brand and business, impose substantial costs and adversely affect our financial condition and results of operations. The complexity of U.S. federal and state regulatory and enforcement regimes, coupled with the scope of our operations and the evolving regulatory environment, could result in a single event giving rise to a large number of overlapping investigations and legal and regulatory proceedings by multiple authorities. Moreover, we cannot provide any assurance that our employees, contractors, or agents will not violate such laws and regulations.

Significant parts of our business, such as our product and service offerings involving crypto, are subject to uncertain and/or evolving regulatory regimes. As crypto has grown in both popularity and market size, governments have reacted differently, with certain governments deeming it illegal and others allowing its use and trade without restriction. The failures of risk management and other control functions at other companies that played a role in the 2022 and 2023 events have accelerated, and continue to accelerate, an existing regulatory trend toward stricter oversight of crypto platforms and the crypto industry. Legislation, regulations and enforcement actions applicable to crypto in the United States include, but are not limited to the following: - In 2023, the SEC initiated lawsuits against certain crypto asset exchanges, including Bittrex, Coinbase, Binance, and Kraken alleging among other things that those entities operated as unregistered national securities exchanges,unregistered broker-dealers and unregistered clearing agencies and alleging that certain crypto assets available on their platforms are securities. - The Commodity Futures Trading Commission ("CFTC") staff has publicly taken the position that certain crypto assets are commodities, and as such, exchange-traded derivatives involving bitcoin are subject to the CFTC's jurisdiction and enforcement powers. This has been reflected in certain CFTC enforcement actions, including those against Coinflip, Inc. and certain informal CFTC guidance, such as the LabCFTC's Primer on Virtual Currencies. - In June 2023, the CFTC won a default judgment against Ooki DAO, a decentralized autonomous organization that the CFTC charged with operating an illegal trading platform and unlawfully offering leveraged and margined retail commodity transactions in crypto assets outside of a registered exchange, unlawfully acting as a Futures Commission Merchant (FCM), and unlawfully failing to comply with Bank Secrecy Act obligations applicable to FCMs. - In July 2023, a court in the Southern District of New York held that Ripple's sales of XRP to sophisticated investors pursuant to written contracts did constitute the unregistered offer and sale of investment contracts while sales of XRP to purchasers through blind bid/ask transactions on crypto asset exchanges did not constitute the sale of unregistered securities. - On July 31, 2023, a different court in the Southern District of New York held that the SEC had asserted a plausible claim that certain inter-related crypto assets offered by Terraform Labs qualified as investment contracts. - In September 2023, the CFTC issued orders and simultaneously filed and settled charges against Opyn, Inc., ZeroEx, Inc., and Deridex, Inc., alleging that each had offered users the ability to trade crypto asset derivatives without registering with the CFTC as one or more regulated entities. - The U.S. Congress has expressed the need for both greater federal oversight of the crypto industry and comprehensive crypto asset legislation. In June 2023, a bill was introduced in the U.S. House of Representatives that would place certain crypto assets under SEC oversight, while placing others that qualify as commodities, under the jurisdiction of the CFTC. Under the draft bill, whether a particularly crypto asset is as a security or commodity would depend, among other things, on how decentralized its underlying blockchain is. The bill would also require crypto asset intermediaries, such as certain of our subsidiaries, to register with and be regulated by the CFTC, the SEC or both. - Certain state regulators, such as NYDFS, have created or are in the process of creating new regulatory frameworks with respect to crypto. For example, in 2015, the State of New York adopted the "BitLicense," the first U.S. regulatory framework for licensing participants in crypto business activity. Each of Bakkt Marketplace and Bakkt Crypto currently operates under a BitLicense. On January 25, 2023, NYDFS released guidance regarding crypto custody practices, providing that a "virtual currency entity custodian" must: (1) separately account for and segregate customer assets from proprietary assets, (2) take possession of customer assets only for the limited purpose of carrying out custody and safekeeping services, (3) request approval before implementing any sub-custody arrangements, and (4) provide adequate disclosure to customers. In addition, Louisiana has adopted a virtual currency regulation, effective as of January 1, 2023, which requires operators of virtual currency businesses to obtain a virtual currency license in order to conduct business in Louisiana, and as such, we are in the process of applying for this license. Other states, such as Texas, have published