Marqeta (MQ) Risk Analysis

We, our customers, our vendors, and other third parties we do business with are subject to a wide variety of laws, regulations, and industry standards, including supervision and examination with respect to the foregoing by multiple authorities and governing bodies and in multiple countries, which govern numerous areas important to our business. While we currently operate our business in an effort to ensure our business itself is not subject to the same level of regulation or licensing as the Issuing Banks and Card Networks that we contract with, Issuing Banks and Card Networks operate in a highly regulated environment, and there is a risk that those regulations could become directly applicable to or directly impact us. We have structured our business in a manner reasonably designed to comply with applicable laws and regulations, including, but not limited to, applicable laws relating to money laundering, sanctions, consumer protection, and money transmission services; however, it is possible that a relevant regulator may disagree, which could expose us to penalties and/or censure. If a relevant regulator disagreed with our analysis of, and compliance with, applicable laws, we may be required to seek licenses, authorizations, or approvals from those regulators, which may be dependent on us meeting certain capital and other requirements, and may subject us to additional regulation and oversight, all of which could significantly increase our operating costs. As a program manager, we are responsible for aligning compliance with Issuing Bank requirements and Card Network rules, and we help create card programs for our customers designed to comply with applicable legal and regulatory requirements. In some cases, we have in the past and could continue to be exposed to liability or indemnification claims from our customers or other third parties in connection with the services we provide. We are directly, and indirectly through our contractual relationships with customers, Issuing Banks, and Card Networks, subject to regulation in areas which may include, but are not limited to, privacy, data protection and information security, global sanctions regimes and export controls, and anti-bribery, and those relating to payments services (such as payment processing and settlement services), AI, consumer protection, AML, and escheatment, as well as compliance with industry standards, such as PCI DSS. As our business and platform continue to develop and expand, we continue to become subject to additional laws, rules, regulations, and industry standards, including possible additional examination and supervision, in the United States and internationally. For example, in Canada, the Retail Payment Activities Act (the "RPAA") will subject payment service providers ("PSPs"), including a Marqeta subsidiary, to supervision by the Bank of Canada. One of our subsidiaries submitted an application for registration under the RPAA in November 2024, and we and other PSPs must establish, implement, and maintain a risk management and incident response framework that complies with the RPAA by September 8, 2025. New or expanded regulation or changes in interpretation or enforcement of existing regulations may have an adverse effect on our business, results of operations, and financial condition due to increased compliance costs and new restrictions affecting the offering of our platform, products and services. We may not be able to respond quickly or effectively to, or accurately predict the scope or applicability of, regulatory, legislative, or other developments, which may in turn impair our ability to offer our existing or planned features, products, and services and/or increase our cost of doing business. For example, regulatory scrutiny over banks that sponsor financial technology programs increased in fiscal 2024, and the heightened regulatory environment contributed to the Issuing Banks we work with focusing more on maintaining existing programs than launching new programs with us. As a result, we launched fewer programs than projected in fiscal 2024, adversely affecting our results of operations and business. In addition, we may become subject to audits, inquiries, whistleblower complaints, adverse media coverage, investigations, or criminal or civil complaints or sanctions, all of which may have an adverse effect on our reputation, business, results of operations, and financial condition. As a result of our business relationships, we may also be subject to direct or indirect supervision and examination by various authorities. The CFPB, for example, has indicated it has dormant authority to examine certain companies whose services may pose risk to consumers, which may include our company. The Board of Governors of the Federal Reserve System, the FDIC, and the Office of the Comptroller of the Currency (the "Federal Banking Agencies") have also issued a growing number of enforcement actions in connection with partnerships between banks and financial technology companies in recent years. The Federal Banking Agencies have also published interagency guidance for banks to develop and implement risk management practices for these arrangements, which clarifies supervisory expectations for banks to oversee the third parties with whom they partner. With respect to payment activities, including card issuing, the Federal Banking Agencies have indicated that they may further clarify their supervisory expectations. Accordingly, as a program manager for Issuing Banks, we are subject to the Issuing Banks' risk management standards for third-party relationships in accordance with supervisory guidance and examination by the Federal Banking Agencies. Should we or the Issuing Banks with whom we work be unable to satisfy these standards, we may have to discontinue certain programs or relationships or be unable to onboard new customers or products to the Issuing Banks, and, it is also possible that regulators could hold us or our customers responsible for actual or perceived deficiencies in connection with our arrangements with Issuing Banks, and our business, financial condition, and results of operations may be adversely affected. New or changing laws or regulations could require us to incur significant expenses and devote significant management attention to ensure compliance and could also prompt our Issuing Banks to alter their dealings with us in ways that may have adverse consequences for our business. In addition, increased supervisory scrutiny has in the past contributed to, and may in the future contribute to, the Issuing Banks with whom we currently have relationships reassessing the details of their arrangement with us and may deter new Issuing Banks from establishing a relationship with us or have other adverse impacts upon our business. Further, while we do not handle or interact with cryptocurrency and we only process transactions on our platform in fiat currencies, certain cryptocurrency businesses use our platform to provide card products to their customers and end users. The regulation of cryptocurrency is rapidly evolving and varies significantly among jurisdictions and is subject to substantial uncertainty. Various legislative and executive bodies in the United States and other countries may adopt laws, regulations, or guidance, or take other actions, which may impact our Issuing Banks and restrain the growth of cryptocurrency businesses and in turn impact the net revenue associated with our cryptocurrency business customers. While we have developed policies and procedures designed to assist in compliance with laws and regulations, no assurance can be given that our compliance policies and procedures will be effective. If we fail to comply or are alleged or perceived to have failed to comply with applicable laws and regulations, we may be subject to litigation or regulatory investigations or other proceedings, we may have to pay fines and penalties or become subject to civil or criminal liability or have additional obligations or restrictions imposed upon our business, and our customer relationships and reputation may be adversely affected, which could have a material adverse effect on our business, results of operations, and financial condition. In some cases, regardless of fault, it may be less time-consuming or costly to settle these matters, which may require us to implement certain changes to our business practices, provide remediation to certain individuals, or make a settlement payment to a given party or regulatory body.

