Coinbase Global (COIN) Risk Factors

The CFTC has stated and judicial decisions involving CFTC enforcement actions have confirmed that at least some crypto assets, including Bitcoin, ether, litecoin, and stablecoins, such as USDC, USDT and BUSD, fall within the definition of a "commodity" under the CEA. As a result, the CFTC has general enforcement authority to police against manipulation and fraud in at least some spot crypto asset markets. From time to time, manipulation, fraud, and other forms of improper trading by market participants have resulted in, and may in the future result in, CFTC investigations, inquiries, enforcement action, and similar actions by other regulators, government agencies, and civil litigation. Such investigations, inquiries, enforcement actions, and litigation may cause us to incur substantial costs and could result in negative publicity.

Any transaction in a commodity, including a crypto asset, entered into with or offered to retail investors using leverage, margin, or other financing arrangements (a "retail commodity transaction") is subject to CFTC regulation as a futures contract unless such transaction results in actual delivery within 28 days. The meaning of "actual delivery" has been the subject of commentary and litigation, and in 2020, the CFTC adopted interpretive guidance addressing the "actual delivery" of a crypto asset. To the extent that crypto asset transactions that we facilitate or facilitated are deemed retail commodity transactions, including pursuant to current or subsequent rulemaking or guidance by the CFTC, we may be subject to additional regulatory requirements and oversight, and we could be subject to judicial or administrative sanctions if we do not or did not at a relevant time possess appropriate registrations. The CFTC has previously brought enforcement actions against entities engaged in retail commodity transactions without appropriate registrations, as well as recent enforcement settled orders against developers of decentralized platforms.

Commodity interests, as such term is defined by the CEA and CFTC rules and regulations, are subject to more extensive supervisory oversight by the CFTC, including registrations of entities engaged in, and platforms offering, commodity interest transactions. This CFTC authority extends to crypto asset futures contracts and swaps, including transactions that are based on current and future prices of crypto assets and indices of crypto assets. To the extent that a crypto asset in which we facilitate or facilitated trading or transactions in a crypto asset which we facilitate or facilitated are deemed to fall within the definition of a commodity interest, including pursuant to subsequent rulemaking or guidance by the CFTC, we may be subject to additional regulatory requirements and oversight and could be subject to judicial or administrative sanctions if we do not or did not at a relevant time possess appropriate registrations as an exchange (for example, as a designated contract market for trading futures or options on futures, or as a swaps execution facility for trading swaps) or as a registered intermediary (for example, as a futures commission merchant or introducing broker). Such actions could result in injunctions, cease and desist orders, as well as civil monetary penalties, fines, and disgorgement, as well as reputational harm. The CFTC has previously brought enforcement actions against entities engaged in crypto asset activities for failure to obtain appropriate exchange, execution facility and intermediary registrations. Furthermore, the CFTC and the SEC have jointly adopted regulations defining "security-based swaps," which include swaps based on single securities and narrow-based indices of securities. If a crypto asset is deemed to be a security, certain transactions referencing that crypto asset could constitute a security-based swap. A crypto asset or transaction therein that is based on or references a security or index of securities, whether or not such securities are themselves crypto assets, could also constitute a security-based swap. To the extent that a crypto asset in which we facilitate or have facilitated trading or transactions in a crypto asset which we facilitate or have facilitated are deemed to fall within the definition of a security-based swap, including pursuant to subsequent rulemaking or guidance by the CFTC or SEC, we may be subject to additional regulatory requirements and oversight by the SEC and could be subject to judicial or administrative sanctions if we do not or did not a relevant time possess appropriate registrations as an exchange (for example, as a security-based swaps execution facility) or as a registered intermediary (for example, as a security-based swap dealer or broker-dealer). This could result in injunctions, cease and desist orders, as well as civil monetary penalties, fines, and disgorgement, as well as reputational harm.