guidance on how their existing regulatory regimes governing money transmitters apply to virtual currencies. Some states, such as New Hampshire, North Carolina and Washington, have amended their state's statutes to clarify the treatment of virtual currencies within existing licensing regimes, while others have interpreted their existing statutes as requiring a money transmitter license to conduct certain virtual currency business activities. - FinCEN has released guidance regarding how it considers its regulations to interact with crypto businesses. - The IRS released guidance treating crypto as property that is not currency for U.S. federal income tax purposes. - In August 2023, the IRS published proposed regulations on tax reporting requirements for cryptocurrency brokers, which are generally expected to expand the scope of companies that are required to report basis, adjusted basis, gross proceeds and amounts realized from sales of covered crypto assets. - In October 2023, the governor of California signed into law the Digital Financial Assets Law ("DFAL"), which establishes a required licensing framework administered by the California Department of Financial Protection and Innovation ("DFPI") for entities engaged in digital financial asset business activity in the state of California. The Company expects that its business will require licensure under the DFAL and will therefore take steps to obtain necessary licenses prior to the enactment's effective date of July 1, 2025. The Company notes that the DFAL provides that the DFPI may issue a conditional license to companies, such as our subsidiaries, that maintain licenses to conduct virtual currency business activity in New York or hold a charter as a New York limited purpose trust company with approval to conduct a virtual currency business under New York law. The Company will continue to monitor and review guidance from the DFPI clarifying the enactment's scope and interpretation. Governmental and regulatory bodies may continue to adopt new laws and regulations, issue new guidance or bring new enforcement actions relating to crypto and the crypto industry generally, and crypto platforms in particular, the direction and timing of which may be influenced by changes in the governing administrations and major events in the crypto industry. In addition, regulators may establish self-regulatory bodies to set guidelines regarding crypto, which could have similar effects on new policies adopted by government bodies. To the extent regulators issue guidance, uncertainties may remain regarding the application of such guidance and any informal guidance may not be an official policy, rule or regulation, may be subject to change and is not necessarily binding on the applicable regulators. Enforcement actions may also be contested in litigation, which could take years to resolve, and can also lead to an uncertain regulatory environment. The technologies underlying crypto are novel technologies and relatively untested, and the application of securities and other laws to aspects of these technologies and crypto is unclear in certain respects. It is difficult to predict how or whether regulatory agencies may apply existing or new regulation with respect to this technology and its applications, and whether regulators will bring enforcement actions on specific issues. For instance, U.S. bankruptcy courts are now faced with a number of questions of first impression that may determine the status of crypto in bankruptcy, and the rights and obligations of platforms that custody crypto for their customers. New interpretations of, or changes to, existing laws, regulations and guidance, and new enforcement actions, may adversely impact the development of the crypto industry as a whole and our legal and regulatory status in particular by changing how we operate our business, how our products and services are regulated, and what products or services we and our competitors can offer, requiring changes to our compliance and risk mitigation programs, policies and procedures, imposing new licensing requirements, or imposing a total ban on certain crypto transactions, as has occurred in certain jurisdictions in the past. In addition, new or changing laws, regulations, guidance or enforcement actions, could severely or materially adversely impact, among other things, the permissibility of the operation of the blockchain networks underlying crypto and our operations; adversely impact the value or liquidity of crypto; limit the ability to access marketplaces or exchanges on which to trade crypto; adversely impact the structure, rights and transferability of crypto and the treatment of crypto and holders of crypto in insolvency proceedings; and result in further negative publicity relating to particular crypto assets or platforms or the crypto industry more generally. Any of the foregoing could significantly adversely impact our business. See also "-Risks Related to Regulation, Taxation and Law-A crypto asset's status as a "security" in any relevant jurisdiction is subject to a high degree of uncertainty, and if crypto assets on our platform are later determined to be securities, we may be subject to regulatory scrutiny, investigations, fines, and other penalties, which may adversely affect our business, operating results, and financial condition."

