Global Payments (GPN) Risk Analysis

We are, from time to time, involved in various litigation matters and governmental or regulatory investigations or similar matters arising out of our current or future business. Our existing insurance or indemnities may not cover all claims that may be asserted against us, and any claims asserted against us, regardless of merit or eventual outcome, may harm our reputation. Litigation could be costly, time-consuming and divert attention of our management and employees from daily operational needs. Furthermore, there is no guarantee that we will be successful in defending ourselves in pending or future litigation or similar matters under various laws. Should the ultimate judgments or settlements, costs or fines in any pending or future litigation or investigation significantly exceed our insurance coverage, such judgments could have a material adverse effect on our business, financial condition, results of operations and cash flows.

Changes in tax laws or their interpretations could result in changes to enacted tax rates and may require complex computations to be performed that were not previously required, significant judgments to be made in interpretation of the new or revised tax regulations and significant estimates in calculations, as well as the preparation and analysis of information not previously relevant or regularly produced. Future changes in enacted tax rates could adversely affect our business, financial condition, results of operations and cash flows. On July 4, 2025, the One Big Beautiful Bill Act ("OBBBA") was enacted in the U.S. The OBBBA includes provisions, such as the permanent extension of certain expiring provisions of the Tax Cuts and Jobs Act, modifications to the international tax framework, and the restoration of favorable tax treatment for certain business provisions. The legislation has multiple effective dates beginning in 2025. Various foreign taxing jurisdictions enacted local legislation formally adopting the Global Anti-Base Erosion Model Rules ("Pillar Two"), which generally provides for a minimum effective tax rate of 15%, as established by the Organization for Economic Co-operation and Development ("OECD") Pillar Two Framework. The Group of Seven (G7) countries have agreed that U.S. Multi-National Entities ("MNEs") should be excluded from certain aspects of the Pillar Two global minimum tax rules in exchange for the U.S. not imposing retaliatory taxes. On January 5, 2026, the OECD released additional guidance and announced the Side-by-Side package which introduces simplifications and new safe harbors for U.S. MNEs. The OBBBA and Pillar Two did not have a material effect on our financial statements for the year ended December 31, 2025, and we are continuing to evaluate the potential effect on future periods. Our tax returns and positions are subject to review and audit by federal, state, local and international taxing authorities. An unfavorable outcome to a tax audit could result in higher tax expense, thereby adversely affecting our business, financial condition, results of operations and cash flows. We exercise significant judgment and make estimates that we believe to be reasonable in calculating our worldwide provision for income taxes and other tax liabilities. However, relevant tax authorities may disagree with our estimates, interpretations or tax treatment of certain material items. Failure to sustain our position in these matters could adversely affect our business, financial condition, results of operations and cash flows.

We rely on a combination of contractual rights and copyright, trademark, patent and trade secret laws to establish and protect our proprietary technology. Despite our efforts to protect our intellectual property, third parties may infringe or misappropriate our intellectual property or may develop software or technology that competes with ours. Our competitors may independently develop similar technology, duplicate our services or design around our intellectual property rights. We may have to litigate to enforce and protect our intellectual property rights, trade secrets and know-how or to determine their scope, validity or enforceability, which is expensive and could cause a diversion of resources and may not prove to be successful. The loss of intellectual property protection or the inability to secure or enforce intellectual property protection could harm our business and ability to compete. We may also be subject to costly litigation in the event our services and technology are alleged to infringe upon another party's proprietary rights. Third parties may have, or may eventually be issued, patents that could be infringed by our services or technology. Any of these third parties could make a claim of infringement against us with respect to our services or technology. We may also be subject to claims by third parties for breach of copyright, trademark or license usage rights. Any such claims and any resulting litigation could subject us to significant litigation costs and potential liability for damages. An adverse determination in any litigation of this type could limit our ability to use the intellectual property subject to these claims and require us to design around a third party's intellectual property, which may not be possible, or to license alternative technology from another party, which may be costly. In addition, such litigation is often time consuming and expensive to defend and could divert the time and attention of our management and employees from other strategic matters.

