Mitek Systems (MITK) Risk Factors

New lines of business, products or services could have a significant impact on the effectiveness of our system of internal controls and could reduce our revenues and potentially generate losses. New products and services, or entrance into new markets, may require substantial time, resources and capital, and profitability targets may not be achieved. Entry into new markets entails inherent risks associated with our inexperience, which may result in costly decisions that could harm our profit and operating results. There are material inherent risks and uncertainties associated with offering new products, and services, especially when new markets are not fully developed or when the laws and regulations regarding a new product are not mature. Factors outside of our control, such as developing laws and regulations, regulatory orders, competitive product offerings and changes in commercial and consumer demand for products or services may also materially impact the successful implementation of new products or services. Failure to manage these risks, or failure of any product or service offerings to be successful and profitable, could have a material adverse effect on our financial condition and results of operations.

In the past, third parties have brought claims against us and against our customers who use our products asserting that certain technologies incorporated into our products infringe on their intellectual property rights. Although we have resolved past claims against us that we have infringed on third-party patents, there can be no assurance that we will not receive additional claims against us asserting that our products infringe on the intellectual property rights of third parties or that our products otherwise utilize such third parties' proprietary information. Since 2018, United Services Automobile Association ("USAA") has filed suit against various parties alleging patent infringement concerning four USAA-owned patents related to mobile deposits, including Wells Fargo Bank, N.A. ("Wells Fargo") and PNC Bank. While these lawsuits do not name the Company as a defendant, given (among other factors) the Company's prior history of litigation with USAA and the continued use of the Company's products by its customers, on November 1, 2019, the Company filed a complaint in the U.S. District Court for the Northern District of California seeking declaratory judgment that its products do not infringe certain patents held by USAA (collectively, the "Subject Patents"). On January 15, 2020, USAA filed motions requesting the dismissal of the declaratory judgement of the Subject Patents and transfer of the case to the Eastern District of Texas, both of which the Company opposed. On April 21, 2020, the Court in the Northern District of California transferred the Company's declaratory judgement action to the Eastern District of Texas and did not rule on USAA's motion to dismiss. On April 28, 2021, the Court in the Eastern District of Texas granted USAA's motion to dismiss the Company's declaratory judgment action on jurisdictional grounds. The Court's ruling did not address the merits of the Company's claim of non-infringement. The Company appealed the ruling on the motion to dismiss and the decision to transfer the declaratory judgment action from California to Texas to the U.S. Court of Appeals for the Federal Circuit. The Federal Circuit heard oral argument on the Company's appeal on April 4, 2022 and on May 20 2022, issued an opinion vacating and remanding the district court's order granting USAA's motion to dismiss. On August 1, 2022, the parties submitted additional briefing to the district court in light of Federal Circuit's opinion. The court held another hearing on USAA's motion to dismiss the Company's declaratory judgment action on jurisdictional grounds, and once again granted USAA's motion to dismiss on February 23, 2023. The Company timely filed a notice of appeal to the U.S. Court of Appeals for the Federal Circuit. The appeal is fully briefed, and the Company is awaiting oral argument. The Company continues to believe that its products do not infringe the Subject Patents and will vigorously defend the right of its end-users to use its technology. On July 29, 2022, USAA filed another patent infringement lawsuit against Truist Bank ("Truist") in the Eastern District of Texas. The lawsuit alleges infringement of the '090 Patent, the '432 Patent, and the U.S. Patent No. 11,182,753 ("the '753 Patent"). The Company was not named as a defendant or mentioned in connection with any alleged infringement. On October 5, 2022, Truist's integration partner, NCR Corporation, sent an indemnification demand to the Company requesting indemnification from all claims related to the lawsuit. For the same reasons discussed above in connection with the PNC Lawsuits, the Company does not believe it is obligated to indemnify NCR Corporation or end-users of NCR Corporation resulting from the patent infringement allegations by USAA. On October 7, 2022, Truist filed a motion to transfer venue to the Western District of North Carolina. The motion was denied on April 8, 2023. On December 30, 2022, Truist filed a motion for leave to file counterclaims against USAA alleging patent infringement of U.S. Patent Nos. 7,336,813; 7,519,214; 8,136,721; and 9,760,797, which was granted on April 8, 2023. On March 13,2023, USAA moved for leave to file a First Amended Complaint, adding an additional allegation of patent infringement of U.S. Patent No. 11,544,944 ("the '944 Patent"). On April 4, 2023, Truist sent another indemnification demand to the Company requesting indemnification related to the lawsuit. On May 3, 2023, USAA moved for leave to file a Second Amended Complaint, adding an additional allegation of patent infringement of U.S. Patent No. 11,625,770 ("the '770 Patent"). On May 30, 2023, Truist sent another indemnification demand to the Company requesting indemnification related to the Second Amended Complaint. On October 6, 2023, the parties filed a Notice of Settlement and Joint Motion and Stipulation of Dismissal. All claims and causes of action between the parties were dismissed with prejudice on October 10, 2023 in view of the settlement. Furthermore, we may initiate other claims or litigation against parties for infringement of our intellectual property rights or to establish the validity of our intellectual property rights. Litigation, either as plaintiff or defendant, could result in significant expense to us, whether or not such litigation is resolved in our favor. Even if we were to prevail, any litigation could be costly and time-consuming and would divert the attention of our management and key personnel from our business operations.