The SEC and its staff have taken the position that certain crypto assets fall within the definition of a "security" under the U.S. federal securities laws, and it is possible the SEC may take this position with respect to other assets that may be transacted on our platform. Certain legal tests for determining whether any given asset is a security may require highly complex and fact-driven analyses, and the outcome is difficult to predict. The SEC, as well as other regulators, have been increasingly focused on the regulation of crypto, which has impacted and will continue to impact our business. In recent months, the SEC has alleged a number of additional crypto assets to be securities in the course of enforcement actions and lawsuits brought against crypto market participants, including lawsuits brought against the crypto exchanges Bittrex, Coinbase, Binance, and Kraken. Among the crypto assets identified as securities in these actions are assets that were previously listed on Bakkt Crypto's platform, which Bakkt has since delisted. Prior SEC enforcement activity had not alleged crypto assets made available for trading on or through a Bakkt platform to be securities. It is not clear what actions the SEC will take with respect to those or other crypto assets, including in the course of the SEC inquiry regarding the Bakkt Crypto platform that began prior to Bakkt's acquisition, or what decisions the courts will reach regarding the status of specific crypto assets as securities. For example, in December 2020, the SEC initiated a lawsuit against Ripple Labs, Inc. ("Ripple") and two of its executives, alleging that they engaged in the unlawful offer and sale of unregistered securities through sales of XRP, Ripple's crypto asset, since 2012. On July 13, 2023, a court in the Southern District of New York held that Ripple's sales of XRP to sophisticated investors pursuant to written contracts did constitute the unregistered offer and sale of investment contracts while sales of XRP to purchasers through blind bid/ask transactions on crypto asset exchanges did not constitute the sale of unregistered securities. There also remains a significant lack of clarity over whether individual crypto assets that purport to maintain a fixed or "stable" value relative to a fiat currency or other underlying asset, known as "stablecoins," will be deemed to be "securities." The classification of an asset as a security under applicable law has wide-ranging implications for the regulatory obligations that flow from the offer, sale, trading and clearing of such assets. For example, an asset that is a security in the United States may generally only be offered or sold in the United States pursuant to a registration statement filed with the SEC or in an offering that qualifies for an exemption from registration. Persons that effect transactions in assets that are classified as securities in the United States may be subject to registration with the SEC and states in which they offer and sell securities as a "broker" or "dealer" and subject to the corresponding rules and regulations of the SEC, relevant states and self-regulatory organizations, including FINRA. Platforms that bring together buyers and sellers of assets that are classified as securities in the United States constitute securities exchanges and will be either required to register as such with the SEC, or to operate pursuant to an exemption, as an alternative trading system ("ATS"). We could be subject to legal or regulatory action in the event the SEC, a foreign regulatory authority, or a court were to determine that a supported crypto asset bought, sold, converted, spent or sent through our platform is a "security" under applicable laws. Because our platform is not yet registered or licensed with the SEC or foreign authorities as a broker-dealer, national securities exchange, or ATS (or foreign equivalents), and we do not seek to register or rely on an exemption from such registration or license to facilitate the offer and sale of crypto assets on our platform, we currently only permit transactions in crypto assets that we have determined are not securities. We intend to offer other crypto assets on our platform in the future, although which crypto assets will be allowed on our platform, and the timing for such crypto assets to be allowed on our platform, is uncertain. We will only allow those crypto assets for which we determine there are reasonably strong arguments to conclude that the crypto asset is not a security. However, the application of securities laws to the specific facts and circumstances of crypto may be complex and subject to change, and a listing determination does not guarantee any conclusion under the United States federal securities laws. While we have policies that are designed to help us analyze whether a particular crypto asset is a "security", our policies and procedures are not a legal standard, but rather a framework for analysis that permits us to make a risk-based assessment regarding the likelihood that a particular crypto asset could be deemed a "security" under applicable laws. Regardless of our conclusions, we could be subject to legal or regulatory action in the event the SEC, a state or foreign regulatory authority, or a court, were to determine that a crypto asset currently offered, sold or traded on our platform is a "security" under applicable laws. Moreover, although we expect our risk assessment policies and procedures to regularly evolve to take into account developments in case law, facts and developments in technology, regulatory clarity and changes in market acceptance and adoption of these crypto assets, these developments and changes may occur more rapidly than we are able to change our related policies and procedures. Actions may also be brought by private individuals or entities alleging illegal transactions involving crypto assets that they claim are securities, and seeking rescission of those transactions, and/or other legal and equitable relief under federal or state securities laws. In addition, in connection with our acquisition of Bakkt Crypto we have needed to, and if we engage in any other acquisitions in the future, may further need to, update our policies and procedures to account for additional types of crypto assets or additional functionalities, and there may be a delay in adopting uniform policies and procedures relating to the acquired company or in applying such policies and procedures to an acquired company's crypto assets. In applying our policies and procedures to an acquired company's crypto assets, we may determine to delist some or all of such company's crypto assets. See also "-If we are unable to attract, retain or grow our relationships with our existing clients, our business, financial condition, results of operations and future prospects would be materially and adversely affected. Moreover, sales efforts to large clients involve risks that may not be present or that are present to a lesser extent with respect to sales to smaller organizations." There can