We receive, process, store and use business and personal data relating to our employees, business contacts, members and customers around the world, including the United States and the European Economic Area ("EEA") (collectively, "Personal Data"). As a result, our business is subject to a number of federal, state, local and foreign laws, regulations, regulatory codes and guidelines governing data privacy, data protection and security, including with respect to the collection, storage, use, processing, transmission, disclosure and protection of Personal Data.
For example, in the United States, the data protection landscape is rapidly growing and evolving at both the state and federal level. As our operations and business grow, we may become subject to or affected by new or additional data protection laws and regulations and face increased scrutiny or attention from regulatory authorities. Over a third of U.S. states have passed their own comprehensive consumer privacy laws, already in effect or soon to take effect, that introduce new data privacy rights for consumers and new operational requirements for companies. For instance, the California Consumer Privacy Act ("CCPA") provides data privacy rights for California residents and imposes operational requirements on covered businesses. Among other things, companies covered by the CCPA must provide new disclosures to California residents and afford such residents certain privacy rights relating to their Personal Data. The CCPA also treats certain financial information as "sensitive personal information," imposing additional requirements on businesses. The CCPA is enforceable by the California Attorney General and by the California Privacy Protection Agency, a new, additional enforcement body. The California Privacy Protection Agency continues to amend the CCPA regulations, building upon the requirements in the CCPA, including with respect to automated decision making, risk assessments and cybersecurity audits. In the event of an actual or perceived violation of the CCPA, these regulators could seek severe statutory damages, injunctive relief or agreed settlements providing for ongoing audit and reporting requirements. The CCPA also provides a private right of action relating to certain data security incidents. Additionally, laws in all fifty U.S. states require notification of certain incidents to a number of third parties, such as impacted customers, regulators, credit reporting agencies or others, when certain information has been compromised as a result of a security breach. We cannot fully predict the impact of these laws, or of subsequent guidance, regulations or rules, on our business or operations, but they may increase our compliance costs and potential liability, particularly in the event of a data breach, and could have a material adverse effect on our business, including how we use Personal Data, our financial condition, and the results of our operations or prospects. Further, if we become subject to new state-level privacy laws, guidelines or regulations in the future, we may again be required to modify our data collection or processing practices and policies and to incur substantial costs and expenses in an effort to comply, which would increase our potential exposure to regulatory enforcement and/or litigation.
Furthermore, at the federal level, we are also subject to laws, regulations and standards covering financial institutions, marketing, advertising, cookies, tracking technologies, e-marketing, and other activities conducted by telephone, email, mobile devices and the internet, such as the Gramm-Leach-Bliley Act ("GLBA"), the Federal Wiretap Act, the Telephone Consumer Protection Act, the Controlling the Assault of Non-Solicited Pornography and Marketing Act, and similar state consumer protection and communication privacy laws. The GLBA regulates, among other things, the use of certain information about individuals ("non-public personal information") in the context of the provision of financial services. The GLBA includes both a "Privacy Rule," which imposes obligations on financial institutions relating to the use or disclosure of non-public personal information, and a "Safeguards Rule," which imposes obligations on financial institutions and, indirectly, their service providers to implement and maintain physical, administrative and technological measures to protect the security of non-public personal financial information. Any failure to comply with the GLBA could result in substantial financial penalties.
Additionally, the Federal Trade Commission ("FTC") and many state Attorneys General continue to enforce federal and state consumer protection laws against companies for online collection, use, dissemination and security practices that appear to be unfair or deceptive. For example, according to the FTC, failing to take appropriate steps to keep consumers' Personal Data secure can constitute unfair acts or practices in or affecting commerce in violation of Section 5(a) of the Federal Trade Commission Act. The FTC expects a company's data security measures to be reasonable and appropriate in light of the sensitivity and volume of consumer information it holds, the size and complexity of its business, and the cost of available tools to improve security and reduce vulnerabilities. There are a number of legislative proposals in the United States, at both the federal and state level, in the EU and more globally that could impose new obligations in areas such as e-commerce and related fields, or liability for copyright infringement by third parties. We cannot yet determine the impact that these future laws, regulations and standards may have on our business.
