First Advantage (FA) Risk Analysis

Our intellectual property rights and other proprietary rights are important to our business, and our ability to compete and our success depend, in part, on obtaining, maintaining, protecting, and enforcing such rights. In particular, the technology solutions we have created to deliver screening solutions, automate and integrate our platforms with third-party human capital management and applicant tracking systems, and gather and process information from various data sources and suppliers are critical to the success of our business. We rely on a combination of patent, copyright, trademark, and trade secret laws, as well as licensing agreements, intellectual property assignment agreements, third-party nondisclosure agreements, and other confidentiality agreements with our employees, customers, vendors, partners, and others to protect our intellectual property rights. These protections may not be adequate to prevent our competitors from copying our products and solutions or otherwise infringing on, misappropriating, or violating our intellectual property rights, and we may need to devote significant additional resources and time to ensure our intellectual property rights are adequately protected, including by bringing litigation against third parties to enforce our intellectual property rights. We cannot guarantee that we will be successful in prevailing in any such matters, regardless of our expenditures and efforts. Our efforts to enforce our intellectual property and other proprietary rights may be met with defenses, counterclaims, and countersuits attacking the validity and enforceability of our intellectual property and other proprietary rights, and if such defenses, counterclaims, or countersuits are successful, it could diminish or we could otherwise lose valuable intellectual property and other proprietary rights. In addition, some of the laws in foreign markets in which we operate do not protect intellectual property and other proprietary rights to the same level of protection as do the laws of the United States, and the mechanisms for enforcement of intellectual property and other proprietary rights in such countries may be inadequate. In addition, our competitors and other third parties may also design around or independently develop similar technology or otherwise duplicate or mimic our products such that we would not be able to successfully assert our intellectual property or other proprietary rights against them. We cannot assure that any future patent, trademark, or service mark registrations will be issued for our pending or future applications or that any of our current or future patents, copyrights, trademarks, or service marks (whether registered or unregistered) will be valid, enforceable, sufficiently broad in scope, provide adequate protection of our intellectual property or other proprietary rights, or provide us with any competitive advantage. Furthermore, we may also be subject to claims of intellectual property infringement, misappropriation, or violation by third parties, including our competitors. Even if we are unaware of such rights, we may be found by courts to be infringing upon, misappropriating, or violating them. If successfully asserted against us or if we decide to settle such matters, we could be required to pay substantial damages or ongoing royalty payments, obtain licenses, which may not be available on commercially reasonable terms, or at all, modify our products and solutions (including our applications), or discontinue certain products. We may also be obligated to indemnify applicants, customers, vendors, or partners in connection with any such claim or litigation. Even if we prevail in a dispute, any litigation regarding intellectual property could be costly, time-consuming, and require the deployment of significant resources, and could result in lasting harm being done to our brand and reputation, results of operations or financial condition, or have other adverse consequences.

A quickly evolving legal and regulatory environment may cause us to incur increased research and development costs, or divert resources from other development efforts, to address social, ethical, and legal issues related to artificial intelligence and machine learning. We are increasingly building artificial intelligence and machine learning into many of our offerings and utilize data gathered from various sources in our services to train our machine-learning models. As with many cutting-edge innovations, artificial intelligence and machine learning present new risks and challenges, and existing laws and regulations may apply to us in new ways, the nature and extent of which are difficult to predict. The continuous development, maintenance and operation of our machine-learning models is expensive and complex, and may involve unforeseen difficulties including material performance problems, and undetected defects or errors with new machine-learning or other artificial intelligence capabilities. Some of those difficulties could arise from undetected or uncorrected inaccuracies or unrepresentative tendencies in the data. We may encounter technical obstacles, and it is possible that we may discover additional problems that prevent our machine-learning models from operating properly. If our machine-learning models do not function reliably, we may incorrectly process background checks or suffer extended processing times and other failures of our services, which could result in customer dissatisfaction. The risks and challenges presented by artificial intelligence and machine learning could undermine public confidence in artificial intelligence and machine learning which could slow its adoption and affect our business. Generally, machine-learning models use data about past decisions in a particular situation to create algorithms that make a new decision in a similar situation. If the past decisions on which our machine-learning models are based were affected by a disparate impact based on any legally prohibited classification (such as race or sex), then decisions made by our machine-learning models could have a similarly disparate impact. Consistently making decisions that result in disparate impact could subject us or our customers to legal or regulatory liability. In light of these risks and evolving concerns about the fairness of the effects of use of artificial intelligence, we expect there to be an increased focus on laws and regulations related to our business, because of the growing policy concerns with regard to the collection, use, accuracy, correction and sharing of personal information, and the use of algorithms, artificial intelligence and machine learning in business processes. Failure to adequately address these ethical, social, and legal issues that may arise with such use cases could negatively affect the adoption of our solutions and subject us to reputational harm, regulatory action, or legal liability, which may harm our financial condition and operating results.