be no assurances that we will properly characterize any given crypto asset as a security or non-security for purposes of determining if that crypto asset is allowed to be offered through our platform, or that the SEC, foreign regulatory authority, or a court, if the question was presented to it, would agree with our assessment. If the SEC, foreign regulatory authority, or a court were to determine that bitcoin or any other crypto asset to be offered, sold, or traded on our platform in the future is a security, we would not be able to offer such crypto asset for trading until we are able to do so in a compliant manner, such as through an alternative trading system approved to trade crypto assets that constitute securities, and such determination may have adverse consequences for such supported crypto assets. A determination by the SEC, a foreign regulatory authority, or a court that an asset that we support for trading on our platform constitutes a security may also result in a determination that we should remove such asset from our platform, as well as other assets that have similar characteristics to such asset deemed to be a security. In addition, we could be subject to judicial or administrative sanctions for failing to offer or sell the asset in compliance with the registration requirements, or for acting as a broker, dealer, or national securities exchange without appropriate registration. Similarly, the SEC has recently alleged that certain crypto asset exchanges have acted without appropriate registration as clearing agencies. Although our platform functions differently from those alleged to have functioned as unregistered clearing agencies in actions brought by the SEC to date, we could face a similar action if the SEC and its staff take a different position with respect to our activities. An action for failure to register as a broker, dealer, national securities exchange, or clearing agency when such registration was required could result in injunctions, cease and desist orders, as well as civil monetary penalties, fines and disgorgement, criminal liability and reputational harm. Customers that traded such supported assets on our platform and suffered trading losses could also seek to rescind a transaction that we facilitated on the basis that it was conducted in violation of applicable law, which could subject us to significant liability. Furthermore, if we remove any assets from trading on our platform, our decision may be unpopular with our customers and may reduce our ability to attract and retain customers, especially if such assets remain traded on unregulated exchanges, which includes many of our competitors.

Some of our current and prospective clients themselves are regulated entities that may be restricted from engaging with us. For instance, several banks to whom we seek to provide our crypto solutions are regulated by the Federal Reserve, the Office of the Comptroller of the Currency, and/or the Federal Deposit Insurance Corporation. Pursuant to statements made by these regulators in the last several months, banks they regulate are required to consult with, and potentially obtain the approval of, their relevant regulator before "engaging in crypto-related activities." If these banks, or other current or prospective clients that are regulated entities, are unable to obtain the approval of their regulators, or the timing of such approvals is delayed, that failure or delay would materially and adversely affect our results of operations and future prospects.

Payments under the Tax Receivable Agreement will be based on the tax reporting positions that we determine, and the Internal Revenue Service (the "IRS") or another taxing authority may challenge all or any part of the tax basis increases, as well as other tax positions that we take, and a court may sustain such a challenge. In the event any tax benefits initially claimed by us are disallowed, the current Opco Equity Holders will not be required to reimburse us for any excess payments that may previously have been made under the Tax Receivable Agreement, for example, due to adjustments resulting from examinations by taxing authorities. Rather, excess payments made to such holders will be netted against any future cash payments otherwise required to be made by us, if any, after the determination of such excess. However, a challenge to any tax benefits initially claimed by us may not arise for a number of years following the initial time of such payment or, even if challenged early, such excess cash payment may be greater than the amount of future cash payments that we might otherwise be required to make under the terms of the Tax Receivable Agreement and, as a result, there might not be future cash payments from which to net against. As a result, in certain circumstances we could make payments under the Tax Receivable Agreement in excess of our actual income tax savings, which could materially impair our financial condition. Moreover, the Tax Receivable Agreement provides that, in the event that (a) we exercise our early termination rights under the Tax Receivable Agreement, (b) the Tax Receivable Agreement is rejected in a bankruptcy proceeding, (c) certain changes of control occur (as described in the Tax Receivable Agreement) or (d) we are more than thirty days late in making of a payment due under the Tax Receivable Agreement (unless we determine that we have insufficient funds to make such payment as a result of obligations imposed in connection with a senior obligation or applicable law), our obligations under the Tax Receivable Agreement will accelerate and we will be required to make an immediate lump-sum cash payment to the Opco Equity Holders equal to the present value of all forecasted future payments that would have otherwise been made under the Tax Receivable Agreement, which lump-sum payment would be based on certain assumptions, including those relating to our future taxable income. The lump-sum payment to the Opco Equity Holders could be substantial and could exceed the actual tax benefits that we realize subsequent to such payment because such payment would be calculated assuming, among other things, that we would have certain tax benefits available to it, that we would be able to use the potential tax benefits in future years, and that tax rates applicable to us would be the same as they were in the year of the termination. There may be a material negative effect on our liquidity if the payments under the Tax Receivable Agreement exceed the actual income tax savings that we realize. Furthermore, our obligations to make payments under the Tax Receivable Agreement could also have the effect of delaying, deferring or preventing certain mergers, asset sales, other forms of business combinations or other changes of control. We may need to incur additional indebtedness to finance payments under the Tax Receivable Agreement to the extent our cash resources are insufficient to meet our obligations under the Tax Receivable Agreement as a result of timing discrepancies or otherwise.

