Evertec (EVTC) Risk Factors

We incorporate technology and software from third parties into our products. We cannot be certain that our vendors and licensors are not infringing the intellectual property rights of third parties or that the vendors and licensors have sufficient rights to the software and technology in all jurisdictions in which it may sell our products. If we are unable to obtain or maintain rights to any of this software or technology because of intellectual property infringement claims brought by third parties against our vendors and licensors or against us, or if we are unable to continue to obtain such software and technology or enter into new agreements on commercially reasonable terms, our ability to develop and sell products, subscriptions and services containing such software and technology could be severely limited, and our business could be harmed. Further, disputes with vendors and licensors over uses or terms could result in the payment of additional royalties or penalties by us, cancellation or non-renewal of the underlying license or litigation. Any such event could have a material and adverse impact on our business, financial condition, and results of operation. Additionally, if we are unable to obtain necessary software or technology from third parties, we may be forced to acquire or develop alternative software and technology, which may require significant time, cost and effort and may be of lower quality or performance standards. This would limit or delay our ability to offer new or competitive products and increase our costs. If alternative software or technology cannot be obtained or developed, we may not be able to offer certain functionality as part of our products, subscriptions and services. As a result, our margins, market share and results of operations could be significantly harmed.

We rely on computer systems, hardware, software, technology infrastructure, and online sites for both internal and external operations that are critical to our business (collectively, "IT Systems"). For example, we use our IT Systems to connect with our clients, people, and others. We own and manage some of these IT Systems, but also rely on third parties for a range of IT Systems and related products and services, including but not limited to cloud computing services. We and certain of our third-party providers also collect, store, transfer, process, and use business, personal, and financial data about our own business, clients, employees, business partners, and others, including information about individuals and proprietary information belonging to our business such as trade secrets. We face numerous and evolving cybersecurity risks that threaten the confidentiality, integrity, and availability of our IT Systems and data. These cybersecurity risks may arise from diverse threat actors, such as state-sponsored organizations and opportunistic hackers and hacktivists, as well as through diverse attack vectors, such as social engineering/phishing, malware (including ransomware), malfeasance by insiders, human or technological error, and as a result of malicious code embedded in open-source software, or misconfigurations, "bugs" or other vulnerabilities in commercial software that is integrated into our (or our suppliers' or service providers') IT Systems, products or services. Additionally, hardware, applications, or services that we develop or procure from third parties may contain defects in design or manufacture or other problems that could compromise the confidentiality, integrity, or availability of our data or IT Systems. Cybersecurity threats and attacks, including computer viruses, malware, hacking, ransomware or other destructive or disruptive software, are constantly evolving and pose a risk to our IT Systems and data. Cybersecurity attacks are expected to accelerate on a global basis in frequency and magnitude as threat actors are becoming increasingly sophisticated in using techniques and tools - including artificial intelligence - that circumvent security controls, evade detection, and remove forensic evidence. As a result, we may be unable to detect, investigate, remediate, or recover from future attacks or incidents, or to avoid a material adverse impact to our IT Systems, data, or business. There can also be no assurance that our cybersecurity risk management program and processes, including our policies, controls, or procedures, will be fully implemented, complied with, or effective in protecting our IT Systems and data, and our systems and processes may be unable to prevent material security breaches. Security breaches, improper use of our systems, and unauthorized access to our data and information by employees and others may pose a risk that data may be exposed to unauthorized persons or to the public. Such occurrences could adversely affect our business, results of operations, financial position, and reputation, and could result in litigation (including class actions) or regulatory investigations or enforcement actions. In addition, we make extensive use of third-party service providers, including providers that store, transmit and process data. These third-party service providers are also subject to malicious attacks and cybersecurity threats that could adversely affect our business, results of operations, financial condition, and reputation. Many of our services are based on sophisticated software, technology, computing systems, and other IT Systems, and we may encounter delays when developing new technology solutions and