Global Business Travel Group (GBTG) Risk Analysis

The travel industry is subject to changing client preferences and demands relating to travel and travel-related services, including in response to constant and rapid technological change. If we are unable to develop or enhance technology in response to such changes, products or technologies offered or developed by our competitors may render our services less attractive to travelers. Our ability to provide best-in-class service to our travelers depends upon the use of sophisticated information technologies and systems, including technologies and systems used for reservation systems, communications, procurement and administrative systems. As our operations grow in both size and scope, we continuously need to improve and upgrade our systems and infrastructure to offer and provide support for an increasing number of travelers and travel providers enhanced products, services, features and functionality, while maintaining the reliability and integrity of our systems and infrastructure. We may fail to effectively scale and grow our systems and infrastructure to accommodate these increased demands. Further, our systems and infrastructure may not be adequately designed with the necessary reliability and redundancy to avoid performance delays or outages that could be harmful to our business, or could contain errors, bugs or vulnerabilities. Our future success also depends on our ability to understand, adapt and respond to rapidly changing technologies in the travel industry that will allow us to address evolving industry standards and to improve the breadth, diversity and reliability of our services in a cost effective manner. For example, technological platforms that include the use of Large Language Models and Artificial Intelligence to analyze known traveler data and preferences in a highly efficient manner to develop a tailored travel plan are being developed. As they are in the early stages, we must understand and respond to the potential impacts and opportunities of such technology. We may not be successful, or may be less successful than our current or new competitors, in developing such technology, which would negatively impact our business and financial performance. If we are not able to maintain existing systems, obtain new technologies and systems, or replace or introduce new technologies and systems as quickly as our competitors or in a cost-effective manner, our business and operations could be materially adversely affected. Also, we may not achieve the benefits anticipated or required from any new technology or system or be able to devote financial resources to new technologies and systems in the future.

We are, and in the future, may be, subject to legal proceedings in the course of our business, including, but not limited to, actions relating to contract disputes, business practices, intellectual property and other commercial and tax matters. Such legal proceedings may involve claims for substantial amounts of money or for other relief or might necessitate changes to our business or operations, and the defense of such actions may be both time consuming and expensive. Further, if any such proceedings were to result in an unfavorable outcome, it could result in reputational damage and have a material adverse effect on our business, financial position and results of operations. Insurance may not cover such claims, may not provide sufficient payments to cover all of the costs to resolve one or more such claims and may not continue to be available on terms acceptable to us.

We are a multinational group and as such are subject to a variety of taxes in the United States and other jurisdictions where we operate. Tax laws and tax rates for income and other taxes in these jurisdictions may be subject to significant change as a result of the political and economic environment. Significant judgment is required in determining our worldwide provision for income taxes and our effective tax rate may change from year to year depending on a variety of factors including the mix of activities and income allocated or earned among various jurisdictions, the operation of tax laws in these jurisdictions, tax treaties between countries, our eligibility for benefits under those tax treaties, changes in uncertain tax provisions and the estimated values of deferred tax assets and liabilities. Such changes could result in an increase in the effective tax rate applicable to all or a portion of our income which would reduce our profitability. In the ordinary course of our business, our tax returns for both income and non-income taxes are routinely subject to audit and adjustment by local tax authorities. Uncertain tax positions for income taxes and non-income tax reserves are evaluated on a quarterly basis in light of all current facts and circumstances. Although we believe our tax estimates are reasonable, the amount could change as a result of changes in facts and circumstances, changes in tax law, new audit activity and effectively settled issues under audit. The interpretation of tax laws and the determination of any potential liability can be subject to different interpretations, and therefore the amount of our liability may exceed our established reserves. Additionally, our tax positions could be adversely impacted by changes to tax laws, tax treaties, or tax regulations or the interpretation or enforcement thereof by any tax authority in which we file income tax returns, particularly in the United States and United Kingdom. We cannot predict the outcome of any specific legislative proposals. Global taxing standards continue to evolve as a result of the Organization for Economic Co-Operation and Development ("OECD") recommendations aimed at preventing perceived base erosion and profit shifting ("BEPS") by multinational corporations. While these recommendations do not change tax law, the countries where we operate may implement legislation or take unilateral actions which may result in adverse effects to our income tax provision and financial statements. Under the BEPS measures many jurisdictions are introducing or have already introduced anti-hybrid legislation which aims to neutralize the effect of a mismatch in the tax treatment between one jurisdiction and another. While aimed at deliberate tax avoidance, the application of the rules is broad and can affect multi-national groups such as ours with significant U.S. ownership. The effect of this legislation was not material in the periods presented, however we are continuing to monitor and assess any future impacts. Current developments in tax legislation globally also mean that despite us having significant net operating losses ("NOLs"), the rate of monetization of these NOLs is likely to be affected. Furthermore, many tax authorities limit the utilization of NOLs to a percentage of current year taxable income (typically in the range of 50%-80%). This can result in cash tax outflows in years of profit even where significant NOLs exist.