Under the current law, we do not believe that we are required to file any information returns with taxing authorities with respect to the issuance by our clients of loyalty points or other incentives, and we believe that we are in compliance with our tax information reporting obligations with respect to incentives that we issue. There can be no assurance that the IRS will not challenge our position, or that the applicable laws and administrative guidance will not change in a manner requiring us to provide additional tax information reporting to our customers. It is unclear whether the conversion to crypto of loyalty points by means of using our platform is or may become subject to information reporting by us. In our capacity as the facilitator of an exchange on which such transactions occur, we may be deemed to have certain information reporting obligations to the IRS or another taxing authority. The IRS has provided limited guidance with respect to information reporting obligations for transactions involving loyalty points or other incentives, and, absent future regulatory or administrative guidance, we expect to file information returns with the IRS for only a limited number of such transactions. There can be no assurances, however, that the IRS will not take a contrary position with respect to our information reporting obligations. If the IRS were to successfully challenge our position with respect to its information reporting obligations or if it were ultimately determined that the conversion of loyalty points to crypto is subject to information reporting obligations, we could potentially be subject to penalties for any failure to satisfy such information reporting obligations. Additionally, changes in applicable laws and administrative guidance could impose such obligations on us. For example, under the Infrastructure Investment and Jobs Act of 2021 (Pub. L. 117-58) (the "Infrastructure Act"), we may be treated as a "broker" with respect to crypto transactions we facilitate. As a result, we may be required to file certain information reports, including customer's names and addresses, gross proceeds from sales, and any capital gains or losses to the IRS. In August 2023, the IRS published proposed regulations on tax reporting requirements for cryptocurrency brokers, which were intended to implement the changes in law enacted by the Infrastructure Act. Such changes in our tax information reporting obligations may have a negative effect on the experience of our customers and may significantly increase our compliance costs. As a result of the foregoing, our planned business model may be adversely affected or it may incur additional costs in connection therewith.

Our operations may be subject to extensive tax liabilities, including federal and state income taxes and other taxes, such as excise, sales/use, payroll, franchise, withholding and ad valorem taxes. Changes in tax laws or their judicial or administrative interpretations could decrease the amount of revenues we receive, the value of any tax loss carryforwards and tax credits recorded on our balance sheet and the amount of our cash flow and may have a material adverse impact on our business, financial condition and results of operations. Some of our tax liabilities may be subject to periodic audits by the applicable taxing authority, which could increase our tax liabilities. Furthermore, we may become subject to taxation in various taxing jurisdictions. If we are required to pay additional taxes and are unable to pass the tax expense through to our customers, our costs would increase and our net income would be reduced, which could have a material adverse effect on our business, financial condition and results of operations.

Because there has been limited guidance for the tax reporting or accounting of crypto and limited guidance has been provided by the IRS, it is unclear how crypto transactions or other actions related to crypto (such as forks, provision of staking rewards and other crypto incentives and rewards products or other similar items) and related tax consequences should be accounted for or reported for tax purposes. In 2014, the IRS released Notice 2014-21, IRB 2014-16, or IRS Notice, discussing certain aspects of "convertible virtual currency" (that is, crypto currency that has an equivalent value in real (or fiat) currency or that acts as a substitute for fiat currency) for U.S. federal income tax purposes. IRS stated that such crypto currency is treated as "property", not "currency" for purposes of the rules relating to foreign currency gain or loss, and may be held as a capital asset. In 2019, the IRS released Revenue Ruling 2019-24 and a set of "Frequently Asked Questions", or the 2019 Revenue Ruling & FAQs, that provide some additional guidance, including guidance to the effect that, under certain circumstances, hard forks of crypto currencies are taxable events giving rise to ordinary income and guidance with respect to the determination of the tax basis of crypto currency. In 2023, the IRS released Revenue Ruling 2023-14, or the 2023 Revenue Ruling, that provides a cash-method taxpayer that receives additional units of crypto from staking must include those rewards in gross income. However, the IRS Notice, the 2019 Revenue Ruling & FAQs and the 2023 Revenue Ruling do not address other significant aspects of the U.S. federal income tax treatment of crypto and related transactions. Furthermore, the accounting treatment for revenues from crypto transactions is currently under review and subject to change. Failure to properly account for and report the transactions and other items related to the crypto held by our consumers to relevant tax authorities, such as the IRS, could have negative outcomes for us and harm our reputation with consumers and others. There can be no assurance that the IRS or other foreign tax authority will not alter its existing positions with respect to crypto in the future or that a court would uphold the treatment set forth in the existing IRS guidance. It is also unclear what additional guidance may be issued in the future on the treatment of existing crypto transactions and future crypto innovations for purposes of U.S. federal income tax or other foreign tax regulations. Any such alteration of existing IRS and foreign tax authority positions or additional guidance