We derive a portion of our revenues from sales to U.S. federal, state and local governmental and education customers and higher-tier contractors to governmental customers. Doing business with government entities and their higher-tier contractors presents a variety of risks in addition to those involved in sales to other customers. The procurement process for governments and their agencies is highly competitive, can be time-consuming, requires us to incur significant up-front time and expense, and subjects us to additional compliance risks and costs, without any assurance that we will win a contract. In certain jurisdictions, our ability to win business may be constrained by political and other factors unrelated to our competitive position in the market. Demand for our products and services may be affected by public sector budgetary cycles and changes in funding, including reduced, delayed, or unavailable funding or changed spending priorities in any given fiscal cycle, and extended federal government shutdowns, any of which could materially adversely affect demand for our products and services and could impact our ongoing government contracts if government funding for such projects is reduced or eliminated. We must comply with laws and regulations relating to government contracts, which affect how we do business with our customers and may result in additional costs to our business. Any failure to comply with applicable laws and regulations, including as a result of misconduct by employees, subcontractors, agents, suppliers, business partners and others working on our behalf, could result in contract termination, damage to our reputation, price or fee reductions or suspension or debarment from contracting with the government, each of which could materially adversely affect our business, financial condition and results of operations. Significant laws and regulations that affect sales to government entities and higher-tier contractors to governmental customers include: - federal, state and local laws and regulations regarding the formation, administration and performance of government contracts;- the federal Civil False Claims Act (and similar state and local false claims acts), which provides for substantial civil penalties for violations, including for submission of or causing the submission of a false or fraudulent claim to the U.S. government for payment or approval; and - federal, state, and local laws and regulations regarding procurement integrity, including gratuity, bribery and anti-corruption requirements as well as limitations on political contributions and lobbying. Further, entities providing services to governments are required to comply with a variety of complex laws, regulations and contractual provisions relating to the formation, administration, or performance of government contracts that give public sector customers substantial rights and remedies, many of which are not typically found in commercial contracts. These may include rights with respect to price protection, the accuracy of information provided to the government, contractor compliance with supplier equal opportunity, socio-economic and affirmative action policies and reporting requirements and other terms that are particular to government contracts. Federal, state and local governments routinely investigate and audit contractors for compliance with these requirements, and the qui tam provisions of the federal Civil False Claims Act (and similar state and local false claims acts) authorize a private person to file civil actions on behalf of the federal and state governments and retain a share of any recovery, which can include treble damages and civil penalties. If it is determined that we have failed to comply with these requirements, we may be subject to civil and criminal penalties and administrative sanctions, including termination of contracts, forfeiture of profits, costs associated with the triggering of price reduction clauses, fines and suspension or debarment from future government business, and we may suffer reputational damage. Further, the negative publicity that could arise from any such penalties, sanctions or findings could have a material adverse effect on our reputation and reduce our ability to compete for new contracts with both government and commercial customers. In addition, governmental customers and higher-tier contractors may have contractual, statutory or regulatory rights to modify without our consent or terminate current contracts with us for convenience (for any reason or no reason) or due to a default. If a contract is terminated for convenience, we may only be able to collect fees for products or services delivered prior to termination and settlement expenses. If a contract is terminated due to a default, we may be liable for excess costs incurred by the customer for procuring alternative products or services or be precluded from doing further business with government entities. Governmental customers and higher-tier contractors may also have broad intellectual property rights in products and data developed under our contracts. Compliance with complex regulations and contracting provisions in a variety of jurisdictions can be expensive and consume significant management resources. In addition, government entities may revise existing contract rules and regulations or adopt new contract rules and regulations at any time. Any of these changes could impair our ability to obtain new contracts or renew contracts under which we currently perform when those contracts are eligible for re-competition.

