We receive, process, store and use business and personal data relating to our employees, members and customers around the world, including the United States and the European Economic Area ("EEA"). As a result, our business is subject to a number of federal, state, local and foreign laws, regulations, regulatory codes and guidelines governing data privacy, data protection and security, including with respect to the collection, storage, use, processing, transmission, sharing and protection of personal data. For instance, laws in all fifty U.S. states and outside the United States (and sometimes contractual and/or other obligations) and certain international laws and regulations require notification of certain incidents to a number of third parties, such as impacted customers, regulators, credit reporting agencies or others when certain information has been compromised as a result of a security breach. We seek to comply with applicable laws, regulations, policies, legal obligations and industry standards and have developed privacy policies, data processing addenda and internal privacy procedures to reflect our practices designed to achieve such compliance. However, such laws, regulations, regulatory codes and guidelines are complex, may be inconsistent across jurisdictions or conflict with other rules, and their interpretation is rapidly evolving, making implementation and enforcement, and thus compliance requirements, ambiguous, uncertain and potentially inconsistent; therefore, there can be no assurance that our policies and processes will be fully implemented, complied with, or effective. Compliance with such laws may require changes to our data collection, use, transfer, disclosure, other processing, and certain other related business practices and may thereby increase compliance costs or have other material adverse effects on our business.
Further, any significant change in applicable laws, regulations, or industry practices regarding the use or disclosure of our members' or customers' data, or regarding the manner in which the express or implied consent of members or customers for the use and disclosure of such data is obtained, could require us to modify our platform, possibly in a material manner, and may limit our ability to develop new services and features that make use of the data that our members and customers voluntarily share.
A failure on our part to safeguard consumer data adequately or to destroy data securely or otherwise comply with legal obligations may subject us, depending on the personal data in question, to costs associated with notice and remediation, as well as potential regulatory investigations or enforcement actions, and possibly to civil liability, under federal, state, or foreign laws or regulations, industry standards, our internal privacy policies and procedures, or our contracts governing our processing of personal data, to claims by third parties, and to damage to our reputation, any of which could have an adverse effect on our operations, financial performance and business. We could also incur significant costs investigating and defending such claims and, if we are found liable, significant damages.
For example, in the United States, the data protection landscape is also rapidly growing and evolving at both the state and federal level. As our operations and business grow, we may become subject to or affected by new or additional data protection laws and regulations and face increased scrutiny or attention from regulatory authorities. For example, a number of state-level general data privacy laws have gone or will soon go into effect that introduce new data privacy rights for consumers and new operational requirements for companies. For instance, the California Consumer Privacy Act ("CCPA") provides data privacy rights for California residents and operational requirements for covered businesses. Among other things, companies covered by the CCPA must provide new disclosures to California residents and afford such residents certain privacy rights relating to their personal data. The CCPA also considers certain financial information to be "sensitive personal information," imposing additional requirements on businesses, such as public disclosures about how such data is being used and disclosed by the business. The CCPA also provides for civil penalties for violations, as well as a private right of action for certain data breaches, which increases the potential exposure in relation to data breaches. We cannot fully predict the impact of these laws, or subsequent guidance, regulations or rules on our business or operations, including those that are still in draft form, but they may increase our compliance costs and potential liability, particularly in the event of a data breach, and could have a material adverse effect on our business, including how we use personal data, our financial condition, and the results of our operations or prospects.
Further, if we become subject to other state-level privacy laws, guidelines or regulations, we may be required again to modify our data collection or processing practices and policies and to incur substantial costs and expenses in an effort to comply and increase our potential exposure to regulatory enforcement and/or litigation.
Furthermore, at the federal level, we are also subject to laws, regulations and standards covering marketing, advertising, cookies, tracking technologies, e-marketing, and other activities conducted by telephone, email, mobile devices and the internet, such as the Federal Wiretap Act, the Telephone Consumer Protection Act, the Controlling the Assault of Non-Solicited Pornography and Marketing Act, and similar state consumer protection and communication privacy laws. Additionally, the Federal Trade Commission ("FTC") and many state Attorneys General continue to enforce federal and state consumer protection laws against companies for online collection, use, dissemination and security practices that appear to be unfair or deceptive. For example, according to the FTC, failing to take appropriate steps to keep consumers' personal data secure can constitute unfair acts or practices in or affecting commerce in violation of Section 5(a) of the Federal Trade Commission Act. The FTC expects a company's data security measures to be reasonable and appropriate in light of the sensitivity and volume of consumer information it holds, the size and complexity of its business, and the cost of available tools to improve security and reduce vulnerabilities. There are a number of legislative proposals in the United States, at both the federal and state level, and in the E.U. and more globally, that could impose new obligations in areas such as e-commerce and other related legislation or liability for copyright infringement by third parties. We cannot yet determine the impact that these future laws, regulations and standards may have on our business.