regarding crypto products and transactions could result in adverse tax consequences for holders of crypto and could have an adverse effect on the value of crypto and the broader crypto markets. Future technological and operational developments that may arise with respect to crypto currencies may increase the uncertainty with respect to the treatment of crypto currencies for U.S. federal income and foreign tax purposes. The uncertainty regarding tax treatment of crypto transactions impacts our customers, and could impact our business, both domestically and abroad. It is likely that the IRS will introduce new rules related to our tax reporting and withholding obligations on our customer transactions in the future, possibly in ways that differ from our existing compliance protocols and where there is risk that we do not have proper records to ensure compliance for certain legacy customers. If the IRS determines that we are not in compliance with our tax reporting or withholding requirements with respect to customer crypto transactions, we may be exposed to significant penalties, which could adversely affect our financial position. We anticipate additional guidance from the IRS regarding tax reporting and withholding obligations with respect to customer crypto transactions that will likely require us to invest substantially in new compliance measures and may require significant retroactive compliance efforts, which could adversely affect our financial position. Similarly, it is likely that new rules for reporting crypto under the "common reporting standard" will be implemented on our international operations, creating new obligations and a need to invest in new onboarding and reporting infrastructure. Such rules are under discussion today by the member and observer states of the "Organization for Economic Cooperation and Development" and may give rise to potential liabilities or disclosure requirements for prior customer arrangements and new rules that affect how we onboard our customers and report their transactions to taxing authorities.

In our capacity as a crypto custodian, our platform holds crypto for individual and institutional customers, and buys, sells, sends and receives crypto to fulfill buy and sell orders of such customers. Specifically, Bakkt Trust Company LLC ("Bakkt Trust") provides custody services to customers of Bakkt Marketplace and to its own institutional customers with respect to all crypto assets which we support for trading. In addition, Bakkt Crypto provides custodial services that support the crypto tokens offered on the consumer platform through both third-party providers of custodial services and self-custody through. the Fireblocks Vault service. Should we or one of our third-party custodians fail to implement or maintain the policies, procedures and controls necessary to secure the custody of the crypto assets entrusted to us by our customers in full compliance with applicable law and regulation, the Company could suffer reputational harm and/or significant financial losses; face litigation or regulatory enforcement action potentially leading to significant fines, penalties, and additional restrictions; and see its customers discontinue or reduce their use of our and our partners' products. Any of these occurrences could adversely impact our business, operating results, and financial condition. We regard the crypto assets that we hold in custody for customers as the property of those customers, who benefit from the rewards and bear the risks associated with their ownership, and we believe that customer crypto assets, consistent with the nature and terms of the services we offer and applicable law, would not be made available to satisfy the claims of our general creditors in the event of our bankruptcy. In addition, since the acquisition of Bakkt Crypto, we have utilized the services of third-party custodians to hold crypto assets in custody for the benefit of Bakkt Crypto customers. These third-party custodians maintain their own bankruptcy protection procedures and contractual protections designed with the goal that the crypto assets held in custody by these third-party custodians would not be made available to satisfy the claims of such custodian's general creditors in the event of bankruptcy. However, insolvency law is not fully developed with respect to the holding of crypto assets in custodial arrangements and continues to develop. As a result, there is a risk that crypto assets held in custody could be considered to be the property of a bankruptcy estate in the event of a bankruptcy, and that the crypto assets held in custody on behalf of our customers could be subject to bankruptcy proceedings and such customers could be treated as general unsecured creditors. This prospect may result in customers finding our custodial services more risky and less attractive. Both Bakkt Trust and Bakkt Crypto use omnibus wallets to hold crypto assets belonging to the Company as well as crypto assets held for the benefit of and on behalf of customers. The balances of Bakkt Crypto-owned assets in such wallets are de minimis and are maintained solely to facilitate customer transactions, such as by funding the payment of transfer fees and addressing rounding conventions and trade errors. Although the Company maintains detailed internal ledgers recording the ownership of crypto assets held in Company-controlled omnibus wallets, the use of omnibus wallets could complicate the disposition or treatment of customer crypto assets in the event of our bankruptcy, including by increasing the risk that crypto assets held in the omnibus wallets are considered to be the property of our bankruptcy estate. Further, on March 31, 2022, the SEC issued Staff Accounting Bulletin No. 121, which represents a significant change regarding how a company safeguarding crypto held for its platform users reports such crypto on its balance sheet. Any future changes in U.S. generally accepted accounting principles ("GAAP") that require us to change the manner in which we account for our crypto held for our customers could have a material adverse effect on our financial results and the market price of our securities. See "Risks Related to Risk Management and Financial Reporting – Future changes in financial accounting standards may significantly change our reported results of operations."