In order to provide our services, we process and store sensitive business and personal information, which may include credit and debit card numbers, bank account numbers, Social Security numbers, driver's license numbers, names and addresses and other types of sensitive personal or business information. Some of this information is also processed and stored by financial institutions, merchants and other entities, as well as third-party service providers to whom we outsource certain functions, and other agents, such as independent consultants and auditors, which we refer to collectively as our associated third parties. We may have responsibility to the card networks, financial institutions, regulators, and in some instances, our merchants, ISOs and/or individuals, for our failure or the failure of our associated third parties (as applicable) to protect this information. We are a regular target of malicious attempts to identify and exploit system vulnerabilities, and/or to penetrate or bypass our security measures, in order to gain unauthorized access to our networks and systems or those of our associated third parties. Such attempts at unauthorized access can lead, and occasionally have led, to the compromise of sensitive, business, personal or confidential information. To mitigate these risks, we follow a defense-in-depth model for cybersecurity, meaning we proactively seek to employ multiple methods at different layers to defend our systems against intrusion and attack and to protect the data we possess. We have adopted policies and procedures as part of our information security program, as well as an incident response plan, that are designed to facilitate the identification, assessment and management of those risks, including any risks that have the potential to be material. Our information security program, which is designed to address cybersecurity risks and is subject to oversight by both the Board of Directors and management, includes technical, physical and administrative controls that are designed to maintain the confidentiality, integrity and availability of our information and technical assets. However, we cannot provide any assurance that these cybersecurity risk management processes and controls will be fully complied with or effective, and we cannot be certain that these measures or others will always be successful or will always be sufficient to counter, or to rapidly detect, contain and remediate all current and emerging technology threats. More specifically, our computer systems and/or our associated third parties' computer systems have been, and we expect will continue to be, targeted on a regular basis, and our data protection measures may not prevent, and occasionally have not prevented, unauthorized access. The techniques used to obtain unauthorized access, disable or degrade services or sabotage systems change frequently. These techniques are often difficult to detect and they continually evolve and may become more sophisticated. These threats may be facilitated and exacerbated by the use of AI technologies, which may increase system complexity, expand data usage, and introduce new attack surfaces or modes of exploitation. Threats to our systems and our associated third parties' systems can derive from human error or malicious actions by employees or third parties, including state-sponsored organizations with significant financial and technological resources. In addition, we have experienced and may continue to experience system disruptions or delays caused by computer viruses and other malware or vulnerabilities that could infect our systems or those of our associated third parties. Denial of service, ransomware, phishing attempts, brute force attacks, exploiting software vulnerabilities (including "zero-day attacks"), supply chain attacks and other events or other methods of attacks could be launched against us for a variety of purposes, including to interfere with our services or to create a diversion for other malicious activities. Our defensive measures may not prevent downtime, unauthorized access or misuse of sensitive data. We have experienced all of the incident types described in this paragraph in the past, and we cannot guarantee that we will be able to detect and prevent all such incidents in the future. While we maintain first- and third-party insurance policies that may provide coverage for certain aspects of cybersecurity risks, such insurance coverage may be insufficient to cover all losses resulting from an incident. Companies we acquire may also require implementation of additional cybersecurity defense controls or processes to align with our information security program and, as a result, there may be a period of heightened risk between the acquisition date and the completion of such implementation. Furthermore, certain of our third-party relationships are subject to our vendor management program and are governed by written contracts that contain requirements relating to information security. We have designed our risk identification, assessment and management processes and procedures to account for cybersecurity risks associated with our use of third-party service providers. However, we do not control the actions of our associated third parties, and any disruptions in their services caused by cybersecurity attacks and/or security breaches could adversely affect our ability to service our customers or otherwise conduct our business. We impose contractual requirements on our counterparties, including vendors and other third parties, to comply with applicable privacy and security laws related to the use and security of sensitive or personal information. We cannot provide assurances that these contractual requirements will be followed or will be adequate to prevent the misuse of this data. We have occasionally received notifications from third parties informing us that our data stored on their systems has been accessed without authorization. Any future misuse or compromise of personal information stored on those systems, or any other failure by a vendor, partner or other third party to abide by our contractual requirements, could expose us to regulatory fines, third-party liability, protracted and costly litigation and, with respect to misuse of the personal information of our customers, lost revenue and reputational harm. Any type of security incident, cybersecurity attack, unintentional or intentional disclosure of sensitive business and personal information, or misuse of data described above or otherwise, whether experienced by us or an associated third party, could harm our reputation; deter existing and prospective customers from using our services or from making digital payments generally; cause a loss of revenue; increase our operating expenses in order to contain and remediate the incident; expose us to unanticipated or uninsured liability; disrupt our operations (including potential service interruptions); distract our management; increase our risk of litigation or regulatory scrutiny; and result in the imposition of penalties and fines under state, federal and foreign laws or by the card networks (which may not be covered by our insurance policies). Removal from the networks' lists of Payment Card Industry Data Security Standard ("PCI DSS") compliant service providers could mean that existing customers, sales partners or other third parties could cease using or referring others to our services. Also, prospective merchant customers, sales partners or other third parties could choose to terminate negotiations with us, or delay or choose not to consider us for their processing needs. In addition, as a global company, we are increasingly subject to complex and varied cybersecurity incident reporting requirements across numerous jurisdictions. With the often short timeframes required for cybersecurity incident reporting, there is a risk that we or our associated third parties will fail to meet the reporting deadlines for any given incident. Regardless of where an incident occurs, it may take considerable time for us to investigate and evaluate the full impact of a cybersecurity incident, particularly in the case of a sophisticated attack. These factors may inhibit our ability to provide prompt, full and reliable information about the cybersecurity incident to our customers, partners and regulators, as well as to the public. If we are unable to comply with reporting requirements, we could be subject to monetary damages, civil and criminal penalties, litigation, investigations and proceedings and damage to our reputation. Any of the foregoing could adversely affect our business, financial condition and results of operation.