In our processing of travel transactions, we or our travel suppliers and third-party service providers collect, use, analyze and transmit a large volume of personal information. There are numerous laws with a significant impact on our operations regarding privacy, cybersecurity and the storage, sharing, use, analysis, processing, transfer, disclosure and protection of personal information and consumer data, the scope of which are changing, subject to differing interpretations, and may be inconsistent between states within a country or between countries. For example, the GDPR has resulted and will continue to result in significantly greater compliance burdens and costs for companies with users and operations in the EU. The GDPR imposes numerous technical and operational obligations on processors and controllers of personal data and provides numerous protections for individuals in the EU, including, but not limited to, notification requirements for data breaches, the right to access personal information and the right to delete personal information. The GDPR provides data protection authorities with enforcement powers which include the ability to restrict processing activities and impose fines of up to 20 million Euros or up to 4% of the annual global revenues of the infringer, whichever is greater. In addition, the GDPR imposes strict rules on the transfer of personal data out of the EU to a "third country," including the United States. These obligations may be interpreted and applied in a manner that is inconsistent from one jurisdiction to another and may conflict with other requirements or our practices. We were awarded the Binding Corporate Rules which govern inter-company international data transfers that are intended to achieve compliance with such data transfer rules by the Dutch Data Protection Authority in January 2024 and are currently implementing them as we transition away from American Express's Binding Corporate Rules instance. The Binding Corporate Rules continue to be a compliant means of international transfers of data following the Schrems II ruling in 2021. The UK GDPR is the retained EU law version of the GDPR, following the United Kingdom's exit from the EU. The UK Data Protection Act, effective in May 2018 and amended in 2019, contains provisions, including its own derogations, for how the GDPR is applied in the United Kingdom ("UK Data Protection Act") and was enacted alongside the UK GDPR. From the beginning of 2021 (when the transitional period following Brexit expired), we have been required to continue to comply with GDPR and also the UK Data Protection Act and the UK GDPR, under which the applicable entities may be subject to fines for non-compliance that are of the same amount as provided for in the GDPR. On June 28, 2021, the EU approved adequacy decisions for the EU GDPR and the Law Enforcement Directive (LED). This means that in the majority of circumstances, data can continue to flow from the EU and the EEA to the United Kingdom without the need for additional safeguards. Both decisions are expected to last until June 27, 2025. It is expected that the European Commission in 2024 will commence work to determine whether or not to extend the adequacy decisions for the United Kingdom for a further period up to a maximum of four years. For completeness, the UK government has stated that transfers of data from the United King to the EEA in most cases are permitted to continue without change. It says it will keep this under review. Further, we are subject to evolving laws and regulations that dictate whether, how, and under what circumstances we can transfer, process and/or receive personal data. For example, in July 2020, the Court of Justice of the European Union ("CJEU") invalidated the "EU-US Privacy Shield," a framework for transfers of personal data from the European Economic Area to the United States. While the same CJEU decision considered and left intact the Standard Contractual Clauses ("SCCs"), another mechanism to safeguard data transfers from the EU to third countries, including the United States, reliance on SCCs is subject to enhanced due diligence on the data importer's national laws, according to the CJEU. Additional measures may have to accompany the SCCs for a transfer to be compliant. If a new transatlantic data transfer framework is not adopted and we are unable to continue to rely on SCCs or validly rely upon other alternative means of data transfers from the European Economic Area or the United Kingdom to the United States and other countries where safeguards for transfers of personal data are required under the GDPR (and UK GDPR), we may be unable to operate material portions of our business in the European Economic Area or the United Kingdom as a result of the CJEU's ruling and related guidance of competent European and national agencies, which would materially and adversely affect our business, financial condition, and results of operations. Additionally, if we are restricted from sharing data among our products and services, or if we are restricted from sharing data with our travel suppliers and third-party service providers, it could affect our ability to provide our services or the manner in which we provide our services. Our current data transfer practices may also be more closely reviewed by supervisory authorities and could become subject to private actions. In the United States, the California Consumer Privacy Act ("CCPA") limits how we may collect and use personal information, including by requiring companies that process information relating to California residents to make disclosures to consumers about their data collection, use and sharing practices, provide consumers with rights to know and delete personal information and allow consumers to opt out of certain data sharing with third parties. The CCPA also creates an expanded definition of personal information, imposes special rules on the collection of consumer data from minors, and provides for civil penalties for violations, as well as a private right of action for data breaches that is expected to increase the likelihood and cost of data breach litigation. Further, the California Privacy Rights Act ("CPRA"), which took effect in January 2023, creates certain additional rights for California residents. For example, the CPRA creates the new category of "sensitive personal information," which covers data types such as precise geolocation information, biometric information, race and ethnicity, and information regarding sex life or sexual orientation. The CPRA also creates new rights for California residents to direct a business to limit the use and disclosure of such information to that which is necessary to perform the services reasonably expected by the consumer and to request that a company correct inaccurate personal information that is retained by the company. The Virginia Consumer Data Protection Act, which took effect in January 2023, gives new data protection rights to Virginia residents and imposes additional obligations on controllers and processors of consumer data similar to the CCPA and CPRA. A number of other U.S. states have recently signed into law or are considering legislation governing the handling of personal data, indicating a trend toward more stringent privacy legislation in the United States. In addition to the existing framework of data privacy laws and regulations, the U.S. Congress, U.S. state legislatures and many states and countries outside the United States are considering new privacy and security requirements that would apply to our business. Compliance with current or future privacy, cybersecurity, data protection, data governance, account access and information and cybersecurity laws requires ongoing investment in systems, policies and personnel and will continue to impact our business in the future by increasing our legal, operational and compliance costs and could significantly curtail our collection, use, analysis, sharing, retention and safeguarding of personal information and restrict our ability to fully maximize our closed-loop capability, deploy data analytics or AI technology or provide certain products and services, which could materially and adversely affect our profitability. We or our third-party service providers could be adversely affected if legislation or regulations are expanded to require changes in our or our third-party service providers' business practices or if governing jurisdictions interpret or implement their legislation or regulations in ways that negatively affect our or our third-party service providers' business, results of operations or financial condition. As a merchant that processes and accepts cards for payment, we have adopted and implemented internal controls over the use, storage and security of card data pursuant to the Payment Card Industry Data Security Standards ("PCI-DSS"). We assess our compliance with the PCI-DSS rules on a periodic basis and make necessary improvements to our internal controls. If we fail to comply with these rules or requirements, we may be liable for card issuing banks' costs, subject to fines and higher transaction fees, and lose our ability to accept credit and debit card payments from our clients, or facilitate other types of online payments, and our business and operating results could be adversely affected. For existing and future payment options we offer to both our business clients and travel suppliers, we may become subject to additional regulations and compliance requirements, such as the EU Payment Services Directive or local tokenization requirements including obligations to implement enhanced authentication processes, which could result in significant costs to us and our travel suppliers and reduce the ease of use of our payments options. While we have taken steps to comply with privacy, cybersecurity, data protection, data governance, account access and information and cybersecurity laws and PCI-DSS, any failure or perceived failure by us, our third-party service providers, our independent travel advisors or our partners or affiliates to comply with the privacy policies, privacy- or cybersecurity-related obligations to travelers or other third parties, or privacy- or cybersecurity-related legal obligations could result in potentially significant regulatory and/or governmental investigations and/or actions, litigation, fines, sanctions, monetary penalties and damages, ongoing regulatory monitoring and increased regulatory scrutiny, client attrition, diversion of management's time and attention, decreases in the use or acceptance of our cards and damage to our reputation and our brand, all of which could have a material adverse effect on our business and financial performance. In recent years, there has been increasing regulatory enforcement and litigation activity in the areas of privacy, data protection and information and cybersecurity in the United States, the EU and various other countries in which we operate.