The use of checks has declined in recent years as a result of advances in technologies that have enabled the development of check alternatives like Zelle and Venmo, which have caused certain changes in consumer behavior. Though we are developing and offering new technologies, many of our current product offerings center around solutions involving the use of checks by banking customers. As check alternatives become more widely accepted by consumers, the use of checks could continue to decline, which could have a negative effect on our business. In addition, as the mobile banking market matures, the growth of active mobile banking users is slowing, which may negatively impact our ability to grow our business, which therefore could adversely affect our financial condition and results of operations.

The long sales cycle and the implementation cycles for our software and services may cause operating results to vary significantly from period to period. The sales cycle for our products can be six months or more and varies substantially from customer to customer. Because we sell complex and deeply integrated solutions, the sale of our software and services may require a significant commitment of capital and other resources and it can take many months of customer education to secure sales and implement our product. Since our potential customers may evaluate our products before, if ever, executing definitive agreements, we may incur substantial expenses and spend significant management and legal effort in connection with a potential customer.

We generate revenue in markets outside of the U.S. The risks inherent in global operations include: - lack of familiarity with, and unexpected changes in, foreign laws and legal standards, including employment laws, Artificial Intelligence, and privacy laws, which may vary widely across the countries in which we sell our products;- increased expense to comply with U.S. laws that apply to foreign corporations, including the Foreign Corrupt Practices Act (the "FCPA");- compliance with, and potentially adverse tax consequences of foreign tax regimes;- fluctuations in currency exchange rates, currency exchange controls, price controls, and limitations on repatriation of earnings;- local economic conditions;- increased expense related to localization of products and development of foreign language marketing and sales materials;- longer accounts receivable payment cycles and difficulty in collecting accounts receivable in foreign countries;- increased financial accounting and reporting burdens and complexities;- restrictive employment regulations;- difficulties and increased expense in implementing corporate policies and controls;- international intellectual property laws, which may be more restrictive or may offer lower levels of protection than U.S. law;- compliance with differing and changing local laws and regulations in multiple domestic and international jurisdictions, including Artificial Intelligence and data privacy laws, as well as compliance with U.S. laws and regulations where applicable in these jurisdictions; and - limitations on our ability to enforce legal rights and remedies. If we are unable to successfully manage these and other risks associated with managing and expanding our international business, the risks could have a material adverse effect on our business, results of operations, or financial condition. Further, operating in international markets requires significant management attention and financial resources. Due to the additional uncertainties and risks of doing business in foreign jurisdictions, international acquisitions tend to entail risks and require additional oversight and management attention that are typically not attendant to acquisitions made within the U.S. We cannot be certain that the investment and additional resources required to establish, acquire or integrate operations in other countries will produce desired levels of revenue or profitability.