Our core services are based on software and computing systems that may encounter development delays, and the underlying software may contain undetected errors, viruses, defects or vulnerabilities. The hardware infrastructure on which our systems run may have faulty components or fail. Defects in our software services, underlying hardware or errors or delays in our processing of digital transactions could result in additional development costs, diversion of technical and other resources from our other development efforts and could result in loss of business, loss of credibility with current or potential customers, harm to our reputation and exposure to liability claims. We may not be able to effectively mitigate these risks or to implement new technology to address these risks in a timely fashion. In instances in which we rely on third-party software, our services are occasionally affected by defects, viruses, vulnerabilities, security incidents or other failures that take place at the vendor level. Depending on the circumstances, a vendor failure could cause delays, disruption or data loss or damage, and therefore cause harm to our credibility, reputation or financial condition. In addition, our insurance may not be adequate to compensate us for all losses or failures that may occur.

All of our businesses function at the intersection of rapidly changing technological, social, economic and regulatory developments that require a wide ranging set of expertise and intellectual capital. To successfully compete and grow, we must recruit, develop, retain and motivate personnel who can provide the needed expertise across the entire spectrum of intellectual capital needs. In addition, we must develop our personnel to fulfill succession plans capable of maintaining continuity in the midst of the inevitable unpredictability of human capital. However, the market for qualified personnel is extremely competitive, and we may not succeed in recruiting additional personnel or may fail to effectively replace current personnel who depart with qualified or effective successors, including key personnel, such as executive officers. Failure to retain, develop or attract key personnel could disrupt our operations and future growth and success, which could have a material adverse effect on our business, financial condition, results of operations and cash flows.

We depend on the efficient and uninterrupted operation of our computer systems, software, data centers and telecommunications networks, as well as the systems and services of third parties. Not only could we suffer damage to our reputation in the event of a system outage or data loss, but we could also be liable to third parties. Certain of our contractual agreements with customers require the payment of penalties if we do not meet certain operating standards. Our systems and operations or those of our third-party providers could be exposed to damage or interruption from, among other things, fire; climate-related events, including extreme weather events; natural disasters; pandemics; power loss; telecommunications failure; terrorist acts; war; unauthorized entry; cybersecurity attacks; human error; hardware failure; and computer viruses, vulnerabilities or other defects. We have been and continue to be exposed to defects in our systems or those of third parties, errors or delays in the processing of payment transactions, telecommunications failures, or other difficulties (including those related to system relocation), which could result in loss of revenues, loss of customers, loss of merchant and cardholder data, harm to our business or reputation, exposure to fraud losses or other liabilities, negative publicity, additional operating and development costs, litigation expenses, fines and other sanctions imposed by card networks or regulators and/or diversion of technical and other resources. There is also a risk that third-party suppliers of hardware and infrastructure required to support our employee productivity or our suppliers could be affected by supply chain disruptions or delays caused by the events described above. An extended supply chain disruption could also affect the delivery of our services. In addition, if we are unable to renew or renegotiate our agreements with key suppliers on favorable terms to us or at all, or find alternative third-party providers, our services may be affected. Any of the foregoing could have a material adverse effect on our business, financial condition, results of operations and cash flows.

From time to time, the card networks, including Visa and Mastercard, increase the fees that they charge processors. We often pass these increases along to our merchant customers; however, if merchants do not accept these increases, this strategy might result in the loss of customers to our competitors, thereby reducing our revenues and earnings. If competitive practices prevent us from passing along the higher fees to our merchant customers in the future, we may have to absorb all or a portion of such increases, thereby reducing our earnings.

