PROG Holdings (PRG) Risk Analysis

The industries in which our businesses operate are highly and increasingly competitive. For example, Progressive Leasing and Vive face competition from national, regional and local operators of lease-to-own stores, virtual lease-to-own companies, traditional and e-commerce retailers (including many that offer layaway programs and title or installment lending), traditional and online sellers of used merchandise, and various types of consumer finance companies that may enable our customers to shop at traditional or online retailers, as well as with rental stores that do not offer their customers a purchase option. Similarly, Four faces competition from other companies who offer buy now, pay later products, many of whom are larger than Four, in addition to some of the competitors mentioned above. These competitors may have significantly greater financial and operating resources, greater name recognition in certain markets and more developed products and services, which may allow them to grow faster, including through acquisitions, and to offer more aggressive exclusivity, rebate and/or other incentive payments to existing and potential POS partners, some of whom may be our POS partners. This in turn may enable these competitors to enter new markets, which may decrease opportunities for us in those markets. Greater name recognition, or better public perception of a competitor's reputation, may help the competitor divert market share, even in established markets. Some competitors may be willing to offer competing products on an unprofitable basis (or may have looser decisioning standards or be willing to relax their decisioning standards) in an effort to gain market share, which could compel us to match their pricing and/or decisioning strategy or lose business. In addition, some of Progressive Leasing's competitors may be willing to lease certain types of products that we will not agree to lease, enter into customer leases that have services, as opposed to goods, as a significant portion of the lease value, or engage in other practices related to pricing, aggressive rebates and other incentive payments to POS partners, compliance, and other areas that we will not, in an effort to gain market share at our expense. Our business relies heavily on relationships with POS partners. An increase in competition may cause our POS partners to no longer offer our product and services in favor of our competitors, or to offer our product and services and the products of our competitors simultaneously at the same store locations, which may slow growth in our business and limit or reduce profitability. Furthermore, our virtual lease-to-own competitors may deploy different business models, such as direct-to-consumer strategies, that forego reliance on POS partner relationships that may prove to be more successful.

We are constantly striving to improve the user experience for our customers. Some of these changes may have the effect of reducing our short-term revenue or profitability if we believe that the benefits will ultimately improve our financial performance over the long-term. Any short-term reductions in revenue or profitability may be more severe than we anticipate or these decisions may not produce the long-term benefits that we expect, in which case several aspects of our performance may be materially and adversely affected.

In recent years, federal regulatory authorities have increasingly focused on alternative consumer financial services products, including consumer protection within the subprime financial marketplace in which our businesses operate. For example, in April 2020, our Progressive Leasing business entered into a settlement with the FTC (the "FTC Settlement") to resolve allegations by the FTC that certain of Progressive Leasing's advertising and marketing practices violated the FTC Act, even though Progressive Leasing believed it was in compliance with the FTC Act, and thus, did not admit any violations of that act or any other laws. Under the FTC Settlement, Progressive Leasing paid $175 million to the FTC and agreed to enhance certain of its compliance-related activities, including augmenting disclosures to its customers and expanding its POS partner monitoring programs. If federal regulatory authorities continue to focus on alternative consumer financial services products, including within the industries in which our businesses operate, this may result in increased compliance costs and the possibility of significant monetary penalties, remediation expenses and costly changes to the manner in which we conduct our businesses. State regulatory authorities have also been focused on the subprime financial marketplace, including the lease-to-own industry. For example, in August 2022, a complaint was filed by the Pennsylvania Attorney General against the Company's Progressive Leasing business alleging, among other things, that Progressive Leasing had violated the Pennsylvania Rental Purchase Agreement Act by failing to disclose certain terms and conditions of rent-to-own ("RTO") transactions on "hang tags" physically attached to RTO merchandise. Although the Company believed the Pennsylvania Attorney General's claims were without merit, it entered into a settlement with the Pennsylvania Attorney General in January 2024, pursuant to which the Attorney General agreed to release its claims against Progressive Leasing. That settlement was approved by the court where the lawsuit was pending on January 26, 2024. Although no other states have alleged such claims against Progressive Leasing, we expect that certain state regulatory authorities will continue their increased focus on alternative consumer financial services products, and, as a result, businesses transacting with subprime consumers, for example, may be held to higher standards of monitoring, disclosure and reporting, regardless of whether new laws or regulations governing our industry are adopted. This increased attention may significantly increase the compliance costs for our businesses, result in additional fines or monetary penalties or settlements due to future government investigations, and materially and adversely impact the manner in which they operate, which may be materially adverse to several aspects of our performance. In addition, certain aspects of our businesses, such as the content of their advertising and other disclosures to customers about transactions, their respective data collection practices, the manner in which they may contact their customers, the decisioning process regarding whether to enter into a transaction with a potential customer, their credit reporting practices, and the manner in which they process and store certain customer, employee and other information are subject to federal and state laws and regulatory oversight. For example, the California Consumer Privacy Act of 2018 (the "CCPA") gives residents of California expanded rights to access and delete their personal information, opt out of certain personal information sharing, and receive detailed information about how their personal information is used, and also provides for civil penalties for violations and private rights of action for data breaches. In addition, the California Privacy Rights Act ("CPRA"), which became effective on January 1, 2023, significantly modifies the CCPA, including by expanding consumers' rights with respect to certain personal information and creating a new state agency to oversee implementation and enforcement efforts. The CCPA, CPRA, and other applicable state and federal privacy laws now require us to design, implement and maintain different types of privacy-related compliance controls and programs for our businesses simultaneously in multiple states, thereby further increasing the complexity and cost of compliance. In addition, certain states' laws limit the total cost that Progressive Leasing may charge a customer in order for the customer to achieve ownership of the leased merchandise at the end of the lease term. We have incurred and will continue to incur substantial costs to comply with federal, state and local laws and regulations, including rapidly evolving expected consumer protection standards. In addition to compliance costs, we may continue to incur substantial expenses to respond to regulatory and other third-party investigations and enforcement actions, proposed fines and penalties, criminal or civil sanctions, and private litigation, as well as potential "headline risks" that may negatively impact our business and may adversely affect our share price. Consumer complaints with respect to our industry have resulted in, and may in the future result in, state, federal and local regulatory and other investigations. In addition, while we are not aware of any whistleblower claims regarding the specific practices of our businesses, such claims are on the rise generally. We believe these claims will likely continue, in part because of the provisions enacted by the Dodd-Frank Act that provide for cash awards to persons who report alleged wrongdoing to the U.S. Securities and Exchange Commission, and because competitors may use it as a method to weaken their competitors, and others, like former personnel or other constituencies, may use it as means to extract payment or otherwise retaliate. Additionally, as we execute on our strategic plans, we may continue to expand into complementary businesses that engage in financial, consumer credit transactions or lending services, or lease-to-own or rent-to-rent transactions involving products that we do not currently offer our customers, or implement the use of new technologies in our existing businesses and products, such as machine learning and artificial intelligence-based technologies, all of which may be subject to a variety of statutes, laws and regulatory requirements in addition to those regulations currently applicable to our operations, which may impose significant costs, limitations or prohibitions on the manner in which we currently conduct our businesses as well as those we may acquire in the future.