Demand for our products and solutions is subject to our customers' continual evaluation of their need for our products and solutions and is impacted by several factors, including their hiring and workforce needs, changing regulatory landscape, and budget availability. Demand for our offerings is also dependent on the size of our customers' operations. Our customers could reduce their operations for a variety of reasons, including general economic slowdown, divestitures and spin-offs, business model disruption, poor financial performance, or as a result of increasing workforce automation. Demand for drug screenings may decline as a result of evolving U.S. drug laws. For example, the legalization of cannabis in several U.S. states has led to a decrease in orders for marijuana screenings. Our revenues may be significantly reduced should our customers decide to downsize their screening programs or take such programs in-house.

We operate in an industry that involves the risk of negative publicity, especially relating to cybersecurity, privacy, and data protection, and adverse developments with respect to our industry may also, by association, negatively impact our reputation. For example, when information services companies are involved in high-profile events involving data theft, these events could result in increased legal and regulatory scrutiny, adverse publicity, and potential litigation concerning the commercial use of such information for our industry in general. If there is a perception that the practices of our business or our industry constitute an invasion of privacy, our business and results of operations may be negatively impacted. There have been and may continue to be perception issues, social stigmas, and negative media attention regarding the collection, use, accuracy, correction, and sharing of personal data, which could materially adversely affect our business, results of operations, and financial condition.

We are subject to evolving anti-corruption laws, economic and trade sanctions, and anti-money laundering rules in several jurisdictions in which we operate, including the U.S. FCPA and the U.K. Bribery Act. The evolution of this regulatory regime has generally brought about more aggressive investigations and enforcement, which, if targeted towards us, could materially adversely impact our business. We have policies and procedures in place to assist us with monitoring the evolution of these laws and ensuring our ongoing compliance. We are continuously in the process of reviewing, upgrading, and enhancing these protocols. However, we cannot guarantee that our employees, consultants, or agents will not take actions that amount to a violation of these laws and regulations for which we may be ultimately responsible or that our policies and procedures will be adequate in protecting us from liability. Further, our services agreements with several customers contain contractual provisions mandating our ongoing compliance with applicable anti-corruption, economic, and trade sanctions or anti-money laundering laws or regulations. If we are deemed to be in violation of any such rules, our business activities could be restricted or terminated. In addition, we could face civil and criminal penalties, including fines, which could damage our reputation and customer relationships and materially impact our results of operations or financial condition.

Our products and solutions are subject to various complex laws and regulations governing cybersecurity, privacy, and data protection on the federal, state, and local levels, and in foreign jurisdictions. The regulatory framework for privacy issues is rapidly evolving and is likely to remain uncertain and inconsistently enforced for the foreseeable future. Many federal, state, and foreign governmental bodies and agencies have adopted or are considering adopting laws and regulations regarding collecting, processing, handling, maintenance, storage, use, disclosure, sale, and transmission of personal and other sensitive information, including mandatory consumer notification should the unauthorized access of consumer information occur, and further expansion of requirements is possible. It is possible that these restrictions could limit our current or future service offerings, reduce our profitability, or otherwise materially and adversely affect our ability to conduct our business or to do so economically. Further, if our practices or products are perceived to violate applicable laws or regulations, we may be subject to increased scrutiny and public criticism, litigation, investigation, fines, and reputational harm, which could disrupt our business and expose us to liability. Given the nature of our business and the volume data processed in the ordinary course of our operations, it is possible for breaches to occur, whether intentionally from hackers or other third parties, or unintentionally, for example, if we inadvertently send or otherwise make available information to an unauthorized recipient. In the United States, we are subject to numerous federal and state laws governing the collection, processing, use, transmission, disclosure, and sale of personal data (which may also be referred to as personal information, personally identifiable information, and/or non-public personal information). For example, in California, the CCPA, provides for enhanced consumer protections for California residents, a private right of action for data breaches of certain personal information and statutory fines and damages for such data breaches or other CCPA violations, as well as a requirement of "reasonable" cybersecurity. Other states also have or are in the process of imposing similar privacy obligations. In addition, laws such as the Biometric Information Privacy Act in Illinois have also restricted the use of biometric information. These and other laws and regulations require us to continuously review our data processing practices and policies, may cause us to incur substantial costs with respect to compliance, and could require us to adapt our products and solutions, which may reduce their utility to our customers. Outside of the United States, we are subject to foreign rules and regulations. For example, we are subject to enhanced compliance and operational requirements under the GDPR, which expanded the scope of data protection in the European Union ("EU") to foreign companies who process the personal data of EU residents, imposed a strict data protection compliance regime with stringent penalties for noncompliance and included new rights for data subjects such as the "portability" of personal data. In particular, under the GDPR, fines of up to 20 million euros, or up to 4% of the annual global revenue of the noncompliant company, whichever is greater, could be imposed for violations of certain of the GDPR's requirements. If we were found to be in breach of the GDPR, or the UK's version of the GDPR, the potential penalties we might face could have a material adverse impact on our business, financial condition, results of operations, and cash flows. Compliance with the GDPR requires time and expense and may require us to make changes to our business operations. The effects of U.S. state, U.S. federal, local, and international laws and regulations that are currently in effect or that may go into effect in the future are significant and may require us to modify our data processing practices and policies, cease offering certain products and solutions, and incur substantial costs and potential liability in an effort to comply with such laws and regulations. Any actual or perceived failure to comply with these and other cybersecurity, privacy, and data protection laws and regulations could result in regulatory scrutiny or investigation and increased exposure to the risk of litigation or the imposition of consent orders, resolution agreements, requirements to take particular actions with respect to training, policies or other activities, and civil and criminal penalties, including fines, which could have an adverse effect on our business, results of operations, and financial condition. Moreover, allegations of non-compliance, whether or not true, could be costly, time-consuming, and distracting to management and cause reputational harm.