services. We and our third-party providers regularly experience cyberattacks and other incidents, and we expect such attacks and incidents to continue in varying degrees. In particular, we have experienced actual and attempted cyber-attacks of our IT Systems, such as through phishing scams, ransomware, exploitation of vulnerabilities in our IT Systems, and other methods of attack. Even though some of these attacks have been successful; none of these actual or attempted cyber-attacks has had a material adverse impact on our operations or financial condition, and we cannot guarantee that any such incidents will not have such an impact in the future. The IT Systems underlying our services have occasionally contained, and may in the future contain, undetected errors or defects when first introduced or when new versions are released. We may experience difficulties in installing or integrating our IT Systems on platforms used by our customers. Our businesses are dependent on our ability to reliably process, record and monitor a large number of transactions. We settle funds on behalf of financial institutions, other businesses and consumers and process funds transactions from clients, card issuers, payment networks and consumers on a daily basis for a variety of transaction types. Transactions facilitated by us include debit card, credit card, electronic bill payment transactions, ACH payments, electronic benefits transfer ("EBT") transactions and check clearing that supports consumers, financial institutions, and other businesses. These payment activities rely upon technology infrastructure that facilitates the verification of activity with counterparties, the facilitation of the payment and, in some cases, the detection or prevention of fraudulent payments. If any of our financial, accounting, or other data processing systems or applications or other IT Systems fail or experience other significant shortcomings, our ability to serve our clients and accordingly our results of operations could be materially adversely affected. Such failures or shortcomings could be the result of events that are beyond our control, which may include, for example, computer viruses, fires, electrical or telecommunications outages, natural disasters, future disease pandemics or other public health crisis, terrorist acts, political instability, or other unanticipated damage to property or physical assets. Certain of these events may become more frequent or intense as a result of climate change. For more information, see our risk factor titled "Our operations, business, customers and partners could be adversely affected by climate change". Any such shortcoming could also damage our reputation, require us to expend significant resources to correct the defect, and may result in liability to third parties, especially since some of our contractual agreements with financial institutions require the crediting of certain fees if our systems do not meet certain specified service levels. There is also a risk that we may lose critical data or experience IT System failures. We perform the vast majority of disaster recovery operations ourselves, though we utilize select third parties for some aspects of recovery. To the extent we outsource our disaster recovery, we are at risk of the vendor's unresponsiveness in the event of breakdowns in our IT Systems. Our property, business interruption, and cybersecurity insurance may not be adequate to compensate us for all losses or failures that may occur. We are similarly dependent on our employees to maintain our IT Systems. Our operations could be materially adversely affected if one or more employees cause a significant operational breakdown or failure, either intentionally or as a result of human error. Suppliers and third parties with which we do business could also be sources of operational risk to us, including relating to breakdowns or failures of such parties' own systems or employees. Any of these occurrences could diminish our ability to operate one or more of our businesses, or result in potential liability to clients, reputational damage and regulatory intervention or fines, any of which could materially adversely affect our financial condition or results of operations.

Our business is subject to the laws, rules, regulations, and policies in the countries in which we operate, as well as the legal interpretation of such regulations by administrative bodies and the judiciary of those countries. The expansion of our business may also result in increased regulatory oversight and enforcement, as well as any claims by regulatory agencies and courts that we are required to obtain licenses to engage in certain business activity. Enforcement of, failure, or perceived failure to comply with laws, rules, regulations, policies, or licensing requirements could result in criminal or civil lawsuits, penalties, fines, regulatory investigations, forfeiture of significant assets, an outright or partial restriction on our operations, enforcement in one or more jurisdictions, additional compliance and licensure requirements, reputational damage and force us to change the way we or our users do business. Any changes in our or our users' business methods could increase cost or reduce revenue. The laws, rules, regulations, and policies in the markets in which we operate include, but are not limited to, privacy and user data protection, banking, money transmission, antitrust, anti-money laundering and the export, re-export, and re-transfer abroad of covered items. In addition, our