Our business is subject to extensive laws, rules, regulations, policies, orders, determinations, directives, treaties, and legal and regulatory interpretations and guidance in the markets in which we operate, including those governing financial services and banking, federal government contractors, trust companies, securities, derivative transactions and markets, broker-dealers and alternative trading systems ("ATS"), commodities, credit, crypto asset custody, exchange, and transfer, cross-border and domestic money and crypto asset transmission, commercial lending, usury, foreign currency exchange, privacy, data governance, data protection, cybersecurity, fraud detection, payment services (including payment processing and settlement services), consumer protection, escheatment, antitrust and competition, bankruptcy, tax, anti-bribery, economic and trade sanctions, anti-money laundering, and counter-terrorist financing. Many of these legal and regulatory regimes were adopted prior to the advent of the internet, mobile technologies, crypto assets, generative artificial intelligence ("AI") and related technologies. As a result, some applicable laws and regulations do not contemplate or address unique issues associated with the cryptoeconomy, are subject to significant uncertainty, and vary widely across U.S. federal, state, and local and international jurisdictions. These legal and regulatory regimes, including the laws, rules, and regulations thereunder, evolve frequently and may be modified, interpreted, and applied in an inconsistent manner from one jurisdiction to another, and may conflict with one another. Moreover, the complexity and evolving nature of our business and the significant uncertainty surrounding the regulation of the cryptoeconomy requires us to exercise our judgment as to whether certain laws, rules, and regulations apply to us, and it is possible that governmental bodies and regulators may disagree with our conclusions. To the extent we have not complied with such laws, rules, and regulations, we could be subject to significant fines, revocation of licenses, limitations on or temporary or permanent suspensions of our products and services, reputational harm, and other regulatory consequences, each of which may be significant and could adversely affect our business, operating results, and financial condition. Additionally, various governmental and regulatory bodies, including legislative and executive bodies, in the United States and in other countries may adopt new laws and regulations, the direction and timing of which may be influenced by changes in the governing administrations and major events in the cryptoeconomy. For example, following the failure of several prominent crypto trading venues and lending platforms, such as FTX, Celsius Networks, Voyager and Three Arrows Capital in 2022 (the "2022 Events"), the U.S. Congress expressed the need for both greater federal oversight of the cryptoeconomy and comprehensive cryptocurrency legislation. Presently, and in the future, various governmental and regulatory bodies, including in the United States, may introduce new policies, laws, and regulations relating to crypto assets and the cryptoeconomy generally, and crypto asset platforms in particular. Other companies' failures of risk management and other control functions that played a role in the 2022 Events could accelerate an existing regulatory trend toward stricter oversight of crypto asset platforms and the cryptoeconomy. Furthermore, new interpretations of existing laws and regulations may be issued by such bodies or the judiciary, which may adversely impact the development of the cryptoeconomy as a whole and our legal and regulatory status in particular by changing how we operate our business, how our products and services are regulated, and what products or services we and our competitors can offer, requiring changes to our compliance and risk mitigation measures, imposing new licensing requirements, or imposing a total ban on certain crypto asset transactions, as has occurred in certain jurisdictions in the past. For example, in April 2023, the SEC reopened a comment period for amendments to Rule 3b-16 under the Securities Exchange Act of 1934, as amended (the "Exchange Act"), that could subject several cryptoeconomy participants and systems to registration or other operational compliance requirements under the Exchange Act. If the SEC's proposed amendment is adopted in its current form, we, along with other cryptoeconomy participants, could face significant additional uncertainty and risk of increased operational costs. In November 2023, the New York Department of Financial Services ("NYDFS") adopted guidance regarding the policies and procedures required for virtual currency business entities licensed in New York, such as Coinbase, Inc. This guidance and other applicable state law guidance regarding virtual currency business activity could result in changes to our business in such states as well as the risk of increased operational costs and the risk of enforcement actions. If we are unable to comply with any new requirements, our ability to offer our products and services in their current form may be adversely affected. Additionally, under recommendations from the Financial Crimes Enforcement Network ("FinCEN"), and the Financial Action Task Force ("FATF"), the United States and several foreign jurisdictions have or are likely to impose the Funds Travel Rule and the Funds Transfer Rule (commonly referred to collectively as the Travel Rule) on financial service providers in the cryptoeconomy. We may face substantial costs to operationalize and comply with the Travel Rule and may be further subject to administrative sanctions for technical violations or customer attrition if the user experience suffers as a result. In October 2023, FinCEN released a proposed rule that identifies virtual currency "mixing" as a class of transactions of primary money laundering concern and imposes heightened recordkeeping and reporting obligations for financial institutions with respect to those transactions. There are substantial uncertainties regarding the scope of these requirements in practice, and we may face substantial costs to operationalize and comply with these rules. Moreover, we offer and may in the future offer products and services whose functionality or value depends in part on our management of token transaction smart contracts, liquid staking, asset tracking, or other applications that provide novel forms of customer engagement and interaction delivered via blockchain protocols. We may also offer products and services whose functionality or value depends on our ability to develop, integrate, or otherwise interact with such applications within the bounds of our legal and compliance obligations. The legal and regulatory landscape for such products, including the law governing the rights and obligations between and among smart contract developers and users and the extent to which such relationships entail regulated activity is uncertain and rapidly evolving. Our interaction with those applications, and the interaction of other blockchain users with any smart contracts or assets we may generate or control, could present legal, operational, reputational, and regulatory risks for our business. We may be further subject to administrative sanctions for technical violations or customer attrition if the user experience suffers as a result. As another example, the extension of anti-money laundering requirements to certain crypto-related activities by the European Union's Fifth Money Laundering Directive, as updated by the European Union's Sixth Money Laundering Directive, has increased the regulatory compliance burden for our business in Europe and, as a result of the fragmented approach to the implementation of its provisions, resulted in distinct and divergent national licensing and registration regimes for us in different E.U. member states. Further E.U.-level legislation imposing additional regulatory requirements in relation to crypto-related activities is also expected in the near term, such as with the effectiveness of the Markets in Crypto-Assets Regulation ("MiCA"). Among other provisions, MiCA introduces a comprehensive authorization and compliance regime for crypto asset service providers and a disclosure regime for the issuers of certain crypto assets, which is expected to impact our operations in the European Union. Because we have offered and will continue to offer a variety of innovative products and services to our customers, many of our offerings are subject to significant regulatory uncertainty and we from time to time face regulatory inquiries regarding our current and planned products. For instance, we are a reseller of USDC, a stablecoin redeemable on a one-to-one basis for U.S. dollars. The regulatory treatment of fiat-backed stablecoins is highly uncertain and has drawn significant attention from legislative and regulatory bodies around the world. The issuance and resale of such stablecoins may implicate a variety of banking, deposit, money transmission, prepaid access and stored value, anti-money laundering, commodities, securities, sanctions, and other laws and regulations in the United States and in other jurisdictions. Moreover, in October 2021, the President's Working Group on Financial Markets, the Federal Deposit Insurance Corporation ("FDIC"), and the Office of the Comptroller of the Currency, issued a joint report that recommended legislation that would subject stablecoin issuers and wallet providers to increased federal oversight. There are substantial uncertainties on how these requirements would apply in practice, and we may face substantial compliance costs to operationalize and comply with these rules. Certain products and services offered by us that we believe are not subject to regulatory oversight, or are only subject to certain regulatory regimes, such as Coinbase Wallet, a standalone mobile application that allows customers to manage their own private keys and store their crypto assets directly on their mobile devices, may cause us to be deemed to be engaged in a form of regulated activity for which licensure is required or cause us to become subject to new and additional forms of regulatory oversight. We also offer various staking, rewards, and lending products, all of which are subject to significant regulatory uncertainty, and could implicate a variety of laws and regulations worldwide. For example, there is regulatory uncertainty regarding the status of our staking, lending, rewards, and other yield-generating activities under the U.S. federal and state securities laws. While we have implemented policies and procedures, including geofencing for certain products and services, designed to help monitor for and ensure compliance with existing and new laws and regulations, there can be no assurance that we and our employees, contractors, and agents will not violate or otherwise fail to comply with such laws and regulations. To the extent that we or our employees, contractors, or agents are deemed or alleged to have violated or failed to comply with any laws or regulations, including related interpretations, orders, determinations, directives, or guidance, we or they could be subject to a litany of civil, criminal, and administrative fines, penalties, orders and actions, including being required to suspend or terminate the offering of certain products and services. Moreover, to the extent our customers nevertheless access our platform, products or services outside of jurisdictions where we have obtained required governmental licenses and authorization, we could similarly be subject to a variety of civil, criminal, and administrative fines, penalties, orders and actions as a result of such activity. Due to our business activities, we are subject to ongoing examinations, oversight, and reviews and currently are, and expect in the future, to be subject to investigations and inquiries, by U.S. federal and state regulators and foreign financial service regulators, many of which have broad discretion to audit and examine our business. We are periodically subject to audits and examinations by these regulatory authorities. As a result of findings from these audits and examinations, regulators have, are, and may in the future require us to take certain actions, including amending, updating, or revising our compliance measures from time to time, limiting the kinds of customers that we provide services to, changing, terminating, or delaying our licenses and the introduction of our existing or new product and services, and undertaking further external audit or being subject to further regulatory scrutiny, including investigations and inquiries. We have received, and may in the future receive, examination reports citing violations of rules and regulations, inadequacies in existing compliance programs, and requiring us to enhance certain practices with respect to our compliance program, including due diligence, monitoring, training, reporting, and recordkeeping. Implementing appropriate measures to properly remediate these examination findings may require us to incur significant costs, and if we fail to properly remediate any of these examination findings, we could face civil litigation, significant fines, damage awards, forced removal of certain employees including members of our executive team, barring of certain employees from participating in our business in whole or in part, revocation of existing licenses, limitations on existing and new products and services, reputational harm, negative impact to our existing relationships with regulators, exposure to criminal liability, or other regulatory consequences. Further, we believe increasingly strict legal and regulatory requirements and additional regulatory investigations and enforcement, any of which could occur or intensify, may continue to result in changes to our business, as well as increased costs, and supervision and examination for ourselves, our agents, and service providers. For example, in June 2023, the SEC filed a complaint in the U.S. District Court for the Southern District of New York (the "District Court") against us and Coinbase, Inc. alleging that (i) Coinbase, Inc. has acted as an unregistered securities exchange, broker, and clearing agency in violation of Sections 5, 15(a) and 17A(b) of the Exchange Act and that, through its staking program, Coinbase, Inc. has offered and sold securities without registering its offers and sales in violation of Sections 5(a) and 5(c) of the Securities Act of 1933, as amended (the "Securities Act"), and (ii) we are liable for the alleged violations as an alleged control person of Coinbase, Inc. (the "June 2023 SEC Complaint"). Moreover, new laws, regulations, or interpretations may result in additional litigation, regulatory investigations, and enforcement or other actions, including preventing or delaying us from offering certain products or services offered by our competitors or could impact how we offer such products and services. Adverse changes to, or our failure to comply with, any laws and regulations have had, and may continue to have, an adverse effect on our reputation and brand and our business, operating results, and financial condition.

In November 2021, the U.S. Congress passed the Infrastructure Investment and Jobs Act (the "IIJA"), providing that brokers would be responsible for reporting to the IRS the transactions of their customers in digital assets, including transfers to other exchanges or to digital asset wallets not connected to any exchange. On June 28, 2024, the U.S. Treasury Department and the IRS released finalized regulations and issued other administrative guidance on tax information reporting for digital assets (the "Final Regulations") and introduced new rules that will be applicable, in certain cases, starting January 1, 2025, related to our tax reporting and withholding obligations on our customer transactions. Although we believe we are compliant with U.S. tax reporting and withholding requirements with respect to our customers' crypto asset transactions, our compliance with the Final Regulations, including but not limited to U.S. onboarding requirements through Forms W9 and W8, backup withholding, non-resident alien withholding, and Form 1099 and Form 1042-S reporting obligations, may be subject to scrutiny and may be challenged. There is a risk that we may not have proper processes and procedures necessary to comply with the Final Regulations, may not interpret the IIJA, the Final Regulations, or administrative guidance correctly, or may not build systems within the required timelines to ensure compliance for certain customers or transactions. If the IRS determines that we are not in compliance with our tax reporting or withholding obligations on customer transactions, significant taxes and penalties may be imposed, which could adversely affect our financial position. The Final Regulations will require us to invest substantially in new compliance processes and procedures, which also could adversely affect our financial position. Further, the IRS announced it intends to issue additional guidance in the future, including, but not limited to, guidance on the treatment of non-custodial parties, which could impose additional burdens on us and result in significant taxes and penalties that could adversely affect our financial position. Similarly, new rules for reporting crypto assets under the global "common reporting standard" as well as under the "crypto-asset reporting framework" will be implemented on our international operations, creating new obligations and a need to invest in new onboarding and reporting infrastructure. Such rules are under discussion today by the member and observer states of the "Organization for Economic Cooperation and Development" and by the European Commission on behalf of the member states of the European Union. These new rules may give rise to potential liabilities or disclosure requirements for prior customer arrangements and new rules that affect how we onboard our customers and report their transactions to taxing authorities. Additionally, the European Union has issued a directive, commonly referred to as "CESOP" (the Central Electronic System of Payment information), requiring payment service providers in the European Union to report cross-border fiat transactions to taxing authorities on a quarterly basis beginning in January 2024. Any actual or perceived failure by us to comply with the above or any other emerging tax and financial regulations that apply to our operations could harm our business and adversely affect our financial position.