The global payments technology industry depends heavily on the overall level of consumer, business and government spending. We are exposed to general economic conditions, including but not limited to, recessions, inflation, rising interest rates, high unemployment, currency fluctuations, and rising energy prices, that adversely affect consumer confidence, discretionary income and changes in consumer purchasing and spending habits. Adverse economic conditions have at times affected, and may continue to adversely affect, our financial performance by reducing the number or average purchase amount of transactions made using digital payments. A reduction in the level of consumer spending could result in a reduction to our revenues and profits. If our customers make fewer sales to consumers using digital payments, or consumers using digital payments spend less per transaction, we will have fewer transactions to process or lower transaction amounts, each of which would contribute to lower revenues. Moreover, competitors may respond to market conditions by lowering prices and attempting to lure away our customers to lower-cost solutions. Additionally, credit card issuers may reduce credit limits and become more selective in their card issuance practices. When such conditions arise, we evaluate where we may be able to implement cost-saving measures, including those related to headcount and discretionary expenses. Adverse macroeconomic conditions in any of our markets could force merchants or other customers to cease operations or petition for bankruptcy protection, resulting in lower revenue and earnings for us and greater exposure to potential credit losses and future transaction declines. We also have a certain amount of fixed costs, including rent, debt service, and salaries, which could limit our ability to quickly adjust costs and respond to changes in our business and the economy. Changes in economic conditions could also adversely affect our future revenues and profits and have a material adverse effect on our business, financial condition, results of operations and cash flows. In most of the markets in which we operate, we collect fees from our merchants on the first day after the monthly billing period, which results in the build-up of substantial receivables from our customers. If a merchant were to go out of business during the billing period, we may be unable to collect such fees, which could also adversely affect our business, financial condition, results of operations and cash flows. In addition, our business, growth, financial condition or results of operations could be materially adversely affected by public health emergencies, political and economic instability or changes in a country's or region's economic conditions, changes in laws or regulations or in the interpretation of existing laws or regulations, whether caused by a change in government or otherwise, increased difficulty of conducting business in a country or region due to actual or potential political or military conflict or action by the United States or foreign governments that may restrict our ability to transact business in a foreign country or with certain foreign individuals or entities. Risks associated with heightened geopolitical and economic instability, include among others, reduction in consumer, government or corporate spending, international sanctions, embargoes, tariffs, heightened inflation and actions taken by central banks to counter inflation, volatility in global financial markets, increased cyber disruptions or attacks, higher supply chain costs and increased tensions between countries in which we may operate, which could result in charges related to the recoverability of assets, including financial assets, long-lived assets and goodwill, and other losses, and could adversely affect our business, financial condition and results of operations.

A portion of our indebtedness bears interest at a variable rate, and we may incur additional variable-rate indebtedness in the future. Elevated interest rates could increase our cost of debt, and reduce our operating cash flows, limit options to refinance existing debt on favorable terms or at all, and could hinder our ability to fund our operations, capital expenditures, acquisitions or joint ventures, share repurchases or dividends. We are also subject to risks related to the changes in currency exchange rates as a result of our investments in foreign operations and from revenues generated in currencies other than our reporting currency, the U.S. dollar. Revenues and profits generated by international operations will increase or decrease compared to prior periods as a result of changes in currency exchange rates. Volatility in currency exchange rates has affected and may continue to affect our financial results. In certain of the jurisdictions in which we operate, we may become subject to exchange control regulations that might restrict or prohibit the conversion of our foreign currencies into U.S. dollars or limit our ability to freely move currency in or out of particular jurisdictions. The occurrence of any of these factors could decrease the value of revenues we receive from our international operations and have a material adverse effect on our business, financial condition, results of operations and cash flows. We may seek to reduce our exposure to fluctuations in interest rates or currency exchange rates through the use of hedging arrangements. To the extent that we hedge our interest rate or currency exchange rate exposures, we forgo the benefits we would otherwise experience if interest rates or currency exchange rates were to change in our favor. Developing an effective strategy for dealing with movements in interest rates and currency exchange rates is complex, and no strategy can completely insulate us from risks associated with such fluctuations. In addition, a counterparty to the arrangement could default on its obligation, thereby exposing us to credit risk. We may have to repay certain costs, such as transaction fees or breakage costs, if we terminate these arrangements.