The travel industry, and the business travel services industry, are highly competitive, and if we cannot compete effectively against the number and type of sellers of travel-related services, we may lose sales to our competitors, which may adversely affect our financial results and performance. We currently compete, and will continue to compete, with a variety of travel and travel-related companies, including other business travel management service providers, consumer travel agencies and emerging and established online travel agencies. We also compete with travel suppliers, such as airlines and hotels, where they market their products and services directly to business travelers through their platforms to book and fulfill travel, including by offering more favorable rates, exclusive products and services and loyalty points to business travelers who purchase directly from such travel suppliers ("B2C"). B2C may include business travelers who purchase travel outside of a company-sponsored and managed channel, or whose companies do not have such a channel. We compete, to a lesser extent, with credit card loyalty programs, online travel search and price comparison services, facilitators of alternative accommodations such as short-term home or condominium rentals and social media and e-commerce websites. Some of our competitors may have access to more financial resources, greater name recognition and better established client bases in their target client segments, differentiated business models, technology and other capabilities or a differentiated geographic coverage, which may make it difficult for us and our Network Partners to retain or attract new clients. We cannot guarantee that we will be able to compete successfully against any current, emerging and future competitors or provide sufficiently differentiated products and services to our client and traveler base. Increasing competition from current and emerging competitors, consolidation of our competitors, the introduction of new technologies and the continued expansion of existing technologies may force us to make changes to our business models, which could materially and adversely affect our business, financial condition, results of operations and prospects. If we cannot compete effectively against the number and type of sellers of travel-related services, we may lose sales to our competitors, which may adversely affect our financial results and performance.