We are subject to complex tax laws and regulations in the United States and a variety of foreign jurisdictions. All of these jurisdictions have in the past and may in the future make changes to their corporate income tax rates and other income tax laws which could increase our future income tax provision. For example, our future income tax obligations could be adversely affected by earnings that are lower than anticipated in jurisdictions where we have lower statutory rates and by earnings that are higher than anticipated in jurisdictions where we have higher statutory rates, by changes in the valuation of our deferred tax assets and liabilities, by changes in the amount of unrecognized tax benefits, or by changes in tax laws, regulations, accounting principles, or interpretations thereof, including changes with possible retroactive application or effect. Our determination of our tax liability is subject to review and may be challenged by applicable U.S. and foreign tax authorities. Any adverse outcome of such a challenge could harm our operating results and financial condition. The determination of our worldwide provision for income taxes and other tax liabilities requires significant judgment and, in the ordinary course of business, there are many transactions and calculations where the ultimate tax determination is complex and uncertain. Moreover, as a multinational business, we have subsidiaries that engage in many intercompany transactions in a variety of tax jurisdictions where the ultimate tax determination is complex and uncertain. Our existing corporate structure and intercompany arrangements have been implemented in a manner we believe is in compliance with current prevailing tax laws. Furthermore, as we operate in multiple taxing jurisdictions, the application of tax laws can be subject to diverging and sometimes conflicting interpretations by tax authorities of these jurisdictions. It is not uncommon for taxing authorities in different countries to have conflicting views with respect to, among other things, the characterization and source of income or other tax items, the manner in which the arm's-length standard is applied for transfer pricing purposes, or with respect to the valuation of intellectual property. The taxing authorities of the jurisdictions in which we operate may challenge our tax treatment of certain items or the methodologies we use for valuing developed technology or intercompany arrangements, which could impact our worldwide effective tax rate and harm our financial position and operating results. Further, any changes in the tax laws governing our activities may increase our tax expense, the amount of taxes we pay, or both. For example, the Tax Cuts and Jobs Act (the "TCJA"), enacted on December 22, 2017, significantly reformed the U.S. federal tax code, reducing the U.S. federal corporate income tax rate, making sweeping changes to the rules governing international business operations, and imposing new limitations on a number of tax benefits, including deductions for business interest and the use of net operating loss carryforwards. Effective beginning in 2022, the TCJA also eliminated the option to immediately deduct research and development expenditures and required taxpayers to amortize domestic expenditures over five years and foreign expenditures over fifteen years. The Inflation Reduction Act of 2022 (the "Inflation Reduction Act"), enacted on August 16, 2022, further amended the U.S. federal tax code, imposing a 15% minimum tax on "adjusted financial statement income" of certain corporations as well as an excise tax on the repurchase or redemption of stock by certain corporations, beginning in the 2023 tax year. In addition, over the last several years, the Organization for Economic Cooperation and Development has been working on a Base Erosion and Profit Shifting Project that, if implemented, would change various aspects of the existing framework under which our tax obligations are determined in many of the countries in which we do business. As of June 2024, over 140 countries have approved a framework that imposes a minimum tax rate of 15%, among other provisions. As this framework is subject to further negotiation and implementation by each member country, the timing and ultimate impact of any such changes on our tax obligations are uncertain. There can be no assurance that future tax law changes will not increase the rate of the corporate income tax, impose new limitations on deductions, credits or other tax benefits, or make other changes that may adversely affect our business, cash flows or financial performance. In addition, the IRS has yet to issue guidance on a number of important issues regarding the tax treatment of cryptocurrency and the products we provide to our customers and from which we derive our income. In the absence of such guidance, we will take positions with respect to any such unsettled issues. There is no assurance that the IRS or a court will agree with the positions taken by us, in which case tax penalties and interest may be imposed that could adversely affect our business, cash flows or financial performance. We also are subject to non-income taxes, such as payroll, sales, use, value-added, digital services, net worth, property, and goods and services taxes in the United States and various foreign jurisdictions. Specifically, we may be subject to new allocations of tax as a result of increasing efforts by certain jurisdictions to tax activities that may not have been subject to tax under existing tax principles. Companies such as ours may be adversely impacted by such taxes. Tax authorities may disagree with certain positions we have taken. As a result, we may have exposure to additional tax liabilities that could have an adverse effect on our operating results and financial condition. As a result of these and other factors, the ultimate amount of tax obligations owed may differ from the amounts recorded in our financial statements and any such difference may harm our operating results in future periods in which we change our estimates of our tax obligations or in which the ultimate tax outcome is determined.

We obtain and process large amounts of sensitive data, including personal data related to our customers and their transactions, such as their names, addresses, social security numbers, visa information, copies of government-issued identification, facial recognition data (from scanning of photographs for identity verification), trading data, tax identification, and bank account information. We face risks, including to our reputation, in the handling and protection of this data, and these risks will increase as our business continues to expand, including through our acquisition of, and investment in, other companies and technologies. Federal, state, and international laws and regulations governing privacy, data protection, and e-commerce transactions require us to safeguard our customers', employees', and service providers' personal data. We have administrative, technical, and physical security measures and controls in place and maintain a robust information security program. However, our security measures, or the security measures of companies we acquire, may be inadequate or breached as a result of third-party action, employee or service provider error, malfeasance, malware, phishing, hacking attacks, system error, trickery, advances in computer capabilities, new discoveries in the field of cryptography, inadequate facility security or otherwise, and, as a result, someone may be able to obtain unauthorized access to sensitive information, including personal data, on our systems. We could be the target of a cybersecurity incident, which could result in harm to our reputation and financial losses. Additionally, our customers have been and could be targeted in cybersecurity incidents like an account takeover, which could result in harm to our reputation and financial losses. For example, in 2021, third parties independently obtained login credentials and personal information for at least 6,000 customers and used those credentials to exploit a vulnerability that previously existed in the account recovery process. Coinbase reimbursed impacted customers approximately $25.1 million. Additionally, privacy and data protection laws are evolving, and these laws may be interpreted and applied in a manner that is inconsistent with our data handling safeguards and practices that could result in fines, lawsuits, and other penalties, and significant changes to our or our third-party partners' business practices and products and service offerings. Our future success depends on the reliability and security of our platform. To the extent that the measures we, any companies we acquire, or our third-party business partners have taken prove to be insufficient or inadequate, or to the extent we discover a security breach suffered by a company we acquire following the closing of such acquisition, we may become subject to litigation, breach notification obligations, or regulatory or administrative sanctions, which could result in significant fines, penalties, damages, harm to our reputation, or loss of customers. If our own confidential business information or sensitive customer information were improperly disclosed, our business could be adversely affected. Additionally, a party who circumvents our security measures could, among other effects, appropriate customer information or other proprietary data, cause interruptions in our operations, or expose customers to hacks, viruses, and other disruptions. Depending on the nature of the information compromised, in the event of a data breach or other unauthorized access to our customer data, we may also have obligations to notify customers and regulators about the incident, and we may need to provide some form of remedy, such as a subscription to credit monitoring services, pay significant fines to one or more regulators, or pay compensation in connection with a class-action settlement (including under the private right of action under the California Consumer Privacy Act of 2018 (the "CCPA"), which is expected to increase security breach litigation). Such breach notification laws continue to evolve and may be inconsistent from one jurisdiction to another. In the United States, the SEC has adopted rules for mandatory disclosure of cybersecurity incidents suffered by public companies, as well as cybersecurity governance and risk management. Complying with these obligations could cause us to incur substantial costs and could increase negative publicity surrounding any incident that compromises customer data. Any failure or perceived failure by us to comply with these laws may also subject us to enforcement action or litigation, any of which could harm our business. Additionally, the financial exposure from the events referenced above could either not be insured against or not be fully covered through any insurance that we may maintain, and there can be no assurance that the limitations of liability in any of our contracts would be enforceable or adequate or would otherwise protect us from liabilities or damages as a result of the events referenced above. Any of the foregoing could have an adverse effect on our business, reputation, operating results, and financial condition. Furthermore, we may be required to disclose personal data pursuant to demands from individuals, regulators, government agencies, and law enforcement agencies in various jurisdictions with conflicting privacy and security laws, which could result in a breach of privacy and data protection policies, notices, laws, rules, court orders, and regulations. Additionally, changes in the laws and regulations that govern our collection, use, and disclosure of customer data could impose additional requirements with respect to the retention and security of customer data, could limit our marketing activities, and have an adverse effect on our business, operating results, and financial condition.

