Pra Group (PRAA) Risk Analysis

Our debt collection activities and business practices are subject to review by various governmental authorities and regulators, including the CFPB, which may commence investigations, reviews or enforcement actions targeted at businesses in the financial services industry. These investigations or reviews may involve individual consumer complaints or our debt collection policies and practices generally. Such investigations or reviews could lead to assertions by governmental authorities that we are not complying with applicable laws or regulations. In such circumstances, authorities may request or seek to impose a range of remedies that could involve potential compensatory or punitive damage claims, fines, restitution payments, sanctions or injunctive relief, that if agreed to or granted, could require us to make payments or incur other expenditures. The CFPB has the authority to obtain cease and desist orders (which can include orders for restitution or rescission of contracts, as well as other kinds of affirmative relief), recover costs, and impose monetary penalties (ranging from $5,000 per day to over $1.0 million per day, depending on the nature and gravity of the violation). In addition, where a company has violated Title X of the Dodd-Frank Act or CFPB regulations implemented thereunder, the Dodd-Frank Act empowers state attorneys general and other state regulators to bring civil actions to remedy violations under state law. Governmental authorities could also request or seek to require us to cease certain practices or institute new practices. Negative publicity relating to investigations or proceedings brought by governmental authorities could have an adverse impact on our reputation, harm our ability to conduct business with industry participants and result in financial institutions reducing or eliminating sales of nonperforming loan portfolios to us. Moreover, changing or modifying our internal policies or procedures, responding to governmental inquiries and investigations and defending lawsuits or other proceedings could require significant efforts on the part of management and result in increased costs to our business. In addition, such efforts could divert management's full attention from our business operations. All of these factors could have an adverse effect on our business, results of operations and financial condition. The CFPB has issued civil investigative demands ("CIDs") to many companies that it regulates, including PRA Group, and periodically examines practices regarding the collection of consumer debt. In April 2023, Portfolio Recovery Associates, LLC, our wholly owned subsidiary, entered into an order with the CFPB settling a previously disclosed investigation of certain debt collection practices (the "2023 Order"). We are currently executing both our redress plan and our compliance plan as required by the 2023 Order. There can be no assurance we will implement each requirement to the satisfaction of the CFPB or that additional litigation or new industry regulations currently under consideration by the CFPB would not have an adverse effect on our business, results of operations and financial condition. After the recent change in presidential administration, there have been some indications that the regulatory and enforcement activities of the CFPB may change, but the extent to which these or other future developments may impact our business remains uncertain.

We record reserves for uncertain tax positions based on our assessment of the probability of being able to successfully sustain the positions taken. Management may be required to exercise significant judgment when making these assessments, in determining whether a tax liability should be recorded and, if so, estimating the amount. Our tax filings are subject to audit by domestic and international tax authorities. If any tax filing positions are successfully challenged, payments could be required that are in excess of the amounts accrued, or we may be required to reduce the carrying amount of our deferred tax assets, either of which could be significant to our financial condition or results of operations. Although we believe our estimates are reasonable, the ultimate tax outcomes may differ from the amounts recorded in our financial statements and may adversely or beneficially affect our financial results in the period(s) in which such outcomes are determined. While we currently do not expect the implementation of Pillar Two will significantly increase our U.S. and international income taxes, there is a risk that final enactment and implementation throughout our global operations could have a material impact on our effective tax rate and our business, results of operations, financial condition and cash flow.