Some of our travel suppliers, including some of the largest airlines, have sought to increase usage of direct distribution channels. For example, these travel suppliers are trying to move more client traffic to their proprietary websites. This direct distribution trend enables them to apply pricing pressure on intermediaries and negotiate travel distribution arrangements that are less favorable to intermediaries. With travel suppliers' adoption of certain technology solutions over the last decade, air travel suppliers have increased the proportion of direct bookings relative to indirect bookings. In the future, airlines may increase their use of direct distribution, which may cause a material decrease in their use of our services. Travel suppliers may also offer travelers advantages through their websites such as special fares and bonus miles, which could make their offerings more attractive than those available from us. The possible loss of content (e.g., certain fares, including net fares and NDC content, and availability) from our travel suppliers would also negatively impact us. In addition, with respect to ancillary products, travel suppliers may choose not to comply with the technical standards that would allow ancillary products to be immediately distributed via intermediaries, thus resulting in a delay before these products become available through us relative to availability through direct distribution. In addition, if enough travel suppliers choose not to develop ancillary products in a standardized way with respect to technical standards our investment in adapting our various systems to enable the sale of ancillary products may not be successful. Companies with close relationships with end clients, like Facebook, as well as new entrants introducing new paradigms into the travel industry, such as metasearch engines like Google, may promote alternative distribution channels by diverting client traffic away from intermediaries and travel agents, which may adversely affect our business, financial condition and results of operations.

The global travel industry, and as a result, our business and financial performance, are affected by macroeconomic conditions. Travel expenditures are sensitive to personal and business-related discretionary spending levels and tend to decline or grow more slowly during economic downturns, including during periods of slow, slowing or negative economic growth, higher unemployment or inflation rates, weakening currencies and concerns over government responses such as higher taxes or tariffs, increased interest rates and reduced government spending. Concerns over government responses to declining economic conditions such as higher taxes and reduced government spending could impair consumer and business spending and have an adverse effect on travel demand. In addition, our relative exposure to certain sectors compared to the broader economy may mitigate or exacerbate the effect of macroeconomic conditions. The global travel industry, which historically has grown at a rate in excess of global GDP growth during economic expansions, has experienced cyclical downturns in the past in times of economic decline or uncertainty. Future adverse economic developments in areas such as employment levels, business conditions, interest rates, tax rates, environmental impacts, fuel and energy costs and other matters could reduce discretionary spending and cause the travel industry to contract. Other macroeconomic uncertainties beyond our control, such as oil prices, geopolitical tensions, consumer confidence, large-scale business failures, tightened credit markets and stock market volatility, terrorist attacks, changing, unusual or extreme weather or natural disasters such as earthquakes, hurricanes, tsunamis, floods, fires, droughts and volcanic eruptions (whether due to climate change or otherwise), travel-related health concerns including pandemics and epidemics such as COVID-19 and any existing or new variants, Ebola and Zika, political instability, changes in economic conditions, wars and regional and international hostilities, such as Russia's invasion of Ukraine and the ongoing conflicts in the Middle-East, emerging tensions between China and Taiwan, the imposition of taxes, tariffs or surcharges by regulatory authorities, changes in trade policies or trade disputes, changes in immigration policies or other travel restrictions or travel-related accidents have previously and may in the future create volatility in the travel market and negatively impact client travel behavior. In addition, an increased focus on the environmental impact of travel could also affect the travel market and travel behavior due to the rise of sustainability regulations. While we strive to promote our and our clients' mutual commitment to a more sustainable future for business travel, if we are unable to find economically viable and/or publicly acceptable solutions that allow us to maintain our commitment to sustainability and net-zero emissions, we could lose business or experience reputational harm. As an intermediary in the travel industry, a significant portion of our revenue is affected by prices charged by our travel suppliers, including airlines, hotels and car rental companies. Events or weaknesses specific to a supplier industry segment could negatively affect our business. For example, events specific to the airline industry that could impact us include air fare fluctuations, airport, airspace and landing fee increases, increases in fuel prices, environmental impacts, seat capacity constraints, removal of destinations or flight routes, travel-related strikes or labor unrest, political instability and wars. Similarly, travel suppliers often face destination overcapacity issues and imposition of taxes or surcharges by regulatory authorities, which can lower their travel volumes and impact our revenue. During periods of poor economic conditions, airlines and hotels tend to reduce rates or offer discounted sales to stimulate demand, thereby reducing our commission-based income. A slowdown in economic conditions, macroeconomic volatility, inflationary pressures and fuel and energy cost volatility that result in the bankruptcy of travel suppliers or otherwise cause them to cease or limit their operations, may also result in a decrease in transaction volumes and have an adverse effect on our business and results of operations. While decreases in prices for flights and other travel products generally increase demand, such price decreases generally also have a negative effect on the commissions and other financial incentives we earn. The overall effect of price increases or decreases in the global travel industry is therefore uncertain. The uncertainty of macroeconomic factors and their impact on client behavior, which may differ across regions, makes it more difficult to forecast industry and client trends and the timing and degree of their impact on our markets and business, which in turn could adversely affect our ability to effectively manage our business and could materially and adversely affect our business, financial condition and results of operations.