AI, automated decision making, and ML technologies are increasingly subject to regulatory scrutiny and oversight, for example, under the comprehensive legal framework governing the use of artificial intelligence adopted by the European Parliament in the European Union (the "EU AI Act"). The EU AI Act imposes onerous obligations related to the development, deployment and use of AI/ML-related systems. In particular, the EU AI Act is likely to designate certain AI technologies, including technologies used in an employment-related context (such as in relation to recruitment, placement of targeted job advertisements, and decision-making concerning promotion, termination and task allocation), as ‘high risk' and subject to numerous onerous compliance obligations, including various transparency, conformity and risk assessment, monitoring and human oversight requirements. As our products and services develop, they mall fall within one or more of these categories. Under the EU AI Act, non-compliant companies may be subject to administrative fines of up to 35 million Euros or 7% of a company's total worldwide annual turnover for the preceding financial year, whichever is the higher. The EU AI Act has a phased implementation process and is likely to be fully effective by Spring 2026. Moreover, in the United Kingdom, the government has confirmed its position that existing regulators are to implement certain specific principles (safety, security and robustness; transparency and explainability; fairness; accountability and governance; contestability and redress), within those regulators' existing remits, to guide and inform the responsible development and use of AI/ML within their relevant sectors / competences. Additionally, several United States jurisdictions have enacted measures related to the use of AI in products and services for their potentially discriminatory effects. For example, New York City passed a law to regulate the use of automated employment decision tools by employers and employment agencies. Certain of these laws may be materially unfavorable to our interests and/or inconsistent with our existing operations, policies, practices or plans (or may be interpreted as such). We expect other jurisdictions will adopt similar laws. Additionally, certain privacy laws extend rights to consumers (such as the right to delete certain personal data) and regulate automated decision making, which may be incompatible with our use of AI (including generative AI) and ML technologies in our products and services. These obligations may make it harder for us to conduct our business using AI/ML, lead to regulatory fines or penalties, require us to change our business practices, retrain our AI/ML, or prevent or limit our use of AI/ML. For example, the FTC has required other companies to turn over (or disgorge) valuable insights or trainings generated through the use of AI/ML where they allege the company has violated privacy and consumer protection laws. If we cannot use AI/ML or that use is restricted, our business may be less efficient, or we may be at a competitive disadvantage. Moreover, AI/ML models may create flawed, incomplete, or inaccurate outputs, some of which may appear correct. This may happen if the inputs that the model relied on were inaccurate, incomplete or flawed (including if a bad actor "poisons" the AI/ML with bad inputs or logic), or if the logic of the AI/ML is flawed (a so-called "hallucination"). We may use AI/ML outputs to make certain decisions. Due to these potential inaccuracies or flaws, the model could be biased and could lead us to make decisions that could bias certain individuals (or classes of individuals), and adversely impact their rights, employment, and ability to obtain certain pricing, products, services, or benefits. Furthermore, any sensitive information (including confidential, competitive, proprietary, or personal data) that we input into a third-party generative AI/machine learning platform could be leaked or disclosed to others, including if sensitive information is used to train the third party's AI/machine learning model. Additionally, where such a model ingests personal data and makes connections using such data, those technologies may reveal other personal or sensitive information generated by the model. Given that AI, automated decision making and ML technologies are core to our business, any increased regulation over these technologies, including the EU AI Act, could make it harder for us to conduct our business, significantly complicate our compliance efforts, increase legal risk and compliance costs for us, the third parties upon whom we rely, and our customers, increase our cost of doing business, impede or prevent our growth plans (including into Europe), require us to change our business operations at significant cost (such as retaining or rebuilding our AI/ML models), and reduce demand for our products. While we endeavor to implement policies, procedures, and systems designed to achieve compliance with these regulatory requirements, we cannot assure you that these policies, procedures, or systems will be adequate or that we or our personnel will not violate these policies and procedures or applicable laws and regulations. Violations of these laws or regulations may harm our reputation and deter government agencies and other existing or potential customers or partners from purchasing our solutions. Furthermore, non-compliance with applicable laws or regulations could result in fines, damages, criminal sanctions against us, our officers, or our employees, restrictions on the conduct of our business, and damage to our reputation.