A variety of jurisdictions in which we operate have laws and regulations concerning privacy, AI, cybersecurity and the protection of personal data, including the EU GDPR, the UK GDPR, the U.S. GLBA, the EU Artificial Intelligence Act, the EU Digital Operational Resilience Act, and the California Consumer Privacy Act of 2018. These laws and regulations create certain privacy rights for individuals and impose prescriptive operational requirements for covered businesses relating to the processing and protection of personal data, the use of AI and may also impose substantial penalties for non-compliance. Laws and regulations relating to privacy, AI, cybersecurity and data protection are rapidly evolving, and any such proposed or new legal frameworks could significantly impact our operations, financial performance and business. The application and enforcement of these evolving legal requirements is uncertain and may require us to further change or update our information practices, and could impose additional compliance costs and regulatory scrutiny. If we fail to effectively implement and maintain data governance structures across our business, or to effectively interpret and utilize such data, our operations could be exposed to additional adverse impacts, and we could be at a competitive disadvantage. In addition, we rely on data provided to us by credit reference agencies and servicing providers. If these agencies and service providers were to stop providing us with data for any reason; for example, due to a change in governmental regulation, there could be a material adverse effect on our business, results of operations and financial condition. We may incur significant costs complying with legal obligations and inquiries, investigations or any other government actions related to privacy, cybersecurity, and data protection. Such legal requirements and government actions also may impede the development of our business, make existing services or businesses unprofitable, increase our operating costs, require substantial management resources, result in adverse publicity and subject us to remedies that harm our business or profitability, including penalties or orders that may change or terminate current business practices. Our insurance policies may be insufficient to insure us against such risks, and future escalations in premiums and deductibles under these policies may render them uneconomical.

Our business is highly dependent on our ability to process and monitor a large number of transactions across markets and in multiple currencies. We rely on IT systems to conduct our business, including IT systems developed and administered by third parties. Many of these IT systems contain sensitive and confidential information, including personal data, our trade secrets and proprietary business information, and information and materials owned by or pertaining to our customers, vendors and business partners. The secure maintenance of this information, and the IT systems on which they reside, is critical to our business strategy and our operations and financial performance. As our reliance on IT systems increases, maintaining the security of such IT systems and our data becomes more challenging. Our IT systems and infrastructure may be vulnerable to computer viruses, cyber-attacks, security breaches caused by employee error or malfeasance, or other disruptions. Although we take a number of steps to protect our IT systems, the attacks that companies have experienced have increased in number, sophistication and complexity in recent years, including threats from the malicious use of AI. Additionally, as we shift more employees to work-from-home arrangements, remote access to our systems has increased significantly, which exposes us to additional cybersecurity risks. As a result of our reliance on IT systems, we may suffer data security incidents or other cybersecurity incidents, which could compromise our IT systems and networks, creating disruptions and exploiting vulnerabilities in our services. Any such breach or other incident could result in the personal data or other confidential or proprietary information stored on our systems and networks, or our vendors' systems and networks, being improperly accessed, acquired or modified, publicly disclosed, lost, or stolen, which could subject us to liability to our customers, vendors, business partners and others. We seek to detect and investigate such incidents and to prevent their occurrence where practicable through preventive and remedial measures, but such measures may not be successful. Should a cybersecurity incident occur, we may be required to expend significant resources to notify affected parties, modify our protective measures, or investigate and remediate vulnerabilities or other exposures. Additionally, such cybersecurity events could cause reputational damage and subject us to fines, penalties, litigation costs and settlements, and financial losses that may not be fully covered by our cybersecurity insurance. To date, disruptions to our IT systems, due to outages, security breaches or other causes, including cybersecurity incidents, have not had a material impact on our business, results of operations or financial condition.

To improve our operational and labor efficiencies, we have offshored a portion of our collection and related support activities to third-party service providers located in Asia. As a result of offshoring some of these activities, we may experience a loss of continuity, loss of accumulated knowledge and/or inefficiency. We also cannot predict the availability of qualified workers, interruptions in collections or the impact of macroeconomic drivers in the countries we utilize for these activities. There is inherent risk beyond our control, including exposure to political uncertainty and foreign regulatory restrictions. One or more of these factors, or any other factors not yet identified related to our offshoring activities, could result in unexpected increases in operating expenses and make it more difficult for us to manage our costs and operations, which could cause our profitability to decline. Additional risks related to offshoring are further discussed within this section under International Operations Risks.