Our agreements with Issuing Banks, Card Networks, customers, vendors, lessors, and other third parties include indemnification provisions under which we agree to indemnify them for losses or expenses suffered or incurred in certain circumstances, including, for example, in relation to claims arising out of the breach of such agreements, services to be provided by us, or from intellectual property infringement claims made by third parties. Some of these agreements provide for uncapped liability for indemnification claims and some indemnity provisions survive termination or expiration of the applicable agreement. In some cases, we have in the past and could continue to be exposed to liability or indemnification claims from our customers, Card Networks, or Issuing Banks in connection with the services we provide. Large payments to customers, Card Networks, or Issuing Banks could harm our business, results of operations, and financial condition. Any dispute with a customer, Card Network, or Issuing Bank with respect to these obligations could have adverse effects on our relationship with that counterparty and other existing or prospective customers, Card Networks, or Issuing Banks, and harm our business and results of operations. Further, although we carry insurance, our liability insurance may not cover all potential claims made against us or be sufficient to cover us for all liability that may be imposed, and any such coverage may not continue to be available to us on acceptable terms or at all.

We are subject to income taxes in the United States and numerous foreign jurisdictions. Our domestic and international tax liabilities are dependent upon the location of earnings among these different jurisdictions. Any changes in tax legislation, regulations, policies, or practices in the jurisdictions in which we operate could increase our effective tax rate and materially increase the amount of taxes we owe, thereby negatively impacting our results of operations as well as our cash flows from operations. Additionally, successful assertion by one or more states, or foreign jurisdictions, requiring us to collect sales, value added, or similar indirect taxes where we presently do not do so, or to collect more of such indirect taxes in a jurisdiction in which we currently do collect some indirect taxes, could result in substantial tax liabilities, including taxes on past sales, as well as penalties and interest. Furthermore, compliance with changing tax laws and regulations could require us to make substantial changes to our business practices, allocate additional resources, and increase our costs, potentially negatively affecting our business, results of operations, and financial condition. As we grow internationally, we may also be subject to taxation and review by taxation authorities in additional jurisdictions with increasingly complex tax laws, the application of which can be uncertain, and which could increase the amount of taxes we pay, potentially adversely affecting our liquidity and results of operations.