Our Global Operating Center in Bangalore, India provides critical support for our operations by processing screening requests, undertaking a manual review of records and verifications work, handling certain customer calls and interactions, and completing certain internal shared service support functions. We also have other important operational sites, including Fishers, Indiana; Atlanta, Georgia; Manila, Philippines; and Mumbai, India. If our operations at our Global Operating Center or such other sites are disrupted, even for a brief period of time, whether due to malevolent acts, defects, computer viruses, climate change, natural disasters such as earthquakes, fires, hurricanes or floods, power or telecommunications failures, or other external events beyond our control, it could result in interruptions in service to our customers, damage to our reputation, harm to our customer relationships, and reduced revenues and profitability. In addition, strikes, wars, terrorism, and other geopolitical unrest could cause disruptions in our business and lead to interruptions, delays, or loss of critical data. We may not have sufficient protection or recovery plans in certain circumstances, such as a significant natural disaster, and our business interruption insurance may be insufficient to compensate us for losses that occur. In the case of such an event, customers could elect to terminate our relationship, delay or withhold payment to us, or even make claims against us.

We rely extensively on data, information, and services provided by or derived from a variety of external sources, including our suppliers, customers, strategic partners, various public filings, credit bureaus, publicly available information, and government authorities. Our suppliers could at any point decline to continue providing data or provide untimely or inaccurate data. These data sources have in the past increased the costs for their services, and we expect they will continue to do so from time to time. It may not be possible for us to recover any or all of the costs of any increases in fees by passing such costs along to our customers. If we try to do so, it could have a negative impact on customer relationships. In addition, the increase in such costs could cause our customers to choose to forgo certain services, thereby reducing demand for our products and solutions. Our suppliers could also request or require us to enter into minimum order contracts with clawback enforcement provisions. Some suppliers, such as certain criminal data suppliers and drug testing laboratories and collection sites we use, are also owned or may in the future be acquired by one or more of our competitors, which could make us especially vulnerable to unforeseen price increases or outright declinations to continue our relationships. Because our agreements with third-party data providers are generally non-exclusive, we are subject to the risk they may choose to enter into an exclusive arrangement with one of our competitors or maintain an exclusive proprietary database that is not shared with us. These risks could be exacerbated if our customers request we engage with a particular provider for their orders. We cannot guarantee that we will be able to identify and engage replacement providers on acceptable terms or obtain data from alternative sources in the event our suppliers are no longer able or are unwilling to provide us with certain data or services. If we were to lose access to external data or if our access or use were restricted or were to become less economical or desirable, our ability to timely complete requested services and products at a level of quality acceptable to our customers could be negatively impacted, which could adversely affect our business, results of operations and financial condition. Data collection and verification by screening providers is dependent on access to databases run by government and law enforcement agencies, including the FBI, state, and federal courthouses, and records systems. If we were to lose or face diminished access to one or more of these data sources, or if government personnel were unable or unwilling to access these data sources on our behalf, our operations could be negatively impacted, and our sales could suffer. Such interruptions could result from government shutdowns or slowdowns, changing laws and regulations, or natural disasters such as earthquakes, hurricanes, or floods. The inability to access or a delay in accessing essential information could result in lengthened and unsatisfactory turnaround times or our inability to offer certain of our products and solutions.