Gen Digital (GEN) Risk Analysis

Under the terms of our agreement with Zero Hash, we are not directly involved in any digital asset transactions or the exchange of fiat funds for digital asset at or through Zero Hash, and therefore, we do not currently expect to be subject to money services business, money transmitter licensing or other licensing or regulatory requirements specific to transactions relating to virtual currencies. However, state and federal regulatory frameworks around virtual currencies, including digital assets, continue to evolve and are subject to interpretation and change, which may subject us to additional licensing and other requirements. The Zero Hash entities are registered as money services businesses with FinCEN and hold active money transmitter licenses (or the state equivalent of such licenses) in all U.S. states and the District of Columbia except for (i) California and Hawaii, where Zero Hash relies upon licensing exemptions; and (ii) Montana, which does not currently have a money transmitter licensing requirement. The Zero Hash entities currently engage in digital asset activities in all U.S. states and the District of Columbia. Zero Hash is the custodian of all customer digital assets. It uses both multi-party computation (i.e., "warm") and cold omnibus wallets, generally on a per asset basis, and Zero Hash holds an inventory of digital assets in omnibus wallets for the purpose of providing customers instant access to purchased digital assets. Zero Hash has a custodial agreement with Coinbase Trust Company, LLC, which is based in the State of New York, for the provision of cold wallet storage and related services. As we are not directly involved in the custody, trading or pricing of any digital assets and, instead, enable Zero Hash to offer its digital asset services to MoneyLion Crypto customers, we do not maintain insurance policies covering the digital assets in which MoneyLion Crypto customers transact. In addition, our agreement with Zero Hash does not require Zero Hash to indemnify us or MoneyLion Crypto customers for any risk of loss related to customers' underlying digital assets, nor does it require Zero Hash to maintain an insurance policy with respect to the digital assets of MoneyLion Crypto customers custodied with Zero Hash. Zero Hash does not maintain separate insurance coverage for any risk of loss with respect to the digital assets that they custody on behalf of customers. As a result, customers who purchase digital assets through MoneyLion Crypto may suffer losses with respect to their digital assets that are not covered by insurance and for which no person is liable for damages and may have limited rights of legal recourse in the event of such loss. In the case of virtual currencies, state regulators such as the NYSDFS have created regulatory frameworks. For example, in July 2014, the NYSDFS proposed the first U.S. regulatory framework for licensing participants in digital asset business activity. The regulations, known as the "BitLicense" (23 NYCRR Part 200), are intended to focus on consumer protection. The NYSDFS issued its final BitLicense regulatory framework in June 2015. The BitLicense regulates the conduct of businesses that are involved in virtual currencies in New York or with New York consumers and prohibits any person or entity involved in such activity from conducting such activities without a license. Zero Hash LLC has received a BitLicense and is approved to conduct digital asset business activity in New York by the NYSDFS. Other states, such as Louisiana and California, have and may in future adopt similar statutes and regulations which will require us or our partners to obtain a license to conduct digital asset activities. Other states, such as Texas, have published guidance on how their existing regulatory regimes governing money transmitters apply to virtual currencies. Some states, such as Alabama, North Carolina and Washington, have amended their state's statutes to include virtual currencies in existing licensing regimes, while others have interpreted their existing statutes as requiring a money transmitter license to conduct certain digital asset business activities. It is likely that, as blockchain technologies and the use of virtual currencies continues to grow, additional states will take steps to monitor the developing industry and may require us or our regulated partners to obtain additional licenses in connection with our digital asset activity.