We have in the past and may in the future be accused of infringing, misappropriating, or otherwise violating the intellectual property or other proprietary rights of third parties. Although we seek to comply with the statutory, regulatory, and judicial frameworks and the terms and conditions of statutory licenses, we cannot assure you that we are not infringing or violating any third-party intellectual property rights, or that we will not do so in the future. The costs of litigation can be considerable, and we cannot assure you that we will achieve a favorable outcome of any such claim. Although we carry insurance, our insurance may not cover potential claims of this type or may not be adequate to cover us for all liability that may be imposed. If any such claim is valid, we may be required to stop using such intellectual property or other proprietary rights and pay damages, which could adversely affect our business. Even if such claims were not valid, defending them could be expensive and distract our management team. We have agreed to defend, indemnify, and hold harmless certain of our customers and other counterparties from damages and costs arising from the infringement or claimed infringement by our products of third-party intellectual property rights. The scope of these indemnity obligations varies. Even if we are not a party to any litigation between a customer or other counterparty and a third party relating to alleged infringement in relation to our products, an adverse outcome in any such litigation could make it more difficult for us to defend our solutions against intellectual property infringement claims in any subsequent litigation where we are a named party. Any of these results could harm our brand and adversely affect our results of operations.

Our continued growth depends on the efficient operation of our platform. Any significant disruption, outage, data loss, or errors in service on our platform, including events beyond our control, such as infrastructure changes or failures, or human or software errors could have a material and adverse effect on our business and financial condition. We have experienced such performance incidents in the past and expect that we will continue to periodically experience such performance issues in the future. Our platform is designed to process a high number of transactions and deliver reports and other information related to those transactions at high processing speeds. We have in the past and may in the future experience errors, inaccuracies, or omissions in our processing, reconciling, or reporting of transactions. The risk of performance issues has increased in recent periods due to the significant increase in our TPV and increases further with new product launches and geographical expansion. We release regular updates to our platform, which have in the past contained, and may in the future contain, undetected errors, failures, and bugs. Any platform performance issues could lead to claims by customers, vendors, Card Networks, Issuing Banks, or other third parties, or other claims, regulatory fines, or proceedings. It could also damage ours and our customers' businesses and, in turn, hurt our brand and reputation. The performance, availability, and connectivity of the data centers, cloud-based solutions, and other third parties that provide computing and storage infrastructure for our platform are outside of our control. If any of these infrastructure providers fail to provide sufficient capacity to support our platform or otherwise experience service outages, we may experience interruptions in our ability to operate our platform and our business could be adversely affected. We have experienced, and expect to continue to periodically experience, outages of the services provided by these providers. If we are not able to maintain the level of service uptime and performance needed by our customers, they could face longer processing times or downtime as a result. If customers are unable to access our platform within a reasonable amount of time, or at all, we may not be able to meet the service level commitments typically provided for in our customer contracts and we would be contractually obligated to provide service level credits. We have experienced incidents, including incidents outside our control, and expect we may experience incidents in the future requiring us to pay service level credits and other customer service concessions. In addition, our insurance policies may not adequately compensate us for any losses that we may incur as a result of damage or interruption. Further, we are continuing to refine our enterprise resilience functions such as business continuity, crisis management, and disaster recovery. Our disaster recovery plan has not been tested under actual disaster conditions, and we may not have sufficient capacity to recover all data and services in the event of an outage. Therefore, any performance issue, systems failure, outage, or interruption in the availability of our platform would adversely affect our business, and could subject us to financial penalties and liabilities.