Various local, state, federal, and international laws, directives, and regulations apply to our collection, use, retention, protection, disclosure, transfer, and processing of personal data. These data protection and privacy laws and regulations are subject to uncertainty and continue to evolve in ways that could adversely impact our business. These laws have a substantial impact on our operations both outside and in the United States, either directly or as a data processor and handler for various offshore entities. In the United States, state and federal lawmakers and regulatory authorities have increased their attention on the collection and use of user data. In the United States, non-sensitive user data generally may be used under current rules and regulations, subject to certain restrictions, so long as the person does not affirmatively "opt-out" of the collection or use of such data. If an "opt-in" model or additional required "opt-outs" were to be adopted in the United States, less data may be available, and the cost of data likely would increase. For example, California enacted the CCPA (effective January 2020) and the California Privacy Rights Act (the "CPRA") (effective January 2023), which expands upon and amends the CCPA. The CCPA and the CPRA require covered companies to, among other things, provide new disclosures to California users, and affords such users new privacy rights such as the ability to opt-out of certain sales of personal information and expanded rights to access and require deletion of their personal information, opt out of certain personal information sharing, and receive detailed information about how their personal information is collected, used, and shared. The CCPA provides for civil penalties for violations, as well as a private right of action for security breaches that may increase security breach litigation. In addition, several other states have proposed or enacted laws that contain obligations similar to the CCPA and CPRA that have taken effect or will take effect in coming years. We cannot fully predict the impact of recently proposed or enacted laws or regulations on our business or operations, but compliance may require us to modify our data processing practices and policies incurring costs and expense. Further, to the extent multiple state-level laws are introduced with inconsistent or conflicting standards, it may require costly and difficult efforts to achieve compliance with such laws. Our failure or perceived failure to comply with state privacy laws or regulations passed in the future could have a material adverse effect on our business, including how we use personal information, our business, operating results, and financial condition. Additionally, many foreign countries and governmental bodies, including Australia, Brazil, Kenya, the European Union, India, Japan, Philippines, Indonesia, Singapore, United Kingdom, Switzerland, and numerous other jurisdictions in which we operate or conduct our business, have laws and regulations concerning the collection, use, processing, storage, and deletion of personal information obtained from their residents or by businesses operating within their jurisdiction. These laws and regulations often are more restrictive than those in the United States. Such laws and regulations may require companies to implement new privacy and security policies, permit individuals to access, correct, and delete personal information stored or maintained by such companies, inform individuals of security breaches that affect their personal information, require that certain types of data be retained on local servers within these jurisdictions, and, in some cases, obtain individuals' affirmative opt-in consent to collect and use personal information for certain purposes. We are subject to the European Union's General Data Protection Regulation (the "GDPR") and the United Kingdom's General Data Protection Regulation (the "U.K. GDPR"), which impose stringent privacy and data protection requirements, and could increase the risk of non-compliance and the costs of providing our products and services in a compliant manner. A breach of the GDPR or U.K. GDPR could result in regulatory investigations, reputational damage, fines and sanctions, orders to cease or change our processing of our data, enforcement notices, or assessment notices (for a compulsory audit). For example, if regulators assert that we have failed to comply with the GDPR or U.K. GDPR, we may be subject to fines of up to €20 million (£17.5 million) or 4% of our worldwide annual revenue, whichever is greater. We may also face civil claims including representative actions and other class action type litigation (where individuals have suffered harm), potentially amounting to significant compensation or damages liabilities, as well as associated costs, diversion of internal resources, and reputational harm. Both the GDPR (covering the EEA) as well as U.K. and Swiss data protection laws impose strict rules on the transfer of personal data out of the E.U., U.K., or Switzerland to a "third country," including the United States. On June 4, 2021 the European Commission finalized new versions of the Standard Contractual Clauses, with the Implementing Decision now in effect. The U.K. Information Commissioner's Office of the Data Protection Authority published the U.K. version of the Standard Contractual Clauses (the "SCCS"), which requires us to use and honor these clauses for transfers of U.K. residents' personal data to a foreign country that does not have adequate data protection. Effective July 10, 2023, the new E.U.-U.S. and Swiss-U.S. Data Privacy Framework (together, the "DPF") have been recognized as adequate under E.U. law to allow transfers of personal data from the E.U. and Switzerland to certified companies in the United States. The U.K. extension to the DPF (the "U.K. DPF") which covers transfers of personal data from the U.K. to certified companies in the United States took effect in October 2023. However, the DPF and U.K. DPF are subject to further legal challenge which could cause the legal requirements for personal data transfers from the E.U., Switzerland and the U.K. to the United States to become uncertain once again. E.U., Switzerland and U.K. data protection authorities have and may again block the use of certain U.S.-based services that involve the transfer of personal data to the United States. In the E.U. and other markets, potential new rules and restrictions on the flow of data across borders could increase the cost and complexity of doing business in those regions. While we maintain an E.U.-U.S., Swiss-U.S. and U.K.-U.S. DPF certification, we still rely on the standard contractual clauses for intercompany data transfers from the European Union, Switzerland and the U.K. to the United States. As supervisory authorities continue to issue further guidance on personal data, we could suffer additional costs, complaints, or regulatory investigations or fines, and if we are otherwise unable to transfer personal data between and among countries and regions in which we operate, it could affect the manner in which we provide our services, the geographical location or segregation of our relevant systems and operations and could adversely affect our financial results. We are also subject to evolving E.U. privacy laws on cookies and e-marketing. In the European Union, regulators are increasingly focusing on compliance with requirements in the online behavioral advertising ecosystem, and an E.U. regulation known as the ePrivacy Regulation will significantly increase fines for non-compliance once in effect. In the European Union, informed consent, including a prohibition on pre-checked consents and a requirement to ensure separate consents for each cookie, is required for the placement of a cookie or similar technologies on a user's device and for direct electronic marketing. As regulators start to enforce the strict approach in recent guidance, this could lead to substantial costs, require significant systems changes, limit the effectiveness of our marketing activities, divert the attention of our technology personnel, negatively impact our efforts to understand users, adversely affect our margins, increase costs, and subject us to additional liabilities. There is a risk that as we expand, we may assume liabilities for breaches experienced by the companies we acquire. Additionally, there are potentially inconsistent world-wide government regulations pertaining to data protection and privacy. Despite our efforts to comply with applicable laws, regulations and other obligations relating to privacy, data protection, and information security, it is possible that our practices, offerings, or platform could fail, or be alleged to fail to meet applicable requirements. For instance, the overall regulatory framework governing the application of privacy laws to blockchain technology is still highly undeveloped and likely to evolve. Further there are also changes in the regulatory landscape relating to new and evolving technologies, such as generative AI, which we have and continue to find new ways to leverage in our products and internal operations. Changes to existing regulations, their interpretation or implementation, or new regulations could impede any potential use of AI technologies, which could impair our competitive position and result in an adverse effect on our business, results of operations and financial condition. Our failure, or the failure by our third-party providers or partners, to comply with applicable laws or regulations and to prevent unauthorized access to, or use or release of personal data, or the perception that any of the foregoing types of failure has occurred, even if unfounded, could subject us to audits, inquiries, whistleblower complaints, adverse media coverage, investigations, severe criminal, or civil sanctions, damage our reputation, or result in fines or proceedings by governmental agencies and private claims and litigation, any of which could adversely affect our business, operating results, and financial condition.