We have operations in over 31 countries worldwide, including the United States, United Kingdom, Canada, Germany, Mexico, China and France, and we indirectly provide services to travelers worldwide through our partners and affiliates. Our international operations can pose complex management, compliance, foreign currency, legal, tax, labor, data privacy and economic risks that we may not adequately address, including changes in the priorities and budgets of international travelers and geopolitical uncertainties, which may be driven by changes in threat environments and potentially volatile worldwide economic conditions, various regional and local economic and political factors, risks and uncertainties, as well as U.S. foreign policy. We are also subject to a number of other risks with respect to our international operations, including: - the absence in some jurisdictions of effective laws to protect our intellectual property rights;- multiple and possibly overlapping and conflicting tax laws;- duties, taxes or government royalties, including the imposition or increase of withholding and other taxes on the activities of, and remittances and other payments by, our non-U.S. subsidiaries;- restrictions on movement of cash;- the burden of complying with a variety of national and local laws and regulations;- political, economic and social instability, including as a result of the war in Ukraine and the conflicts in the Middle East, along with any other geopolitical conflicts including emerging tensions between China and Taiwan;- currency fluctuations;- longer payment cycles;- price controls or restrictions on exchange of foreign currencies;- trade barriers; and - potential travel restrictions. The existence of any one of these risks could harm our international business and, consequently, our operating results. Additionally, operating in international markets requires significant management attention and financial resources and may negatively affect our business and financial results.

Governments, investors, customers, employees and other stakeholders are increasingly focusing on climate change and sustainability-related matters, including corporate ESG practices and disclosures, and expectations in this area are rapidly evolving. Changes in consumer and corporate preferences, travel patterns and legal requirements could impact our revenues or expenses or otherwise adversely affect our business, and/or our customers and partners. We occasionally announce new initiatives, including goals, under our ESG framework. This framework is aligned with our areas of interest as a purpose led company and includes environment and sustainability, social impact, diversity, equity and inclusion, effective governance and supply chain management, among others. The criteria by which our ESG practices are assessed may change due to the quickly evolving landscape, which could result in greater expectations of us and may cause us to undertake costly initiatives to satisfy such new criteria. Moreover, the increasing attention to corporate ESG initiatives could also result in reduced demand for travel related products, reduced profits and increased regulatory examinations, investigations and potential litigation. If we are unable to satisfy such new criteria, investors may conclude that our policies and/or actions with respect to ESG matters are inadequate. If we fail or are perceived to have failed to achieve previously announced initiatives or goals or to accurately disclose our progress on such initiatives or goals, our reputation, business, financial condition and results of operations could be adversely impacted.

Our functional and reporting currency is U.S. dollars and as a result, our consolidated financial statements are reported in U.S. dollars. We have acquired, and may in the future acquire, businesses that denominate their financial information in a currency other than the U.S. dollar and/or conduct operations or make sales in currencies other than U.S. dollars. When consolidating a business that has functional currency other than U.S. dollars, we will be required to translate the balance sheet and operational results of such business into U.S. dollars. As a result, changes in exchange rates between U.S. dollars and other currencies could lead to significant changes in our reported financial results from period to period. We currently do not engage in foreign currency hedging activities and although we may seek to manage our foreign exchange exposure, including by active use of hedging and derivative instruments, we cannot assure you that such arrangements will be entered into or available at all times when we wish to use them or that they will be sufficient to cover the risk.