We are a multinational company dual headquartered in the U.S. and the Czech Republic, with our principal executive offices in Tempe, Arizona. As such, we are subject to tax in multiple U.S. and international tax jurisdictions. Our effective tax rate could be adversely affected by several factors, many of which are outside of our control, including: - Changes to the U.S. federal income tax laws, including the recent changes due to the One Big Beautiful Bill Act, and the potential for additional future federal tax law changes put forward by Congress including potentially increased corporate tax rates, new minimum taxes and other changes to the way that our U.S. tax liability has previously been calculated following the 2017 Tax Cuts and Jobs Act. Such recent and potential changes could have significant retroactive adjustments adding cash tax payments/liabilities if adopted;- Changes to other tax laws, regulations, and interpretations in multiple jurisdictions in which we operate. The Organisation for Economic Co-operation and Development ("OECD") has proposed certain tax reforms, which, among other things, (1) shift taxing rights to the jurisdiction of the consumer ("Pillar One") and (2) establish a global minimum tax rate of 15% for multinational companies ("Pillar Two"). Ireland, Czech Republic and certain jurisdictions in which we operate have enacted legislation to implement Pillar Two and other countries are actively considering changes to their tax laws to adopt certain parts of the OECD's proposals. Additionally, on June 28, 2025, the G7 released a joint statement that it had reached an understanding with the United States for a side-by-side system based on certain accepted principles, including that U.S.-parented groups would be exempt from certain provisions of Pillar Two. Additionally, several countries have proposed or adopted digital services taxes on revenue earned by multinational companies from the provision of certain digital services, regardless of physical presence. We continue to assess the overall impact of potential changes as developments occur, consistent with our practice to monitor all changes in tax laws, and will reflect the impact of such legislative changes in future financial statements as appropriate;- Changes in the relative proportions of revenues and income before taxes in the various jurisdictions in which we operate that have differing statutory tax rates;- Changes in the valuation of deferred tax assets and liabilities and the discovery of new information in the course of our tax return preparation process;- The ultimate determination of our taxes owed in any of these jurisdictions is for an amount in excess of the tax provision we have recorded or reserved for;- The tax effects of, and tax planning and changes in tax rates related to significant infrequently occurring events (including acquisitions, divestitures and restructurings) that may cause fluctuations between reporting periods;- Tax assessments, or any related tax interest or penalties, that could significantly affect our income tax expense for the period in which the settlements take place; and - Taxes arising in connection to changes in our workforce, corporate and legal entity structure or operations as they relate to tax incentives and tax rates. From time to time, we receive notices that a tax authority in a particular jurisdiction believes that we owe a greater amount of tax than we have reported to such authority and we are consequently subject to tax audits. These audits can involve complex issues, which may require an extended period of time to resolve and can be highly judgmental. Additionally, our ability to recognize the financial statement benefit of tax refund claims is subject to change based on a number of factors, including but not limited to, changes in facts and circumstances, changes in tax laws, correspondence with tax authorities, and the results of tax audits and related proceedings, which may take several years or more to resolve. We ultimately sometimes have to engage in litigation to achieve the results reflected in our tax estimates, and such litigation can be time consuming and expensive. If the ultimate determination of our taxes owed in any of these jurisdictions is for an amount in excess of the tax provision we have recorded or reserved for, our operating results, cash flows, and financial condition could be materially and adversely affected.

In connection with the operation of our business, particularly in relation to our identity and information protection service and financial technology offerings, we collect, use, process, store, transmit or disclose (collectively, process) an increasingly large amount of confidential information, including personal information (which includes credit card information and other critical data) from employees and customers in multiple jurisdictions. The confidential and personal information we process is subject to an increasing number of federal, state, local and foreign laws regarding privacy, data security and the collection, and handling of PII and sensitive data, as well as contractual commitments, and this regulatory framework is rapidly evolving and likely to remain uncertain for the foreseeable future. For example, at the federal level, the GLBA (along with its implementing regulations) requires disclosures to consumers about our handling of their nonpublic personal information and empowers consumers to place restrictions on, or opt out of, our sharing