We currently support, and expect to continue to support, various crypto assets that represent units of value on smart contracts deployed on a third-party blockchain. Smart contracts are programs that store and transfer value and execute automatically when certain conditions are met. Since smart contracts typically cannot be stopped or reversed, vulnerabilities in their programming and design can have damaging effects. For instance, in April 2018, a batch overflow bug was found in many Ethereum-based ERC20-compatible smart contract tokens that allowed hackers to create a large number of smart contract tokens, causing multiple crypto asset platforms worldwide to shut down ERC20-compatible token trading. Similarly, in March 2020, a design flaw in the MakerDAO smart contract caused forced liquidations of crypto assets at significantly discounted prices, resulting in millions of dollars of losses to users who had deposited crypto assets into the smart contract. If any such vulnerabilities or flaws come to fruition, smart contract-based crypto assets, including those held by our customers on our platforms, may suffer negative publicity, be exposed to security vulnerabilities, decline significantly in value, and lose liquidity over a short period of time. In some cases, smart contracts can be controlled by one or more "admin keys" or users with special privileges, or "super users." These users have the ability to unilaterally make changes to the smart contract, enable or disable features on the smart contract, change how the smart contract receives external inputs and data, and make other changes to the smart contract. For smart contracts that hold a pool of reserves, these users may also be able to extract funds from the pool, liquidate assets held in the pool, or take other actions that decrease the value of the assets held by the smart contract in reserves. Even for crypto assets that have adopted a decentralized governance mechanism, such as smart contracts that are governed by the holders of a governance token, such governance tokens can be concentrated in the hands of a small group of core community members, who would be able to make similar changes unilaterally to the smart contract. If any such super user or group of core members unilaterally make adverse changes to a smart contract, the design, functionality, features and value of the smart contract, its related crypto assets may be harmed. In addition, assets held by the smart contract in reserves may be stolen, misused, burnt, locked up or otherwise become unusable and irrecoverable. These super users can also become targets of hackers and malicious attackers. If an attacker is able to access or obtain the super user privileges of a smart contract, or if a smart contract's super users or core community members take actions that adversely affect the smart contract, our customers who hold and transact in the affected crypto assets may experience decreased functionality and value of the applicable crypto assets, up to and including a total loss of the value of such crypto assets. Although we do not control these smart contracts, any such events could cause customers to seek damages against us for their losses, result in reputational damage to us, or in other ways adversely impact our business.

We rely on banks and other payment processors to process customers' payments in connection with the purchase of crypto assets on our platform and we pay these providers fees for their services. From time to time, payment networks have increased, and may increase in the future, the interchange fees and assessments that they charge for transactions that use their networks. Payment networks have imposed, and may impose in the future, special fees on the purchase of crypto assets, including on our platform, which could negatively impact us and significantly increase our costs. Our payment card processors may have the right to pass any increases in interchange fees and assessments on to us, and may impose additional use charges which would increase our operating costs and reduce our operating income. We could attempt to pass these increases along to our customers, but this strategy might result in the loss of customers to our competitors that may not pass along the increases, thereby reducing our revenue and earnings. If competitive practices prevent us from passing along the higher fees to our customers in the future, we may have to absorb all or a portion of such increases, thereby increasing our operating costs and reducing our earnings. We may also be directly or indirectly liable to the payment networks for rule violations. Payment networks set and interpret their network operating rules and have alleged from time to time that various aspects of our business model violate these operating rules. If such allegations are not resolved favorably, they may result in significant fines and penalties or require changes in our business practices that may be costly and adversely affect our business. The payment networks could adopt new operating rules or interpret or reinterpret existing rules that we or our processors might find difficult or even impossible to follow, or costly to implement. As a result, we could lose our ability to give customers the option of using cards to fund their purchases or the choice of currency in which they would like their card to be charged. If we are unable to accept cards or are limited in our ability to do so, our business would be adversely affected.

We hold cash and safeguard crypto assets on behalf of our customers and hold fiat and crypto for corporate investment and operating purposes. In addition, following the acquisition of Coinbase Asset Management, formerly One River Digital Asset Management ("CBAM"), we additionally safeguard, as defined by Staff Accounting Bulletin No. 121 issued by the staff of the SEC ("SAB 121"), an immaterial amount of cryptocurrencies at third-party custodians for asset management products. Safeguarding customers' cash and crypto assets is integral to the trust we build with our customers. We believe our policies, procedures, operational controls and controls over financial reporting, protect us from material risks surrounding the safeguarding of these assets and conflicts of interest. Our controls over financial reporting include among others, controls over the segregation of corporate crypto asset balances from customer crypto asset balances, controls over the processes of customer crypto asset deposits and customer crypto asset withdrawals and corporate and customer fiat balances. Our financial statements and disclosures, as a whole, are available through periodic filings on a quarterly basis, and compliant with annual audit requirements of Article 3 of Regulation S-X. We hold cash at financial institutions in accounts designated as for the benefit of our customers. We have also entered into partnerships or joint ventures with third parties, such as with the issuer of USDC, where we or our partners receive and hold customer funds. Our and our financial partners' abilities to manage and accurately hold customer cash and cash we hold for our own investment and operating purposes requires a high level of internal controls. We are limited in our ability to influence or manage the controls and processes of third party partners or vendors and may be dependent on our partners' and vendors' operations, liquidity and financial condition to manage these risks. As we maintain, grow and expand our product and services offerings we also must scale and strengthen our internal controls and processes, and monitor our third party partners' and vendors' ability to similarly scale and strengthen. Failure to do so could adversely impact our business, operating results, and financial condition. This is important both to the actual controls and processes and the public perception of the same. Any inability by us to maintain our safeguarding procedures, perceived or otherwise, could harm our business, operating results, and financial condition. Accordingly, we take steps to ensure customer cash is always secure. Customer cash and crypto asset balances are maintained through our internal ledgering processes. Customer cash is maintained in segregated Company bank accounts that are held for the exclusive benefit of customers with our financial institution banking partners or in government money market funds. We safeguard crypto assets using proprietary technology and operational processes. Crypto assets are not insured or guaranteed by any government or government agency, however we have worked hard to safeguard our customers' crypto assets and our own crypto assets for investment and operational purposes with legal and operational protections. Any material failure by us or our partners to maintain the necessary controls, policies, procedures or to manage the crypto assets we hold for our own investment and operating purposes could also adversely impact our business, operating results, and financial condition. Further, any material failure by us or our partners to maintain the necessary controls or to manage customer crypto assets and funds appropriately and in compliance with applicable regulatory requirements could result in reputational harm, litigation, regulatory enforcement actions, significant financial losses, lead customers to discontinue or reduce their use of our and our partners' products, and result in significant penalties and fines and additional restrictions, which could adversely impact our business, operating results, and financial condition. Moreover, because custodially held crypto assets may be considered to be the property of a bankruptcy estate, in the event of a bankruptcy, the crypto assets we hold in custody on behalf of our customers could be subject to bankruptcy proceedings and such customers could be treated as our general unsecured creditors. This may result in customers finding our custodial services more risky and less attractive and any failure to increase our customer base, discontinuation or reduction in use of our platform and products by existing customers as a result could adversely impact our business, operating results, and financial condition. Additionally, following the acquisition of CBAM, some of our asset management products hold customer assets at third-party custodians with their own bankruptcy protection procedures. We place great importance on safeguarding crypto assets we custody and keeping them bankruptcy remote from our general creditors, and in June 2022 we updated our Retail User Agreement to clarify the applicability of UCC Article 8 to custodied crypto assets – the same legal protection that our institutional custody and prime broker clients also rely upon. UCC Article 8 provides that financial assets held by Coinbase are not property of Coinbase and not subject to the claims of its general creditors. In light of UCC Article 8, we believe that a court would not treat custodied crypto assets as part of our general estate; however, due to the novelty of crypto assets, courts have not yet considered this type of treatment for custodied crypto assets. We deposit, transfer, and custody customer cash and crypto assets in multiple jurisdictions. In each instance, we require bank-level security encryption to safeguard customers' assets for our wallet and storage systems, as well as our financial management systems related to such custodial functions. Our security technology is designed to prevent, detect, and mitigate inappropriate access to our systems, by internal or external threats. We believe we have developed and maintained administrative, technical, and physical safeguards designed to comply with applicable legal requirements and industry standards. However, it is nevertheless possible that hackers, employees or service providers acting contrary to our policies, or others could circumvent these safeguards to improperly access our systems or documents, or the systems or documents of our business partners, agents, or service providers, and improperly access, obtain, or misuse customer crypto assets and funds. The methods used to obtain unauthorized access, disable, or degrade service or sabotage systems are also constantly changing and evolving and may be difficult to anticipate or detect for long periods of time. Certain of our customer contracts do not limit our liability with respect to security breaches and other security-related matters and our insurance coverage for such impropriety is limited and may not cover the extent of loss nor the nature of such loss, in which case we may be liable for the full amount of losses suffered, which could be greater than all of our assets. Our ability to maintain insurance is also subject to the insurance carriers' ongoing underwriting criteria. Any loss of customer cash or crypto assets could result in a subsequent lapse in insurance coverage, which could cause a substantial business disruption, adverse reputational impact, inability to compete with our competitors, and regulatory investigations, inquiries, or actions. Additionally, transactions undertaken through our websites or other electronic channels may create risks of fraud, hacking, unauthorized access or acquisition, and other deceptive practices. Any security incident resulting in a compromise of customer assets could result in substantial costs to us and require us to notify impacted individuals, and in some cases regulators, of a possible or actual incident, expose us to regulatory enforcement actions, including substantial fines, limit our ability to provide services, subject us to litigation, significant financial losses, damage our reputation, and adversely affect our business, operating results, financial condition, and cash flows.