We acquired Power Finance in the first quarter of 2023 and released our credit card issuing capabilities publicly in October 2023. Net revenue growth attributed to credit card issuing is dependent on increasing the number of existing customers or new customers who use our credit card issuing capabilities. We have limited experience administering our credit card issuing platform, and failure to scale due to our limited experience or a competitive market could adversely affect our business and financial results. The success of our credit issuing capabilities and other credit programs also depends on our ability to effectively manage related risks for us and our Issuing Banks. While the Issuing Banks or other third parties we work with bear the credit risk, in some cases they rely on our credit decisioning engine and managed services to underwrite and/or to otherwise support the management of credit card programs in accordance with their credit policies. Our current and future efforts and the efforts of our Issuing Banks and other partners to expand the capacity of our Issuing Banks and mitigate risk to our credit issuing capabilities and other credit programs may not be successful. Numerous factors, many of which are outside of our control, can adversely affect the evaluation of credit risk. The information we use in processing credit transactions may be inaccurate or incomplete as a result of error or fraud, both of which may be difficult to detect and avoid. If a fraudulent applicant is approved based on our credit risk model, we may be liable for the losses incurred by the Issuing Bank, which could adversely affect our business and results of operations. There may be risks that exist, or that develop in the future, including market risks, interest rate risks, economic risks, and other external events, that we have not appropriately anticipated, identified, or mitigated that would impact our Issuing Banks or our ability to support credit products. If our credit risk tools do not effectively and accurately model the credit risk of potential cards issued by our Issuing Banks, greater than expected losses may result on such card programs and, as a result, our customers may stop marketing their card programs, potential customers may be less likely to initiate card programs, and Issuing Banks may stop using our platform for credit card issuing. Further, if our platform does not operate as intended or is inaccurate, it may be alleged that we and/or our Issuing Banks have failed to comply with applicable laws and regulations, we and/or our Issuing Banks may be subject to litigation or regulatory investigations or other proceedings, we and/or our Issuing Banks may have to pay fines and penalties or become subject to civil or criminal liability or have additional obligations or restrictions imposed upon our respective businesses, and our customer relationships and reputation may be adversely affected, which could have a material adverse effect on our business, results of operations, and financial condition. The Issuing Banks face the risk that our customers' cardholders will default on their payment obligations, creating the risk of potential charge-offs. While we are not contractually obligated to pay for any credit-related delinquencies or charge-offs, we have in the past and may in the future make payments to our Issuing Banks in association with our relationship with them, regardless of whether we were compelled to under law or contract. Incremental charge-offs may also affect the Issuing Bank's future credit decisioning which could impact the volume of transactions processed and the number of cards issued. This may adversely affect our business and results of operations.

We rely on our relationships with Issuing Banks and Card Networks to provide certain services in connection with our platform, products, and services. We have in the past and may in the future pay certain amounts in association with these relationships, regardless of whether we were compelled to under law or contract. In addition, we have in the past and may in the future have disagreements with Issuing Banks and Card Networks. If we are unable to maintain the quality of these relationships or fail to comply with our related contractual requirements, our business would be adversely affected. A significant portion of our payment transactions are settled through a small number of Issuing Banks. For the years ended December 31, 2024, 2023, and 2022, 70%, 76%, and 82%, respectively, of TPV was settled through one Issuing Bank, Sutton Bank. If Sutton Bank terminates our agreement with them or is unable or unwilling to settle our transactions for any reason, we may be required to switch some or all of our processing volume to one or more other Issuing Banks, including to any of the other Issuing Banks with which we currently contract. Switching processing volume to another Issuing Bank would take time and could result in additional costs or loss of revenue or customers, which may adversely affect our business. We also have agreements with Card Networks that, among other things, provide us certain monetary incentives based on the processing volume of our customers' transactions routed through the respective Card Network. The timing and extent of amendments or new contracts related to our volume incentive arrangements with Card Networks could result in incentive payments that are recorded in a current period and based on volume processed in a prior period. We currently include Card Network fees in the pricing arrangements with the majority of our customers who engage us to arrange their use of one of more of the Card Networks. If these customers were to manage the relationship with the Card Networks directly, our reported net revenue may decrease. For example, the August 2023 Block Amendment provides that Block will be responsible for defining and managing the Cash App program with respect to the primary Card Network going forward which has the effect of reducing reported net revenue. We intend to continue expanding and deepening our relationships with Issuing Banks and Card Networks. Diversifying these contractual relationships and operations increases the complexity of our operations and has lead and may continue to lead to increased costs. The Issuing Banks and Card Networks we work with may fail to process transactions, breach their agreements with us, or refuse to renew or renegotiate our agreements with them on terms that are favorable, commercially reasonable, or at all. They might also take actions that could degrade the functionality of our platform, impose additional costs or requirements on us, or give preferential treatment to competitive services, including their own. If we are unsuccessful in establishing, renegotiating, or maintaining relationships with Issuing Banks or Card Networks, our business may be adversely affected.