nonpublic personal information with affiliated and nonaffiliated third parties for various purposes. Additionally, our investment adviser, ML Wealth, and broker-dealer, MoneyLion Securities LLC, are subject to SEC Regulation S-P, which requires that covered institutions maintain certain policies and procedures addressing the protection of consumer information and records. At the state level, the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 (CCPA) requires certain companies that collect, use, retain, share or sell personal information relating to California consumers to make disclosures to such consumers about their data collection, use, sharing and selling practices, provide such consumers with rights to know, correct and delete personal information relating to them, allow such consumers to opt out of the sale of their personal information or the use of their personal data for cross-context behavioral advertising or automated decision making, and provide such consumers with the right to limit the use and disclosure of certain of their sensitive personal information, all of which could impact our business. The CCPA provides for civil penalties for violations, as well as provides a private right of action for certain data breaches that result in the loss of personal information of California consumers. It remains unclear how various provisions of the CCPA and its regulations will be interpreted and enforced. In addition, other U.S. states have enacted comprehensive privacy laws and regulations providing data privacy rights to their respective residents that could impact our business, which laws may lead other U.S. states or even the U.S. Congress to pass comparable legislation. These new laws may result in additional uncertainty and require us to incur additional costs and expenses in our effort to comply. Additionally, the Federal Trade Commission (the FTC) and many state attorneys general are interpreting federal and state consumer protection laws to impose standards for the online collection, use, dissemination, and security of data. The burdens imposed by the new state privacy laws and other similar laws that may be enacted at the federal and state level may require us to modify our data processing practices and policies, adapt our goods and services and incur substantial expenditures in order to comply. Any failure or perceived failure by us to comply with such obligations has previously and may in the future result in governmental enforcement actions, fines, litigation (including class actions) or public statements against us by consumer advocacy groups or others and could cause our customers to lose trust in us, which could have an adverse effect on our reputation and business. Global privacy and data protection legislation and enforcement are rapidly expanding and evolving, and may be inconsistent from jurisdiction to jurisdiction. We may be or become subject to data localization laws mandating that data collected in a foreign country be processed and stored only or primarily within that country, which may require us to expand our data storage facilities there or build new ones in order to comply. The expenditure this would require, as well as costs of compliance generally, could harm our financial condition. Additionally, changes to applicable privacy or data security laws could impact how we process personal information and therefore limit the effectiveness of our solutions or our ability to develop new solutions. Because the interpretation and application of many privacy and data protection laws is uncertain, it is possible that these laws may be interpreted and applied in a manner that is inconsistent with our existing data management practices or the features of our products and services and platform capabilities. If so, in addition to the possibility of fines, lawsuits, regulatory investigations, government actions, consumer and merchant actions, and other claims, we could be required to fundamentally change our business activities and practices or modify our platform, which could have an adverse effect on our business. Any violations or perceived violations of these laws, rules and regulations by us, or any third parties with which we do business, may require us to change our business practices or operational structure, including limiting our activities in certain states and/or jurisdictions, addressing legal claims by governmental entities or private actors, sustaining monetary penalties, sustaining reputational damage, expending substantial costs, time and other resources and/or sustaining other harms to our business. Furthermore, our online, external-facing privacy policy and website make certain statements regarding our privacy, information security and data security practices with regard to information collected from our consumers or visitors to our website. Failure or perceived failure to adhere to such practices may result in regulatory scrutiny and investigation, complaints by affected consumers or visitors to our website, reputational damage and/or other harm to our business. If either we, or the third-party partners, service providers or vendors with which we share consumer data, are unable to address privacy concerns, even if unfounded, or to comply with applicable privacy or data protection laws, regulations and policies, it could result in additional costs and liability to us, damage our reputation, inhibit sales and harm our business, financial condition, results of operations and cash flows.

