Paymentus Holdings (PAY) Risk Analysis

A substantial portion of our business and platform relies on key technologies developed or licensed by third parties. These third-party software components could become obsolete, defective or incompatible with future versions of our services. Relationships with third-party licensors or technology providers may deteriorate, or our agreements may expire or be terminated. Future licenses or rights may not be available on acceptable terms, or at all, which could prevent our platform from remaining competitive. Our inability to obtain licenses on favorable terms could materially and adversely affect our business and results of operations. Furthermore, using non-exclusive licenses in our products could limit our ability to protect our own IP and prevent third parties from developing similar or competitive technology using the same licensed IP. We believe we have all the necessary licenses and other grants of rights from third parties to use technology and software that we do not own. However, a third party could allege we are infringing its rights, deterring our ability to obtain licenses or causing litigation. If we were to obtain a non-exclusive license, it would give competitors access to the same technology. We could also be liable for significant monetary damages, including treble damages and attorneys' fees, for willful infringement of a patent or other IP right. Any such litigation or the failure to obtain any necessary licenses or other rights could adversely impact our business, financial position, results of operations and liquidity.

We continuously modify, enhance, upgrade and implement new systems, procedures and controls in our software and technology to reflect changes in our business, technological advancements and changing industry trends. These updates may contain undetected errors, viruses or defects. Despite extensive testing, we have discovered and may discover defects or errors in our software and technology, which could materially harm our business, operating results and financial condition, and increase cybersecurity risk. Defects and performance problems could: - Be costly for us and adversely affect our clients' businesses. - Harm our reputation and result in reduced sales or loss of market acceptance of our solutions. - Cause clients to terminate or fail to renew contracts, delay or withhold payment or assert claims. - Result in liability, lost business, increased insurance costs, difficulty collecting accounts receivable, costly litigation or regulatory actions. Our software incorporates open-source code, and defects or security vulnerabilities in this code could increase cybersecurity risk and adversely affect our business. We rely on third-party technology and software that may also contain undetected errors or defects. Software defects and errors or delays in electronic bill presentment or payment processing facilitation could result in additional development costs, diversion of resources, loss of credibility, harm to reputation and exposure to liability claims. Our platform uses open source software, which may subject us to restrictive requirements, such as publicly disclosing source code for modifications or granting licenses on unfavorable terms. Since open source licenses are often not judicially interpreted, there is a risk of unanticipated conditions or restrictions on our ability to provide our platform. The public availability of this software may also make it easier for others to compromise our platform. Despite our monitoring efforts on such software, inadvertent use that breaches open source terms could occur or be claimed. We could face claims from third parties regarding ownership or demanding the release of our proprietary source code, or seeking to enforce license terms. These claims could result in costly litigation, requiring us to: - Make our source code freely available. - Purchase a costly license or cease offering the implicated products or services. - Re-engineer our platform, which is costly and time-consuming. A release of our proprietary code could allow competitors to create similar offerings with lower development effort, leading to a loss of competitive advantages. Open source licensors generally provide no support, warranties or indemnification, entailing greater risks than commercial software. Legal precedent is limited, and any requirement to disclose proprietary source code or pay damages could harm our business and aid competitors. These risks are difficult to manage and could materially affect our business, operating results and financial condition.

Our platform enables our clients and partners to communicate with consumers via email, text messages and telephone calls, and to record and monitor calls for training and quality assurance purposes. We also send communications directly to consumers. These activities are subject to U.S. federal and state laws, rules and regulations, such as the Telephone Consumer Protection Act (TCPA), the CAN-SPAM Act, and others related to telemarketing and communication recording and monitoring. The TCPA prohibits telemarketing calls to numbers listed in the Federal Do-Not-Call Registry and imposes other obligations on calls and text messages to consumers. The requirements and obligations under the TCPA continue to evolve, complicating efforts to comply. For example, in 2025, the FCC implemented a consent revocation rule, which strengthens consumer rights under the TCPA to revoke consent to receive autodialed calls or prerecorded messages as well as text messages. Also, several states have enacted stricter "mini-TCPAs." The CAN-SPAM Act regulates commercial email messages, requiring opt-out mechanisms. These and other communications laws are subject to varying, subjective interpretations, making compliance challenging. We often rely on our billers and partners to obtain legally required consents from consumers. However, we cannot guarantee compliance will always be successful. Any change in law, or our or our billers' or partners' failure to comply, could: - Significantly restrict our or their ability to use our platform's communication capabilities. - Result in significant financial penalties, litigation (including class action), consent decrees, injunctions, adverse publicity and other negative consequences. - Adversely affect our business, operating results and financial condition, and significantly harm our reputation.