operations in most of the countries where we operate are subject to risks related to compliance with the U.S. Foreign Corrupt Practices Act and other applicable U.S. and other local laws prohibiting corrupt payments to government officials and other third parties. Privacy and Data Protection Our business relies on the processing of data in multiple jurisdictions and the movement of data across national borders. Legal requirements relating to the collection, storage, handling, use, disclosure, transfer, and security of personal data continues to evolve, and regulatory scrutiny in this area is increasing around the world. Significant uncertainty exists as privacy and data protection laws may differ from country to country and may create inconsistent or conflicting requirements. Our ongoing efforts to comply with privacy, cybersecurity, and data protection laws may entail expenses, may divert resources from other initiatives and projects, and could limit the service we are able to offer. Enforcement actions and investigations by regulatory authorities related to data security incidents and privacy actions or investigations could damage our reputation and impact us through increased costs or restrictions on our business, and noncompliance could result in regulatory penalties and significant legal liability. Although we make reasonable efforts to comply with all applicable data protection laws and regulations, our interpretations and efforts may have been or may prove to be insufficient or incorrect. We also make public statements about our use and disclosure of personal information through our privacy policy, information provided on our website and other public statements. Although we endeavor to ensure that our public statements are complete, accurate and fully implemented, we may at times fail to do so or be alleged to have failed to do so. We may be subject to potential regulatory or other legal action if such policies or statements are found to be deceptive, unfair or misrepresentative of our actual practices. In addition, from time to time, concerns may be expressed about whether our products and services compromise the privacy of our customers and others. Any concerns about our data privacy and security practices (even if unfounded), or any failure, real or perceived, by us to comply with our posted privacy policies or with any legal or regulatory requirements, standards, certifications or orders or other privacy or consumer protection-related laws and regulations applicable to us, could cause our customers, riders and users to reduce their use of our products and services. Banking In general, financial institution regulators require their supervised institutions to cause their service providers to agree to certain terms and to agree to supervision and oversight by applicable financial regulators, primarily to protect the safety and soundness of the financial institution. We have agreed to such terms and provisions in many of our service agreements with financial institutions. We and our customers are also generally subject to U.S. federal, Puerto Rico and other countries' laws, rules and regulations that affect the electronic payments industry, including with respect to activities in the countries where we operate and due to our relationship with customers that are subject to banking and financial regulation, including Popular. Regulation of the electronic payment card industry has increased significantly in recent years. There is also continued scrutiny by the U.S. Congress of the manner in which payment card networks and card issuers set various fees. Banking regulators have been strengthening their examination guidelines with respect to relationships between banks and their third-party service providers, such as us. Any such heightened supervision of our relationship with our banking and financial services customers, including Popular, could have an effect on our contractual relationship with our customers as well as on the standards applied in the evaluation of our services. See "Part I, Item 1. Business- Government Regulation and Payment Network Rules- Regulatory Reform and Other Legislative Initiatives." Export We are also subject to the Export Administration Regulations ("EAR"), which regulates the export, re-export and re-transfer abroad of covered items made or originating in the United States as well as the transfer of covered U.S.-origin technology abroad. There can be no assurance that we have not violated the EAR in past transactions or that our new policies and procedures will prevent us from violating the EAR in every transaction in which we engage. Any such violations of the EAR could result in fines, penalties or other sanctions being imposed on us, which could negatively affect our business, results of operations and financial condition. Some financial institutions refuse, even in the absence of a regulatory requirement, to provide services to companies operating in certain countries or engaging in certain practices because of concerns that the compliance efforts perceived to be necessary may outweigh the usefulness of the service relationship. Our operations outside the United States make it more likely that financial institutions may refuse to conduct business with us for this type of reason. Any such refusal could negatively affect our business, results of operations and financial condition. We and our subsidiaries conduct business with financial institutions and/or card payment networks operating in countries whose nationals, including some of our customers, engage in transactions in countries that are the target of U.S. economic sanctions and embargoes, including Cuba. As a U.S.