In addition, the EU General Data Protection Regulation ("GDPR") imposes stringent data protection requirements for processing the personal data of individuals within the EEA. The GDPR enhances data protection obligations for processors and controllers of personal data, including, for example, expanded disclosure requirements, limitations on retention of personal data, mandatory data breach notification requirements and additional obligations. Non-compliance with the GDPR can trigger fines of up to the greater of €20 million or 4% of our global revenue. Among other requirements, the GDPR regulates transfers of personal data subject to the GDPR to third countries that have not been found to provide adequate protection to such personal data, including the United States, and the efficacy and longevity of current transfer mechanisms between the E.U. and the United States remains uncertain. For example, in 2016, the E.U. and United States agreed to a transfer framework for data transferred from the E.U. to the United States, called the Privacy Shield, but the Privacy Shield was invalidated in July 2020 by the Court of Justice of the European Union ("CJEU"). The CJEU also raised questions about whether the European Commission's Standard Contractual Clauses, one of the primary mechanisms used by companies to transfer personal data out of the EEA, comply with the GDPR. While the CJEU upheld the validity of the Standard Contractual Clauses, the CJEU ruled that the underlying data transfers must be assessed on a case-by-case basis by the data controller to determine whether the personal data will be adequately protected. At present, there are few if any viable alternatives to the Standard Contractual Clauses and, therefore, there is uncertainty regarding how to ensure that transfers of personal data from Europe to the United States comply with the GDPR.
As such, any transfers by us of personal data from Europe may not comply with European data protection laws and may increase our exposure to the GDPR's heightened sanctions for violations of its cross-border data transfer restrictions. Loss of our ability to transfer personal data from Europe may also require us to increase our data processing capabilities in those jurisdictions at significant expense.
Further, following the United Kingdom's withdrawal from the E.U. and the end of the related transition period, as of January 1, 2021, companies may be subject to both GDPR and the United Kingdom GDPR, or UK GDPR, which, together with the amended UK Data Protection Act 2018, retains the GDPR in UK national law. The UK GDPR mirrors the fines under the GDPR, imposing fines up to the greater of €20 million (£17.5 million) or 4% of global turnover. The relationship between the United Kingdom and the E.U. in relation to certain aspects of data protection law remains unclear, and it is unclear how United Kingdom data protection laws and regulations will develop in the medium to longer term, and how data transfers to and from the United Kingdom will be regulated in the long term. These changes will lead to additional costs and increase our overall risk exposure. Currently there is a four to six-month grace period agreed in the E.U. and United Kingdom Trade and Cooperation Agreement, ending June 30, 2021 at the latest, while the parties discuss an adequacy decision. The European Commission published a draft adequacy decision on February 19, 2021. If adopted, the decision will enable data transfers from E.U. member states to the United Kingdom for a four-year period, subject to subsequent extensions. While we have instituted a GDPR compliance strategy and program that we continue to evaluate and improve as our platform changes and expands, we still do not know how E.U. regulators will interpret or enforce many aspects of the GDPR, and some regulators may do so in an inconsistent manner, making such a prediction even more difficult.
In addition to the E.U., a growing number of other global jurisdictions are considering or have passed legislation implementing data protection requirements or requiring local storage and processing of data or similar requirements that could increase the cost and complexity of delivering our platform, particularly as we expand our operations internationally. Some of these laws, such as the General Data Protection Law in Brazil, or the Act on the Protection of Personal Information in Japan, impose similar obligations as those under the GDPR. Others, such as those in Russia, India and China, could potentially impose more stringent obligations, including data localization requirements. If we are unable to develop and offer features that meet legal requirements or help our members and customers meet their obligations under the laws or regulations relating to privacy, data protection, or information security, or if we violate or are perceived to violate any laws, regulations, or other obligations relating to privacy, data protection, or information security, we may experience reduced demand for our platform, harm to our reputation and become subject to investigations, claims and other remedies, which would expose us to significant fines, penalties and other damages, all of which would harm our business. Further, given the breadth and depth of changes in global data protection obligations, compliance has caused us to expend significant resources, and such expenditures are likely to continue into the future as we continue our compliance efforts and respond to new interpretations and enforcement actions.
In addition to laws relating to data privacy and security, we are subject to self-regulatory standards and industry certifications that may legally or contractually apply to us. These include the Payment Card Industry Data Security Standards ("PCI-DSS") with which we are currently compliant. In the event that we fail to comply with the PCI-DSS, we could be in breach of our obligations under customer and other contracts, fines and other penalties could result, and we may suffer reputational harm and damage to our operations, financial performance, reputation and business. Further, our clients may expect us to comply with more stringent privacy and data security requirements than those imposed by laws, regulations, or self-regulatory requirements, and we may be obligated contractually to comply with additional or different standards relating to our handling or protection of data on or by our offerings.