Our systems and custodial solutions involve the processing, storage and transmission of crypto and data. Contractual limits on our exposure in the event that crypto is stolen or misappropriated may not be sufficient to protect us from liability or other harm. The theft or misappropriation of crypto held in custody by us would likely result in financial loss, reputational damage, potential lack of trust from our customers, negative press coverage, and diversion of our management's time and focus. The secure storage and transmission of crypto and data over networks is a critical element of our operations. Threats to our operations come from external factors such as governments, organized crime, hackers, and other third parties such as outsourced or infrastructure-support providers and application developers, or may originate internally from an employee or service provider to whom we have granted access to our systems. Crypto transactions are generally irrevocable, and stolen or incorrectly transferred crypto may be irretrievable. Once a transaction has been verified and recorded in a block that is added to the distributed ledger, an incorrect transfer of a crypto generally will not be reversible, and we may not be able to obtain compensation for any such transfer or theft. It is possible that, through computer or human error, or through theft or criminal action, the crypto could be transferred in incorrect amounts or to unauthorized third parties, or to uncontrolled accounts. Such events would have a material adverse effect on our ability to continue as a going concern. Crypto is controllable only by the possessor of private keys relating to the distributed ledger through which the crypto is held. While the distributed ledgers require a public key relating to a crypto asset to be published when used in a transaction, private keys must be safeguarded and kept private in order to prevent a third party from accessing the crypto asset. To the extent our private keys are lost, destroyed, or otherwise compromised and no backups of the private keys are accessible, we will be unable to access the crypto held through the distributed ledger. Any loss of private keys relating to, or hack or other compromise of, our crypto could adversely affect our consumers' ability to access or sell their crypto and could harm consumers' trust in us and our products. Additionally, any loss of private keys relating to, or hack or other compromise of, the distributed ledger through which third parties store crypto could have negative reputational effects on us and harm consumers' trust in us and our products. Our insurance policies may not be adequate to reimburse us for losses caused by security breaches or incidents, and we may lose crypto valued in excess of the insurance policy without any recourse. Unlike bank accounts or accounts at some other financial institutions, in the event of loss or loss of utility value, there is no public insurer to offer recourse to us or to any consumer and the misappropriated crypto may not be easily traced to the bad actor. Further, when crypto custodial solutions or transfer venues, whether involving our systems or others, experience system failures or other operational issues, such events could result in a reduction in crypto prices or confidence and impact our success and have a material adverse effect on our ability to continue as a going concern.

We typically commit, through service level agreements or otherwise, to maintaining a minimum service levels with respect to our platform's functionality, availability and response time. If we are unable to meet these commitments, we may be obligated to provide clients with remedies set forth below. A failure to meet service level commitments, even for a relatively short duration, could cause us to be contractually obligated to issue credits or refunds to a large number of affected clients and customers, or could result in the dissatisfaction or loss of clients and customers. Affected participants could also choose to pursue other legal remedies that may be available to them. In addition, we rely on public cloud providers, such as Microsoft Azure and Google Cloud, and any availability interruption in the public cloud could result in us not meeting our service-level commitments. In some cases, we may not have a contractual right with our public cloud providers that compensates us for any losses due to availability interruptions in the public cloud. Any of the above circumstances or events may impact our revenues, harm our reputation, impair our ability to develop our platform and grow our base of clients and customers, subject us to financial penalties and liabilities under our service level agreements and otherwise harm our business, financial condition and results of operations.