-based entity, we and our subsidiaries are obligated to comply with the economic sanctions regulations administered by OFAC. These regulations prohibit U.S.-based entities from entering into or facilitating unlicensed transactions with, for the benefit of, or in some cases involving the property and property interests of, persons, governments, or countries designated by the U.S. government under one or more sanctions regimes. Various state and municipal governments, universities and other investors maintain prohibitions or restrictions on investments in companies that do business involving sanctioned countries or entities. Because we process transactions on behalf of financial institutions through the payment networks, we have processed a limited number of transactions potentially involving sanctioned countries and there can be no assurances that, in the future, we will not inadvertently process such transactions. Due to a variety of factors, including technical failures and limitations of our transaction screening process, conflicts between U.S. and local laws, political or other concerns in certain countries in which we and our subsidiaries operate, and/or failures in our ability to effectively control employees operating in certain non-U.S. subsidiaries, we have not rejected every transaction originating from or otherwise involving sanctioned countries, or persons and there can be no assurances that, in the future, we will not inadvertently fail to reject such transactions. Antitrust Due to our ownership of the ATH network and our merchant acquiring and payment services business in Puerto Rico, we are involved in a significant percentage of the debit and credit card transactions conducted in Puerto Rico each day. We have in the past been subject to regulatory investigations and any future regulatory scrutiny of, or regulatory enforcement action in connection with, compliance with U.S. state and federal antitrust requirements could potentially have a material adverse effect on our reputation and business. In addition, we are subject to applicable antitrust requirements in each of the countries in which we operate. All of these laws and requirements may affect potential acquisitions in the relevant jurisdictions. ESG Regulatory Developments The recent emphasis on environmental, social and other sustainability matters has resulted and may continue to result in the adoption of new laws and regulations, including new reporting requirements. For example, various policymakers, including the SEC, have adopted (or are considering adopting) requirements for the disclosure of certain climate-related information or other environmental, social and governance ("ESG") disclosures. Compliance with environmental, social and other sustainability laws, regulations, expectations or reporting requirements may result in increased compliance costs, as well as additional scrutiny. It is possible that other types of environmental and social regulations, for example regulations regarding the use of energy or water or regulations regarding human capital management matters, may also result in increased costs. Moreover, if we fail to comply with new laws, regulations, expectations or reporting requirements, or if we are perceived as failing, our reputation and business could be adversely impacted. Any reputational damage associated with ESG factors may also adversely impact our ability to recruit and retain employees and customers.

We conduct business and file income tax returns in several jurisdictions. Our consolidated effective income tax rate could be materially adversely affected by several factors, including: changing tax laws, regulations and treaties, or the interpretation thereof (such as the recent United States Inflation Reduction Act which, among other changes, introduced a 15% corporate minimum tax on certain United States corporations and a 1% excise tax on certain stock redemptions by United States corporations, which the U.S. Treasury indicated may also apply to certain stock redemptions by a foreign corporation funded by certain United States affiliates); tax policy initiatives and reforms (such as those related to the Organization for Economic Co-Operation and Development's ("OECD") Base Erosion and Profit Shifting, or BEPS, project and other initiatives); the practices of tax authorities in jurisdictions in which we operate; the resolution of issues arising from tax audits or examinations and any related interest or penalties. Such changes may include (but are not limited to) the taxation of operating income, investment income, dividends received or (in the specific context of withholding tax) dividends, royalties and interest paid. We are unable to predict what tax reforms may be proposed or enacted in the future or what effect such changes would have on our business, but such changes, to the extent they are brought into tax legislation, regulations, policies or practices in jurisdictions in which we operate, could increase the estimated tax liability that we have expensed to date and paid or accrued on our Consolidated Statement of Financial Position, and otherwise affect our future results of operations, cash flows in a particular period and overall or effective tax rates in the future in countries where we have operations, reduce post-tax returns to our stockholders and increase the complexity, burden and cost of tax compliance.