Third parties have claimed and, from time to time, additional third parties may claim that we have infringed their intellectual property rights, including claims regarding patents, copyrights and trademarks. For additional information on such claims, please refer to Note 18 of the Notes to the Condensed Consolidated Financial Statements included in this Quarterly Report on Form 10-Q. Because of constant technological change in the segments in which we compete, the extensive patent coverage of existing technologies, and the rapid rate of issuance of new patents, it is possible that the number of these claims may grow. In addition, former employers of our former, current or future employees may assert claims that such employees have improperly disclosed to us confidential or proprietary information of these former employers. Any such claim, with or without merit, could result in costly litigation and distract management from day-to-day operations. If we are not successful in defending such claims, we could be required to stop selling, delay shipments of, or redesign our solutions, pay monetary amounts as damages, enter into royalty or licensing arrangements, or satisfy indemnification obligations that we have with some of our partners. We cannot assure you that any royalty or licensing arrangements that we may seek in such circumstances will be available to us on commercially reasonable terms or at all. We license and use software from third parties in our business and generally must rely on those third parties to protect the licensed rights and avoid infringement. Third-party software components may become obsolete, defective or incompatible with future versions of our services, or our relationships with the third-party licensors or technology providers may deteriorate, expire or be terminated. These third-party software licenses may not continue to be available to us on acceptable terms or at all and may expose us to additional liability. Our inability to obtain licenses or rights on favorable terms could have a material and adverse effect on our business and results of operations. Even if such licenses or other grants of rights are available, we may be required to pay the licensor (or other applicable counterparty) substantial royalties, which may affect the margins on our products and services. Furthermore, incorporating intellectual property or proprietary rights in our products or services licensed from or otherwise made available to us by third parties on a non-exclusive basis could limit our ability to protect the intellectual property and proprietary rights in our products and services and our ability to restrict third parties from developing, selling or otherwise providing similar or competitive technology using the same third-party intellectual property or proprietary rights. This liability, or our inability to use any of this third-party software, could result in delivery delays or other disruptions in our business that could materially and adversely affect our operating results. If we fail to comply with any of the obligations under our license agreements, we may be required to pay damages and the licensor may have the right to terminate the license, which would cause us to lose valuable rights, and could prevent us from selling our products and services, or inhibit our ability to commercialize current or future products and services. Our business may suffer if any current or future licenses or other grants of rights to us terminate, if the licensors (or other applicable counterparties) fail to abide by the terms of the license or other applicable agreement, if the licensors fail to enforce the licensed intellectual property rights against infringing third parties, or if the licensed intellectual property rights are found to be invalid or unenforceable. Third parties from whom we currently license intellectual property and technology could refuse to renew our agreements upon their expiration or could impose additional terms and fees that we otherwise would not deem acceptable, requiring us to obtain the intellectual property or technology from another third party, if any is available, or to pay increased licensing fees or be subject to additional restrictions on our use of such third-party intellectual property or technology.

Because we offer very complex solutions, errors, defects, disruptions, or other performance problems with our solutions may occur and have occurred. For example, we may experience disruptions, outages and other performance problems due to a variety of factors, including infrastructure changes, human or software errors, fraud, security attacks or capacity constraints due to an overwhelming number of users accessing our websites simultaneously. As we continue to expand the number of our customers and the products and services available through our platform, we may not be able to scale our technology to accommodate the increased capacity requirements. The failure of data centers, internet service providers or other third-party service providers or vendors to meet our capacity requirements could result in interruptions or delays in access to our platform or impede our ability to grow our business and scale our operations. In some instances, we may not be able to identify the cause or causes of these performance problems within an acceptable period of time. Interruptions in our solutions could impact our revenues ,prevent our customers from accessing their accounts, damage our reputation with current and potential customers, expose us to liability, cause us to lose customers, cause the loss of critical data or personal information, prevent us from supporting our platform, products or services or processing transactions with our customers or cause us to incur additional expense in arranging for new facilities and support or otherwise harm our business, any of which could have a material and adverse effect on our business, financial condition, results of operations and cash flows in a disaster recovery scenario. To the extent we use or are dependent on any particular third-party data, technology or software, we may also be harmed if such data, technology, or software becomes non-compliant with existing regulations or industry standards, becomes subject to third-party claims of intellectual property infringement, misappropriation or other violation, or malfunctions or functions in a way we did not anticipate. Any loss of the right to use any of this data, technology or software could result in delays in the provisioning of our products and services until equivalent or replacement data, technology or software is either developed by us, or, if available, is identified, obtained and integrated, and there is no guarantee that we would be successful in developing, identifying, obtaining or integrating equivalent or similar data, technology or software, which could result in the loss or limiting of our products or services or features available in our products or services.

Many of our customers rely on our customer support services to resolve issues, including technical support, billing and subscription issues, that may arise. If demand increases, or our resources decrease, we may be unable to offer the level of support our customers expect. Any failure by us to maintain the expected level of support could reduce customer satisfaction and negatively impact our customer retention and our business.