In order to support any particular crypto asset, a variety of front and back-end technical and development work is required to integrate such supported crypto asset with our existing technical infrastructure. For certain crypto assets, a significant amount of development work is required and there is no guarantee that we will be able to integrate successfully with any existing or future crypto asset. In addition, such integration may introduce software errors or weaknesses into our platform, including our existing infrastructure. Even if such integration is initially successful, any number of technical changes, software upgrades, soft or hard forks, cybersecurity incidents, bugs, errors, defects or other changes to the underlying blockchain network may occur from time to time, causing incompatibility, technical issues, disruptions, or security weaknesses to our platform. If we are unable to identify, troubleshoot and resolve any such issues successfully, we may no longer be able to support such crypto assets, our customers' assets may be frozen or lost, the security of our hot, warm, or cold wallets may be compromised, and our platform and technical infrastructure may be affected, all of which could adversely impact our business.

Our systems and those of our service providers and clients have experienced from time to time, and may experience in the future service interruptions or degradation because of hardware and software defects or malfunctions, insider threats, human error, earthquakes, hurricanes, floods, fires and other natural disasters, power losses, disruptions in telecommunications services, fraud, geopolitical tensions, and military or political conflicts (including the Russia-Ukraine and Israel-Hamas wars), terrorist attacks, computer viruses, ransomware or other malware, or other events. We have experienced from time to time, and may experience in the future, disruptions in our systems. In addition, as a provider of payments solutions and crypto trading and custody solutions, we are subject to heightened scrutiny by regulators that may require specific business continuity, resiliency and disaster recovery plans and more rigorous testing of such plans, which may be costly and time-consuming to implement, and may divert our resources from other business priorities. We have experienced and expect to continue to experience system failures, denial-of-service attacks and other events or conditions from time to time that interrupt the availability, or reduce or adversely affect the speed or functionality, of our products and services. These events have resulted and likely will result in loss of revenue. A prolonged interruption in the availability or reduction in the availability, speed, or functionality of our products and services could materially harm our business. Frequent or persistent interruptions in our services could cause current or potential clients to believe that our systems are unreliable, leading them to switch to competitors or to avoid or reduce the use of our platform, and could permanently harm our reputation. Moreover, if any system failure or similar event results in damages to our customers, these clients could seek significant compensation or contractual penalties from us for their losses, and those claims, even if unsuccessful, would likely be time-consuming and costly for us to address, and could have other consequences described in this "Risk Factors" section under the caption "Actual or perceived cyberattacks, security incidents, or breaches could result in serious harm to our reputation, business and financial condition." Further, frequent or persistent site interruptions could lead to regulatory scrutiny, significant fines and penalties and mandatory and costly changes to our business practices, and ultimately could cause us to lose existing licenses that we need to operate or prevent or delay us from obtaining additional licenses that may be required for our business. We also rely on facilities, components, applications and services supplied by third parties, including data center facilities and cloud storage services, which subjects us to risks in the nature of those discussed in this "Risk Factors" section under the caption "We face operational, legal and other risks related to our reliance on third party vendors, over which we have no control." From time to time, such third parties may cease to provide us with such facilities and services. Additionally, if these third parties experience operational interference or disruptions, breach their agreements with us, fail to perform their obligations and meet our expectations, or experience a cyberattack, security incident or breach, our operations could be disrupted or otherwise negatively affected, which could result in consumer dissatisfaction, regulatory scrutiny and damage to our reputation and brands and materially and adversely affect our business. Our business interruption insurance coverage may be insufficient to compensate us for all losses that may result from interruptions in our service as a result of systems failures and similar events. Implementation of new systems and technologies is complex, expensive and time-consuming. If we fail to timely and successfully implement new information systems and technologies, or improvements or upgrades to existing information systems and technologies, or if such systems and technologies do not operate as intended, this could have an adverse impact on our business, internal controls (including internal controls over financial reporting), results of operations and financial condition.

Our future success will depend on our ability to identify, hire, develop, motivate and retain highly qualified personnel for all areas of our organization, particularly information technology and sales. Further, hiring qualified and experienced personnel in this specialized technology space is difficult due to the high level of competition and scarcity of experience. Many of the companies with which we compete for experienced employees have greater resources than we do and may be able to offer more attractive terms of employment. In addition, we invest significant time and expense in training employees, which increases their value to competitors that may seek to recruit them. We may not be able to attract, develop and maintain the skilled workforce necessary to operate our business and labor expenses may increase as a result of a shortage in the supply of qualified personnel, which would negatively impact our business. Further, if we suffer attrition and shortages with respect to certain of our customer service personnel, such as our call centers, our ability to maintain compliance with our service level commitments to clients may be impacted, resulting in financial penalties and, potentially, damage to or loss of those client relationships.