In addition, we are subject to the EU General Data Protection Regulation (the "EU GDPR") and to the United Kingdom General Data Protection Regulation and Data Protection Act 2018 (collectively, the "UK GDPR") (the EU GDPR and UK GDPR together referred to as the "GDPR"), which impose stringent data protection requirements for processing the Personal Data of individuals. The GDPR places data protection obligations on processors and controllers of personal data, including, for example, disclosure and transparency requirements, limitations on retention and processing of personal data, and mandatory data breach notification requirements. In addition, the GDPR regulates transfers of Personal Data subject to the GDPR to third countries that have not been found to provide adequate protection to such Personal Data, and we expect the existing legal complexity and uncertainty regarding international personal data transfers to continue. In particular, we expect the European Commission's approval of the current EU-US Data Privacy Framework for data transfers to certified entities in the United States to be challenged, and international transfers to the United States and to other jurisdictions more generally to continue to be subject to enhanced scrutiny by regulators. As the regulatory guidance and enforcement landscape in relation to data transfers continues to develop, we could suffer additional costs, complaints and/or regulatory investigations or fines; we may have to stop using certain tools and vendors and make other operational changes; we may have to implement alternative data transfer mechanisms under the GDPR and/or take additional compliance and operational measures; and/or it could otherwise affect the manner in which we provide our services, and could adversely affect our business, operations and financial condition.
Since we are under the supervision of the relevant data protection authorities in both the EEA and the UK, we may be fined under both the EU GDPR and the UK GDPR for the same breach. Penalties for certain breaches are up to the greater of EUR 20 million / GBP 17.5 million or 4% of our global annual turnover. In addition to fines, a breach of the GDPR may result in regulatory investigations, reputational damage, orders to cease or change our data processing activities, enforcement notices, assessment notices for a compulsory audit and/or civil claims (including class actions).
We are also subject to evolving EU and UK privacy laws on cookies, tracking technologies and e-marketing. In the EU and UK, informed consent is required for the placement of certain cookies or similar tracking technologies on an individual's device and for direct electronic marketing. Consent is tightly defined and includes a prohibition on pre-checked consents and a requirement to obtain separate consents for each type of cookie or similar technology. Recent European court and regulator decisions are driving increased attention to cookies and similar tracking technologies.
In addition to the EU, a growing number of other global jurisdictions are considering or have passed legislation implementing data protection requirements, requiring local storage and processing of Personal Data, or imposing similar requirements that could increase the cost and complexity of delivering our platform, particularly as we expand our operations internationally. Some of these laws, such as the General Data Protection Law in Brazil or the Act on the Protection of Personal Information in Japan, impose obligations similar to those under the GDPR. Others, such as those in Russia, India and China, could potentially impose more stringent obligations, including data localization requirements.
We seek to comply with applicable laws, regulations, policies, legal obligations and industry standards and have developed privacy policies, data processing addenda and internal privacy procedures to reflect our practices designed to achieve such compliance. However, such laws, regulations, regulatory codes and guidelines are complex, may be inconsistent across jurisdictions or conflict with other rules, and their interpretation is rapidly evolving, making implementation and enforcement, and thus compliance requirements, ambiguous, uncertain and potentially inconsistent; there can therefore be no assurance that our policies and processes will be fully implemented, complied with or effective. For instance, laws in all fifty U.S. states and in a number of jurisdictions outside the United States (and sometimes contractual and/or other obligations) require notification of certain incidents to a number of third parties, such as impacted customers, regulators, credit reporting agencies or others, when certain information has been compromised as a result of a security breach. Compliance with such laws may require changes to our data collection, use, transfer, disclosure, other processing and certain other related business practices, and may thereby increase compliance costs or have other material adverse effects on our business. Further, any significant change in applicable laws, regulations or industry practices regarding the use or disclosure of Personal Data could require us to modify our platform, possibly in a material manner, and may limit our ability to develop new services and features that make use of Personal Data regarding our members and customers.
If we are unable to develop and offer features that meet legal requirements or help our members and customers meet their obligations under the laws or regulations relating to privacy, data protection, or information security, or if we violate or are perceived to violate any laws, regulations, or other obligations relating to privacy, data protection, or information security, we may experience reduced demand for our platform, harm to our reputation and become subject to investigations, claims and other remedies, which would expose us to significant fines, penalties and other damages, all of which would harm our business. Further, given the breadth and depth of changes in global data protection obligations, compliance has caused us to expend significant resources, and such expenditures are likely to continue into the future as we continue our compliance efforts and respond to new interpretations and enforcement actions.
In addition to laws relating to data privacy and security, we are subject to self-regulatory standards and industry certifications that may legally or contractually apply to us. These include the Payment Card Industry Data Security Standard ("PCI-DSS"), with which we are currently compliant. In the event that we fail to comply with the PCI-DSS, we could be in breach of our obligations under customer and other contracts, fines and other penalties could result, and we may suffer harm to our operations, financial performance, reputation and business. Further, our clients may expect us to comply with more stringent privacy and data security requirements than those imposed by laws, regulations or self-regulatory requirements, and we may be obligated contractually to comply with additional or different standards relating to our handling or protection of data on or by our offerings.