We rely on third-party service providers to conduct collection and other activities on our behalf through both outsourcing and offshoring arrangements. These third parties include law firms, collection agencies, data providers, tracing service providers, business process outsourcing companies and information technology firms. If our third-party service providers fail to perform their service obligations in a timely manner or at a satisfactory quality level, or fail to handle the case volume assigned, the quality of our services and operations, as well as our reputation could be adversely impacted. Furthermore, we may not be able to find alternative third parties in a timely manner on terms that are acceptable to us, or because of contractual restrictions that limit our flexibility in responding to disruptions from these third parties. If any of these third-party service providers fail to implement proper controls to meet our industry's regulatory requirements, violate laws, do not fulfill their contractual obligations, or act inappropriately in conducting their services on our behalf, our operations and reputation could be negatively impacted and result in regulatory fines and penalties. Our reliance on these third parties to collect, store, process and transmit confidential and sensitive customer and employee data increases our cybersecurity threat profile. A third-party cybersecurity incident could compromise the security, integrity or availability of data, or result in theft, unauthorized access or processing, or disruption of access to data, which could negatively impact our operations. We rely on these third parties to maintain the security of all software code, information technology ("IT") systems and data provided to them and used while providing their services to us. Cybersecurity incidents involving third parties on which we rely, as further discussed below, could negatively affect our reputation, our competitive position and our financial performance, and we could face regulatory scrutiny, investigations, lawsuits and potential liability.

Our business has been sensitive to, and our financial performance is in part dependent on, the general business and economic conditions in the markets in which we operate. Our financial performance may be adversely affected by an economic recession, a significant rise in inflation including sustained high inflation, interest rate uncertainty, and the effects of governmental fiscal and monetary policies in the markets in which we operate. Any prolonged economic downturn or volatility in the financial or credit markets could place financial pressure on and negatively affect the ability of consumers to pay their debts, which could adversely affect collections and the value of our receivable portfolios. In addition, levels of consumer or commercial lending and financing could decline, thus reducing the volume of nonperforming loans available for purchase, which could adversely affect our business and financial results in the markets in which we operate.

We are a global business with operations in 18 countries. In 2024, our international operations represented 46% of our total portfolio income. Managing a global business is complex, and our international operations are subject to additional risks that may not exist in the U.S., or may be more significant compared to the U.S. This could expose us to adverse economic, industry and political conditions that may have a negative impact on our ability to manage our international operations, which could have a negative impact on our business, results of operations and financial condition. The global nature of our operations expands the risks and uncertainties described elsewhere in this section, including the following: - changes in geopolitical conditions and the political, economic, social and labor conditions in the markets in which we operate;- foreign exchange controls on currency conversion and the transfer of funds that might prevent us from repatriating cash earned in countries outside the U.S. in a tax-efficient manner;- currency exchange rate fluctuations, currency restructurings, inflation or deflation and our ability to manage these fluctuations through a foreign exchange risk management program;- different employee/employer relationships, laws and regulations, union recognition and the existence of employment tribunals and works councils;- laws and regulations imposed by international governments, including those governing data security, sharing and transfer;- potentially adverse tax consequences resulting from changes in tax laws in the jurisdictions in which we operate, or challenges to our interpretation and application of complex international tax laws;- logistical, communication and other challenges caused by distance and cultural and language differences, each making it harder to do business in certain jurisdictions;- volatility of global credit markets and the availability of consumer credit and financing in our international markets;- uncertainty as to the enforceability of contract rights under local laws;- the potential of forced nationalization of certain industries, or the impact on creditors' rights, consumer disposable income levels, flexibility and availability of consumer credit and the ability to enforce and collect aged or charged-off debts stemming from international governmental actions, whether through austerity or stimulus measures or initiatives, intended to control or influence macroeconomic factors such as wages, unemployment, national output or consumption, inflation, investment, credit, finance, taxation or other economic drivers;- the potential for widening military conflicts;- the potential damage to our reputation due to non-compliance with international and local laws; and - the complexity and necessity of using non-U.S. representatives, consultants and other third-party vendors. Any one of these factors could adversely affect our business, results of operations, liquidity, cash flow and financial condition.