Our success depends on our ability to retain existing customers and attract new customers, including developers, to increase engagement with our products, services, and platform. To do so, we must continue to offer leading technologies and ensure that our products and services are secure, reliable, and engaging. We must also expand our products and services, and offer competitive prices in an increasingly crowded and price-sensitive market. There is no assurance that we will be able to continue to do so, that we will be able to retain our current customers or attract new customers, or keep our customers engaged. Any number of factors can negatively affect customer retention, growth, and engagement, including if: - customers increasingly engage with competing products and services, including products and services that we are unable to offer due to regulatory reasons;- we fail to introduce new and improved products and services, or if we introduce new products or services that are not favorably received;- we fail to support new and in-demand crypto assets or if we elect to support crypto assets with negative reputations;- there are changes in sentiment about the quality or usefulness of our products and services or concerns related to privacy, security, fiat pegging or other factors;- there are adverse changes in our products and services that are mandated by legislation, regulatory authorities, or litigation;- customers perceive the crypto assets on our platform to be bad investments, or experience significant losses in investments made on our platform;- technical or other problems prevent us from delivering our products and services with the speed, functionality, security, and reliability that our customers expect;- cybersecurity incidents, employee or service provider misconduct, or other unforeseen activities cause losses to us or our customers, including losses to assets held by us on behalf of our customers;- modifications to our pricing model or modifications by competitors to their pricing models;- we fail to provide adequate customer service;- regulatory and governmental bodies in countries that we target for expansion express negative views towards crypto asset trading platforms and, more broadly, the cryptoeconomy; or - we or other companies or high-profile figures in our industry are the subject of adverse media reports or other negative publicity. From time to time, certain of these factors have negatively affected customer retention, growth, and engagement to varying degrees. If we are unable to maintain or increase our customer base and customer engagement, our revenue and financial results may be adversely affected. Any decrease in user retention, growth, or engagement could render our products and services less attractive to customers, which may have an adverse impact on our revenue, business, operating results, and financial condition. If our customer growth rate slows or declines, we will become increasingly dependent on our ability to maintain or increase levels of user engagement and monetization in order to drive growth of revenue.

Certain supported crypto assets enable holders to earn rewards by participating in decentralized governance, bookkeeping and transaction confirmation activities on their underlying blockchain networks, such as through staking activities, including staking through validation, delegating, and baking. We currently provide and expect to continue to provide such services for certain supported crypto assets to our customers in order to enable them to earn rewards based on crypto assets that we hold on their behalf. For instance, as a service to customers, we operate staking nodes on certain blockchain networks utilizing customers' crypto assets and pass through the rewards received to those customers, less a service fee. In other cases, upon customers' instructions, we may delegate our customers' assets to third-party service providers that are unaffiliated with us. Some networks may further require customer assets to be transferred into smart contracts on the underlying blockchain networks not under our or anyone's control. If our validator, any third-party service providers, or smart contracts fail to behave as expected, suffer cybersecurity attacks, experience security issues, or encounter other problems, our customers' assets may be irretrievably lost. In addition, certain blockchain networks dictate requirements for participation in the relevant decentralized governance activity, and may impose penalties, or "slashing," if the relevant activities are not performed correctly, such as if the staker, delegator, or baker acts maliciously on the network, "double signs" any transactions, or experience extended downtimes. If we or any of our service providers are slashed by the underlying blockchain network, our customers' assets may be confiscated, withdrawn, or burnt by the network, resulting in losses for which we may be responsible. Furthermore, certain types of staking require the payment of transaction fees on the underlying blockchain network and such fees can become significant as the amount and complexity of the transaction grows, depending on the degree of network congestion and the price of the network token. If we experience a high volume of such staking requests from our customers on an ongoing basis, we could incur significant costs. Any penalties or slashing events could damage our brand and reputation, cause us to suffer financial losses, discourage existing and future customers from utilizing our products and services, and adversely impact our business.

From time to time we have been, and may in the future be, subject to claims and disputes with our customers with respect to our products and services, such as regarding the execution and settlement of crypto asset trades, fraudulent or unauthorized transactions, account takeovers, deposits and withdrawals of crypto assets, failures or malfunctions of our systems and services, or other issues relating to our products services. For example, during periods of heavy Trading Volumes, we have received increased customer complaints. Additionally, the ingenuity of criminal fraudsters, combined with many consumer users' susceptibility to fraud, may cause our customers to be subject to ongoing account takeovers and identity fraud issues. While we have taken measures to detect and reduce the risk of fraud, there is no guarantee that they will be successful and, in any case, require continuous improvement and optimization for continually evolving forms of fraud to be effective. There can be no guarantee that we will be successful in detecting and resolving these disputes or defending ourselves in any of these matters, and any failure may result in impaired relationships with our customers, damage to our brand and reputation, and substantial fines and damages. In some cases, the measures we have implemented to detect and deter fraud have led to poor customer experiences, including indefinite account inaccessibility for some of our customers, which increases our customer support costs and can compound damages. We could incur significant costs in compensating our customers, such as if a transaction was unauthorized, erroneous, or fraudulent. We could also incur significant legal expenses resolving and defending claims, even those without merit. To the extent we are found to have failed to fulfill our regulatory obligations, we could also lose our authorizations or licenses or become subject to conditions that could make future operations more costly, impair our ability to grow, and adversely impact our operating results. We currently are, and may in the future become, subject to investigation and enforcement action by state, federal, and international consumer protection agencies, including the Consumer Financial Protection Bureau (the "CFPB"), the Federal Trade Commission (the "FTC"), state attorneys general in the United States, the U.K. Financial Conduct Authority, the U.K. Financial Ombudsman Service, and the U.K. Office of Fair Trading, each of which monitors customer complaints against us and, from time to time, escalates matters for investigation and potential enforcement against us. While certain of our customer agreements contain arbitration provisions with class action waiver provisions that may limit our exposure to consumer class action litigation, some federal, state, and foreign courts have refused or may refuse to enforce one or more of these provisions, and there can be no assurance that we will be successful in enforcing these arbitration provisions, including the class action waiver provisions, in the future or in any given case. Legislative, administrative, or regulatory developments may directly or indirectly prohibit or limit the use of pre-dispute arbitration clauses and class action waiver provisions. Any such prohibitions or limitations on or discontinuation of the use of such arbitration or class action waiver provisions could subject us to additional lawsuits, including additional consumer class action litigation, and significantly limit our ability to avoid exposure from consumer class action litigation.