Companies across industries are facing increasing scrutiny from a variety of stakeholders related to their ESG practices. For example, various groups produce ESG scores or ratings based at least in part on a company's ESG disclosures, and certain market participants, including institutional investors and capital providers, use such ratings to assess companies' ESG profiles. Unfavorable perceptions of our ESG performance could negatively impact our business, whether from a reputational perspective, through a reduction in interest in purchasing our stock or products, issues in attracting/retaining employees, customers and business partners, or otherwise. Simultaneously, there are efforts by some stakeholders to reduce companies' efforts on certain ESG-related matters. Both advocates and opponents to certain ESG matters are increasingly resorting to a range of activism forms, including media campaigns and litigation, to advance their perspectives. To the extent we are subject to such activism, it may require us to incur costs or otherwise adversely impact our business. While we have engaged in, and expect to continue to engage in, certain voluntary initiatives (such as voluntary disclosures, certifications, or goals) to improve the ESG profile of our company and/or products or respond to stakeholder concerns, such initiatives may be costly and may not have the desired effect. Expectations around companies' management of ESG matters continue to evolve rapidly, in many instances due to factors that are out of our control. For example, our actions or statements that we may make based on expectations, assumptions, or third-party information that we currently believe to be reasonable may subsequently be determined to be erroneous or not in keeping with best practice. If we fail to, or are perceived to fail to, comply with or advance certain ESG initiatives (including the manner in which we complete such initiatives), we may be subject to various adverse impacts, including reputational damage and potential stakeholder engagement and/or litigation, even if such initiatives are currently voluntary. There are also increasing regulatory expectations for ESG matters. This and other stakeholder expectations will likely lead to increased costs as well as scrutiny that could heighten all of the risks identified in this risk factor. Additionally, many of our customers, business partners, and suppliers may be subject to similar expectations, which may augment or create additional risks, including risks that may not be known to us.

Growth in our merchant acquiring business is derived primarily from acquiring new merchant relationships, new and enhanced product and service offerings, cross selling products and services into existing relationships, the shift of consumer spending to increased usage of electronic forms of payment, and the strength of our existing commercial relationship with Banco Popular. A substantial portion of our business is generated from our Amended and Restated Independent Sales Organization Sponsorship and Services Agreement (the "A&R ISO Agreement") with Banco Popular, which was amended and restated on July 1, 2022, among other things, to extend its term to end in 2035. Banco Popular acts as a merchant referral source and provides sponsorship into the ATH, Visa, Discover and MasterCard networks for merchants, as well as card association sponsorship, clearing and settlement services. We provide transaction-processing and related functions. Both we and Popular, as alliance partners, may provide management, sales, marketing, and other administrative services to merchants. Although Banco Popular is not our sole distribution channel, it is the most significant. We rely on the continuing growth of our merchant relationships, which in turn is dependent upon our alliance with Banco Popular and other distribution channels. There can be no guarantee that this growth will continue and the loss or deterioration of these relationships, whether due to the termination of the A&R ISO Agreement or otherwise, could negatively impact our business and result in a material reduction of our revenue and income.

Puerto Rico's location in the Caribbean exposes the island to increased risk of hurricanes and other severe tropical weather conditions and natural disasters. Hurricanes and other natural disasters including earthquakes and wildfires, and their potential aftermaths, such as widespread power outages in Puerto Rico, damage to infrastructure and communications networks, and the temporary cessation and slow pace of reestablishment of regular day-to-day commerce, may severely impact the economies of Puerto Rico and the Caribbean more generally. These events have accelerated and could continue to accelerate the ongoing emigration trend of Puerto Rico residents to the United States. Prolonged delays in the repairs to the island's infrastructures, decline in business volumes, insufficient federal recovery and rebuilding assistance and any other economic declines due to natural disasters and their aftermaths may impact the demand for our services and could have a material adverse effect on our business and results of operations. Additionally, future disease pandemics or any other public health crisis may materially adversely affect our business, results of operations and financial condition, similar to or beyond those disruptions and operational consequences that we experienced in connection with the COVID-19 pandemic. Prolonged economic uncertainties relating to the residual impacts of COVID-19 could limit our ability to grow our business and negatively affect our operating results. Moreover, the global electronic payments industry and the banking and financial services industries depend heavily upon the overall levels of consumer, business and government spending. Adverse economic conditions, such as those caused by the COVID-19 pandemic, could result in a decrease in consumers' use of banking services and financial service providers resulting in significant decreases in the demand for our products and services which could adversely affect our business and operating results. As a result of Puerto Rico's high cost of electricity and governmental financial crisis, businesses may be reluctant to establish or expand their operations in Puerto Rico and the Caribbean, or might consider closing operations currently in such locations. If companies in the financial services and related industries decide not to commence new operations or not to expand their existing operations in Puerto Rico, or consider closing operations in Puerto Rico, the demand for our services could be negatively affected.