Federal, state and foreign governments and supervising authorities have enacted, and may in the future enact, laws and regulations concerning the solicitation, collection, processing, disclosure, transfer and use of personal information. Such laws and regulations require or may in the future require us or our customers to implement additional and revise existing privacy and security policies and practices; permit individuals to access, correct or delete personal information stored or maintained by us or our customers; inform individuals of security breaches that affect their personal information; and, in some cases, obtain consent to use certain personal information for certain purposes. Other proposed laws and regulations could, if enacted, impose additional requirements and prohibit the use of specific technologies, such as those that track individuals' activities on web pages or record when individuals click on a link contained in an email message and systems reliant on such technologies. Such laws and regulations could restrict our and our customers' ability to collect and use web browsing data and personal information, which may reduce our customers' demand for our solutions. The laws in this area are complex and developing rapidly. In the United States, many states have adopted legislation that regulates how businesses operate online, including measures relating to privacy, data security and data breaches. Laws in all states require businesses to provide notice to customers whose personal information has been disclosed as a result of a data breach. The laws are not identical, and compliance in the event of a widespread data breach is costly, as we must ensure our compliance with each individual state law. Further, states have continued adopting new laws or amending existing laws, requiring attention to frequently changing regulatory requirements. For example, California enacted the California Consumer Privacy Act (the "CCPA") on June 28, 2018, which went into effect on January 1, 2020. The CCPA gives California residents expanded rights to access and delete their personal information, opt out of certain personal information sharing and receive detailed information about how their personal information is used by requiring covered companies to provide new disclosures to California consumers (as that term is broadly defined) and provides such consumers new ways to opt-out of certain sales of personal information. The CCPA provides for civil penalties for violations, as well as a private right of action for data breaches that is expected to increase data breach litigation. The CCPA may increase our compliance costs and potential liability. The California Privacy Rights Act (the "CPRA") revised and expanded the CCPA, adding additional data protection obligations on covered businesses, including additional consumer rights processes, limitations on data uses, new audit requirements for higher risk data, and opt outs for certain uses of sensitive data. It also created a new California data protection agency authorized to issue substantive regulations and could result in increased privacy and information security enforcement. The CPRA was in full effect as of January 1, 2023. Similar laws passed in Virginia, Colorado, Connecticut, and Utah took effect in 2023. Additionally, Delaware, Indiana, Iowa, Montana, Oregon, Tennessee, Texas, Kentucky, Maryland, Minnesota, Nebraska, New Hampshire, New Jersey, and Rhode Island have adopted privacy laws, which take effect at different dates through 2026. Additional U.S. states have enacted, or are considering, similar data privacy laws. We cannot fully predict the impact of these state laws on our business or operations, but it may require us to modify our data processing practices and policies and to incur substantial costs and expenses in an effort to comply. We expect that new legislation proposed or enacted in various other states will continue to shape the data privacy environment nationally. Certain state laws may be more stringent or broader in scope, or offer greater individual rights, with respect to confidential, sensitive and personal information than federal, international or other state laws, and such laws may differ from each other, which may complicate compliance efforts. In addition to the growing number of state-level privacy laws, the U.S. Congress has been actively considering a federal privacy law for some time which, if passed, would likely create a comprehensive national framework for data protection and privacy. This law could supersede many state privacy laws and establish uniform privacy protections across the country, addressing issues such as data security, artificial intelligence governance and consumer rights. The final form, timeline, and effective date of a potential U.S. federal privacy law is uncertain at this time. Changing industry standards and industry self-regulation regarding the collection, use and disclosure of data may have similar effects. Existing and future privacy and data protection laws and increasing sensitivity of consumers to unauthorized disclosures and use of personal information may also negatively affect the public's perception of our customers' sales practices. If our solutions are perceived to cause, or are otherwise unfavorably associated with, insecurity of personal information, whether or not illegal, we or our customers may be subject to public criticism. Public concerns regarding data collection, privacy and security may also cause some consumers to be less likely to visit our customers' websites or otherwise interact with our customers, which could limit the demand for our solutions and inhibit the growth of our business. Any failure on our part to comply with applicable privacy and data protection laws, regulations, policies and standards or any inability to adequately address privacy or security concerns associated with our solutions, even if unfounded, could subject us to liability, damage our reputation, impair our sales and harm our business. Furthermore, the costs to our customers of compliance with, and other burdens imposed by, such laws, regulations, policies and standards may limit adoption of and demand for our solutions.