In connection with our Prime trading service, we routinely route customer orders to third-party exchanges or other trading venues. In connection with these activities, we generally hold cash and other crypto assets with such third-party exchanges or other trading venues in order to effect customer orders. If we were to experience a disruption in our access to these third-party exchanges and trading venues, our Prime trading service could be adversely affected to the extent that we are limited in our ability to execute order flow for our Prime customers. In addition, while we have policies and procedures to help mitigate our risks related to routing orders through third-party trading venues, if any of these third-party trading venues experience any technical, legal, regulatory or other adverse events, such as shutdowns, delays, system failures, suspension of withdrawals, illiquidity, insolvency, or loss of customer assets, we might not be able to fully recover the cash and other crypto assets that we have deposited with these third parties, and these risks may be heightened following the 2022 Events. For example, in connection with the 2022 Events, we were not able to recover an immaterial amount of cash deposited at FTX. As a result, our business, operating results and financial condition could be adversely affected.

We receive a high degree of media coverage in the cryptoeconomy and around the world. Unfavorable publicity regarding, for example, our product changes, product quality, litigation or regulatory activity, privacy and data security practices, terms of service, employment matters, the use of our products, services, or supported crypto assets for illicit or objectionable ends, the actions of our customers, or the actions of other companies that provide similar services to ours, has in the past, and could in the future, adversely affect our reputation. Further, we have in the past, and may in the future, be the target of social media campaigns criticizing actual or perceived actions or inactions that are disfavored by our customers, employees, or society at-large, which campaigns could materially impact our customers' decisions to trade on our platform. Any such negative publicity could have an adverse effect on the size, activity, and loyalty of our customers and result in a decrease in net revenue, which could adversely affect our business, operating results, and financial condition.

Our business involves the collection, storage, processing, and transmission of confidential information, customer, employee, service provider, and other personal data, as well as information required to access customer assets. We have built our reputation on the premise that our platform offers customers a secure way to purchase, store, and transact in crypto assets. As a result, any actual or perceived security breach of us or our third-party partners may: - harm our reputation and brand;- result in our systems or services being unavailable and interrupt our operations;- result in improper disclosure of data and violations of applicable privacy and data protection laws;- result in significant regulatory scrutiny, investigations, fines, penalties, and other legal, regulatory, and financial exposure;- cause us to incur significant remediation costs;- lead to theft or irretrievable loss of our or our customers' fiat currencies or crypto assets;- reduce customer confidence in, or decreased use of, our products and services;- divert the attention of management from the operation of our business;- result in significant compensation or contractual penalties from us to our customers or third parties as a result of losses to them or claims by them; and - adversely affect our business and operating results. For example, in 2021, third parties independently obtained login credentials and personal information for at least 6,000 customers and used those credentials to exploit a vulnerability that previously existed in the account recovery process. Coinbase reimbursed impacted customers approximately $25.1 million. Further, any actual or perceived breach or cybersecurity attack directed at other financial institutions or crypto companies, whether or not we are directly impacted, could lead to a general loss of customer confidence in the cryptoeconomy or in the use of technology to conduct financial transactions, which could negatively impact us, including the market perception of the effectiveness of our security measures and technology infrastructure. An increasing number of organizations, including large merchants, businesses, technology companies, and financial institutions, as well as government institutions, have disclosed breaches of their information security systems, some of which have involved sophisticated and highly targeted attacks, including on their websites, mobile applications, and infrastructure. Attacks upon systems across a variety of industries, including the crypto industry, are increasing in their frequency, persistence, and sophistication, and, in many cases, are being conducted by sophisticated, well-funded, and organized groups and individuals, including state actors. The techniques used to obtain unauthorized, improper, or illegal access to systems and information (including customers' personal data and crypto assets), disable or degrade services, or sabotage systems are constantly evolving, may be difficult to detect quickly, and often are not recognized or detected until after they have been launched against a target. These attacks may occur on our systems or those of our third-party service providers or partners. Certain types of cyberattacks could harm us even if our systems are left undisturbed. For example, attacks may be designed to deceive employees and service providers into releasing control of our systems to a hacker, while others may aim to introduce computer viruses or malware into our systems with a view to stealing confidential or proprietary data. Additionally, certain threats are designed to remain dormant or undetectable until launched against a target and we may not be able to implement adequate preventative measures. Although we have developed systems and processes designed to protect the data we manage, prevent data loss and other security breaches, effectively respond to known and potential risks, and expect to continue to expend significant resources to bolster these protections, there can be no assurance that these security measures will provide absolute security or prevent breaches or attacks. We have experienced from time to time, and may experience in the future, breaches of our security measures due to human error, malfeasance, insider threats, system errors or vulnerabilities, or other irregularities. Unauthorized parties have attempted, and we expect that they will continue to attempt, to gain access to our systems and facilities, as well as those of our customers, partners, and third-party service providers, through various means, including hacking, social engineering, phishing, and attempting to fraudulently induce individuals (including employees, service providers, and our customers) into disclosing usernames, passwords, payment card information, or other sensitive information, which may in turn be used to access our information technology systems and customers' crypto assets. Threats can come from a variety of sources, including criminal hackers, hacktivists, state-sponsored intrusions, industrial espionage, and insiders. Certain threat actors may be supported by significant financial and technological resources, making them even more sophisticated and difficult to detect. We may also acquire other companies that expose us to unexpected security risks or increase costs to improve the security posture of the acquired company. Further, there has been an increase in such threat actor activities as a result of the increased prevalence of hybrid and remote working arrangements in recent years. As a result, our costs and the resources we devote to protecting against these advanced threats and their consequences may continue to increase over time. Although we maintain insurance coverage, it may be insufficient to protect us against all losses and costs stemming from security breaches, cyberattacks, and other types of unlawful activity, or any resulting disruptions or data theft and loss from such events. Outages and disruptions of our platform, including any caused by cyberattacks, may harm our reputation and our business, operating results, and financial condition.