Our billers, financial institutions and consumers store personal and business information, financial information and other sensitive information on our platform. In addition, we receive, store, handle, transmit, use and otherwise process personal and business information, financial information and other sensitive data, subjecting us to contractual obligations, industry standard requirements and a complex, rapidly evolving global framework of laws related to privacy, data protection and information security. Finally, our direct collection, use, sharing and other processing of personal information from customers, potential customers, website visitors and others may be subject to international, federal, state or industry sector-specific requirements. This framework includes: - U.S. federal laws governing the security, collection, processing, storage, use, disclosure and other processing of certain types of data, such as the Electronic Communications Privacy Act, the Computer Fraud and Abuse Act, the Gramm Leach Bliley Act and others. - Federal Trade Commission and state attorneys general interpretations of consumer protection laws. - State and local laws, such as the CCPA, as amended by the CPRA in California, which broadly defines personal information, gives California residents expanded privacy rights and protections, including the right to access and delete certain personal information or targeted advertising, as well as the right to opt-out of certain sales of personal information, and provides for civil penalties for violations and a private right of action for data breaches. Amended regulations have also addressed the use of personal information with respect to AI technologies. This has prompted similar laws in a number of jurisdictions, including approximately 20 other states. - International regulations, such as the European Union's GDPR, which imposes robust obligations, heavy documentation requirements and potential administrative fines of up to the greater of €20 million or 4% of total global turnover for non-compliance, in addition to potential civil litigation claims. Several other countries have followed suit with similar requirements, such as India's Digital Personal Data Protection Act, which began a phased implementation date starting in November 2025, as well as around 140 to 160 countries and jurisdictions around the globe with comprehensive data protection laws. - An increasing focus by legislators, courts and regulators on the collection, use and sharing of data by websites. This includes comprehensive U.S. state privacy laws such as CCPA in California or the CPA in Colorado, which now require enhanced opt-out measures (such as honoring Global Privacy Control and other universal opt-out mechanisms). There are also targeted international laws, such as the European Union's e-Privacy directive, which regulates cookies and other ad-tracking technologies. Finally, there is increased litigation exposure in California, Florida and other states under recent and evolving interpretations of existing wiretapping laws such as the California Invasion of Privacy Act, which have been expanded to include the use of cookies, pixels and third-party ad-tracking technologies, and which carry significant statutory penalties. This results in potential exposure to companies regarding their use of such technologies and their implementation of safeguards such as cookie banners or consent management platforms. - HIPAA, as amended by HITECH, and related state laws regulating business associates, like us, that perform certain services involving the use or disclosure of individually identifiable health information for covered entities. - Self-regulatory standards imposed by privacy advocates and industry groups. The scope and interpretation of these laws are often uncertain, conflicting or inconsistent, and rapidly evolving, which may require us to modify our data collection practices and incur substantial costs. Additionally, our billers, financial institutions or partners may be subject to differing privacy laws, rules and legislation, which may mean that they require us to be bound by varying contractual requirements applicable to certain other jurisdictions. Any actual or perceived failure to comply with these laws, regulations, policies or industry standards could result in governmental investigations, substantial enforcement actions, significant fines and penalties, costly litigation (including class actions) or indemnification exposure, and adverse publicity, which could severely impact our reputation and ability to develop new functionality. If we are unable to comply with these regulations, we may be forced to discontinue certain products or fundamentally change our business activities, which would negatively affect our business and operating results.

We expect to continue expending substantial resources on various initiatives, and the increased costs may fail to generate the expected benefits. These investments include: - Sales and marketing, including expansion of our sales team and initiatives to drive expansion of our IPN and partner ecosystem. - Our technology infrastructure, including systems architecture, scalability, availability, performance and security. - Product development, including investments in our product development team and the development of new products and new functionality for our AI-enabled platform. - Regulatory and legal compliance and risk management to support growth and new product offerings. - Acquisitions or strategic investments. - Expansion into new channels, verticals and international markets. - General administration, including increased legal and accounting expenses as a public company. If our revenue growth is insufficient to offset the expected cost increase, our business, operating results and financial condition will be harmed, and we may not maintain long-term profitability. Specifically, net income and adjusted EBITDA may be adversely impacted by investments in our platform and IPN, increased public company operating costs, integration of future acquisitions, if any, and amortization of related intangible assets. As the number of billers and financial institutions increases and market penetration rates rise, our growth rate may decline over time. This slowdown could negatively affect investor perception and the market price of our Class A common stock. In that scenario, our business performance will rely more heavily on retaining existing revenue and increasing platform adoption by existing billers and financial institutions.

The adoption of our platform by large enterprise billers and financial institutions, in lieu of legacy solutions, in-house technologies or competitor products, is a key factor in our growth and financial performance and involves specific risks, such as longer, unpredictable sales cycles, varying levels of engagement and the need to navigate multilayered approval processes. Our sales efforts require considerable time and expense to evaluate specific organizational needs and sell and educate multiple decision-makers at potential billers and financial institutions about our platform's capabilities and value. Because large enterprises impact more consumers, they involve multiple levels of evaluation, specific requirements and often senior management participation. As a result, sales cycles are long and unpredictable, leading to potential fluctuations in our operating results. Decisions by large organizations are influenced by factors not directly related to our platform features, such as projected business growth, economic uncertainty, capital budgets, anticipated cost savings, preference for internal software, perceptions about our business and platform, more favorable competitor terms, prior technology investments and personnel changes during the sales or implementation phases. Decision-makers may also have vested interests in existing solutions, making a sale more difficult. Large organizations also impose wide-ranging ancillary requirements, such as exhaustive security audits for handling sensitive consumer billing and payment data. Overall, selling to large enterprises requires extensive effort and a significant investment of human resources, expense and time, including from our senior management, with no guarantee of success. If sales efforts do not yield sufficient revenue to justify our investments, our business, operating results and financial condition could be adversely affected.