Our reputation and ability to attract and retain customers and grow our business depends on our ability to operate our service at high levels of reliability, scalability, and performance, including the ability to process and monitor, on a daily basis, a large number of transactions that occur at high volume and frequencies across multiple systems. For example, in March 2023, there was a temporary disruption to USDC services for several days following the news of Silicon Valley Bank's closure. Our platform, the ability of our customers to trade, and our ability to operate at a high level, are dependent on our ability to access the blockchain networks underlying the supported crypto assets, for which access is dependent on our systems' ability to access the internet. Further, the successful and continued operations of such blockchain networks will depend on a network of computers, miners, or validators, and their continued operations, all of which may be impacted by service interruptions. Our systems, the systems of our third-party service providers and partners, and certain crypto asset and blockchain networks have experienced from time to time, and may experience in the future service interruptions or degradation because of hardware and software defects or malfunctions, distributed denial-of-service and other cyberattacks, insider threats, break-ins, sabotage, human error, vandalism, earthquakes, hurricanes, floods, fires, and other natural disasters, power losses, disruptions in telecommunications services, fraud, military or political conflicts, terrorist attacks, computer viruses or other malware, or other events. In addition, extraordinary Trading Volumes or site usage could cause our computer systems to operate at an unacceptably slow speed or even fail. Some of our systems, including systems of companies we have acquired, or the systems of our third-party service providers and partners are not fully redundant, and our or their disaster recovery planning may not be sufficient for all possible outcomes or events. If any of our systems, or those of our third-party service providers, are disrupted for any reason, our products and services may fail, resulting in unanticipated disruptions, slower response times and delays in our customers' trade execution and processing, failed settlement of trades, incomplete or inaccurate accounting, recording or processing of trades, unauthorized trades, loss of customer information, increased demand on limited customer support resources, customer claims, complaints with regulatory organizations, lawsuits, or enforcement actions. Further, when these disruptions occur, we have in the past, and may in the future, fulfill customer transactions using inventory to prevent adverse user impact and limit detrimental impact to our operating results. A prolonged interruption in the availability or reduction in the availability, speed, or functionality of our products and services could harm our business. Significant or persistent interruptions in our services could cause current or potential customers or partners to believe that our systems are unreliable, leading them to switch to our competitors or to avoid or reduce the use of our products and services, and could permanently harm our reputation and brands. Moreover, to the extent that any system failure or similar event results in damages to our customers or their business partners, these customers or partners could seek significant compensation or contractual penalties from us for their losses, and those claims, even if unsuccessful, would likely be time-consuming and costly for us to address. Problems with the reliability or security of our systems would harm our reputation and the cost of remedying these problems could negatively affect our business, operating results, and financial condition. Because we are a regulated financial institution in certain jurisdictions, interruptions have resulted and in the future may result in regulatory scrutiny, and significant or persistent interruptions could lead to significant fines and penalties, and mandatory and costly changes to our business practices, and ultimately could cause us to lose existing licenses or banking relationships that we need to operate or prevent or delay us from obtaining additional licenses that may be required for our business. In addition, we are continually improving and upgrading our information systems and technologies. Implementation of new systems and technologies is complex, expensive, time-consuming, and may not be successful. If we fail to timely and successfully implement new information systems and technologies, or improvements or upgrades to existing information systems and technologies, or if such systems and technologies do not operate as intended, it could have an adverse impact on our business, internal controls (including internal controls over financial reporting), operating results, and financial condition.

In order to support any supported crypto asset, a variety of front and back-end technical and development work is required to implement our wallet, custody, trading, staking and other solutions for our customers, and to integrate such supported crypto asset with our existing technical infrastructure. For certain crypto assets, a significant amount of development work is required and there is no guarantee that we will be able to integrate successfully with any existing or future crypto asset. In addition, such integration may introduce software errors or weaknesses into our platform, including our existing infrastructure. Even if such integration is initially successful, any number of technical changes, software upgrades, soft or hard forks, cybersecurity incidents, or other changes to the underlying blockchain network may occur from time to time, causing incompatibility, technical issues, disruptions, or security weaknesses to our platform. If we are unable to identify, troubleshoot and resolve any such issues successfully, we may no longer be able to support such crypto asset, our customers' assets may be frozen or lost, the security of our hot, warm, or cold wallets may be compromised, and our platform and technical infrastructure may be affected, all of which could adversely impact our business.

We hold investments in various DeFi protocols. These protocols achieve their investment purposes through self-executing smart contracts that allow users to invest crypto assets in a pool from which other users can borrow without requiring an intermediate party to facilitate these transactions. These investments earn interest to the investor based on the rates at which borrowers repay the loan, and can generally be withdrawn with no restrictions. However, these DeFi protocols are subject to various risks, including uncertain regulatory and compliance conditions in large markets such as the United States, the risk that the underlying smart contract is insecure, the risk that borrowers may default and the investor will not be able to recover its investment, the risk that any underlying collateral may experience significant volatility, and the risk of certain core developers with protocol administration rights can make unauthorized or harmful changes to the underlying smart contract. If any of these risks materialize, our investments in these DeFi protocols may be adversely impacted.

In order to own, transfer and use a crypto asset on its underlying blockchain network, a person must have a private and public key pair associated with a network address, commonly referred to as a "wallet." Each wallet is associated with a unique "public key" and "private key" pair, each of which is a string of alphanumerical characters. To deposit crypto assets held by a customer onto our platform or custody platform, a customer must "sign" a transaction that consists of the private key of the wallet from where the customer is transferring crypto assets, the public key of a wallet that we control which we provide to the customer, and broadcast the deposit transaction onto the underlying blockchain network. Similarly, to withdraw crypto assets from our platform or custody platform, the customer must provide us with the public key of the wallet that the crypto assets are to be transferred to, and we would be required to "sign" a transaction authorizing the transfer. In addition, some crypto networks require additional information to be provided in connection with any transfer of crypto assets to or from our platforms. A number of errors can occur in the process of depositing or withdrawing crypto assets into or from our platform, such as typos, mistakes, or the failure to include the information required by the blockchain network. For instance, a user may incorrectly enter our wallet's public key or the desired recipient's public key when depositing and withdrawing from our platforms, respectively. Alternatively, a user may transfer crypto assets to a wallet address that the user does not own, control or hold the private keys to. In addition, each wallet address is only compatible with the underlying blockchain network on which it is created. For instance, a Bitcoin wallet address can only be used to send and receive Bitcoins. If any Ethereum or other crypto assets are sent to a Bitcoin wallet address, or if any of the foregoing errors occur, all of the customer's sent crypto assets will be permanently and irretrievably lost with no means of recovery. We have encountered and expect to continue to encounter similar incidents with our customers. Such incidents could result in customer disputes, damage to our brand and reputation, legal claims against us, and financial liabilities, any of which could adversely affect our business. Moreover, we hold customer assets one-to-one at all times and we have procedures to process redemptions and withdrawals expeditiously, following the terms of the applicable user agreements. We have not experienced excessive redemptions or withdrawals, or prolonged suspended redemptions or withdrawals, of crypto assets to date. However, similar to traditional financial institutions, we may experience temporary process-related withdrawal delays. For example, we, and traditional financial institutions, may experience such delays if there is a significant volume of withdrawal requests that is vastly beyond anticipated levels. This does not mean we cannot or will not satisfy withdrawals, but this may mean a temporary delay in satisfying withdrawal requests, which we still expect to be satisfied within the withdrawal timelines set forth in the applicable user agreements or otherwise communicated by us. To the extent we have process-related delays, even if brief or due to blockchain network congestion or heightened redemption activity, and within the terms of an applicable user agreement or otherwise communicated by us, we may experience increased customer complaints and damage to our brand and reputation and face additional regulatory scrutiny, any of which could adversely affect our business.

Our platform contains software modules licensed to us by third-party authors under "open source" licenses. We also make certain of our own software available to users for free under various open source licenses. Use and distribution of open source software may entail greater risks than use of third-party commercial software, as open source licensors generally do not provide support, warranties, indemnification or other contractual protections regarding infringement claims or the quality of the code. In addition, the public availability of such software may make it easier for others to compromise our platform. Some open source licenses contain requirements that we make available source code for modifications or derivative works we create based upon the type of open source software we use, or grant other licenses to our intellectual property. If we combine our proprietary software with open source software in a certain manner, we could, under certain open source licenses, be required to release the source code of our proprietary software to the public. This would allow our competitors to create similar offerings with lower development effort and time and ultimately could result in a loss of our competitive advantages. Alternatively, to avoid the public release of the affected portions of our source code, we could be required to expend substantial time and resources to re-engineer some or all of our software. We have not recently conducted an extensive audit of our use of open source software and, as a result, we cannot assure you that our processes for controlling our use of open source software in our platform are, or will be, effective. If we are held to have breached or failed to fully comply with all the terms and conditions of an open source software license, we could face litigation, infringement or other liability, or be required to seek costly licenses from third parties to continue providing our offerings on terms that are not economically feasible, to re-engineer our platform, to discontinue or delay the provision of our offerings if re-engineering could not be accomplished on a timely basis or to make generally available, in source code form, our proprietary code, any of which could adversely affect our business, operating results, and financial condition. Moreover, the terms of many open source licenses have not been interpreted by U.S. or foreign courts. As a result, there is a risk that these licenses could be construed in a way that could impose unanticipated conditions or restrictions on our ability to provide or distribute our platform. From time to time, there have been claims challenging the ownership of open source software against companies that incorporate open source software into their solutions. As a result, we could be subject to lawsuits by parties claiming ownership of what we believe to be open source software.