The application of indirect taxes, such as sales tax, continues to be a complex and evolving issue, particularly with respect to the lease-to-own industry generally and our virtual lease-to-own business more specifically. Many of the fundamental statutes and regulations that impose these taxes were established before the growth of the lease-to-own industry and e-commerce and, therefore, in many cases it is not clear how existing statutes apply to our business. In addition, governments are increasingly looking for ways to increase revenues, which has resulted in discussions about tax reform and other legislative action to increase tax revenues, including through indirect taxes. This also may result in other adverse changes in or interpretations of existing sales, income and other tax regulations. For example, from time to time, some taxing authorities in the United States have notified us that they believe we owe them certain taxes imposed on transactions with our customers, including some state tax authorities suggesting that our virtual lease-to-own business may owe certain state taxes based on the locations of POS partners where our lease-to-own transactions are originated. Although these notifications have not resulted in material tax liabilities to date, there is a risk that one or more jurisdictions may be successful in the future, which may have a material adverse effect on several aspects of our performance.

Our businesses collect, store, use, disclose, process and transfer (collectively, "process") a wide variety of information, including personally identifiable information, for various purposes, including to help ensure the integrity of their services and to provide features and functionality to their customers and POS partners. The processing of the information they acquire in connection with their customers' and POS partners' use of their services is subject to numerous privacy, data protection, cybersecurity, and other laws and regulations. The automated nature of their businesses and their reliance on digital technologies may make them an attractive target for, and potentially vulnerable to, cyber-attacks, computer malware, computer viruses, social engineering (including phishing and ransomware attacks), general hacking, physical or electronic break-ins, or similar disruptions. While they and their vendors have taken steps to protect the confidential, proprietary, and sensitive information to which they have access and to prevent data loss, their security measures or those of their vendors could be breached, including as a result of employee theft, exfiltration, misuse or malfeasance, their actions, omissions, or errors, third-party actions, omissions or errors, unintentional events, or deliberate attacks by cyber criminals, any of which may result in the loss of, or unauthorized access to, their or their customers' data, their intellectual property, or other confidential, proprietary, or sensitive business information. Any accidental or willful security breaches or other unauthorized access to their platforms or servicing systems may cause confidential, proprietary, or sensitive information to be stolen and used for criminal or other unauthorized purposes. Security breaches or unauthorized access to confidential information may also expose our businesses to liability related to the loss of the information, time-consuming and expensive litigation and government investigations, enforcement actions and negative publicity. If security measures are breached for any of these reasons, the relationships our businesses have with their customers may be damaged, and significant liability could be incurred. Although we work hard to detect security breaches or instances of unauthorized access to confidential information, there is no guarantee that our monitoring efforts will be effective. The techniques used to obtain unauthorized, improper, or illegal access to our information technology systems are constantly evolving, may be difficult to detect quickly, and may not be recognized until after they have been launched. Unauthorized parties have in the past attempted and may in the future attempt to gain access to our information technology security systems through various means, including, among others, hacking into our or their POS partners' or customers' systems or facilities, or attempting to fraudulently induce employees, POS partners, customers or others into disclosing usernames, passwords, or other sensitive information, which may in turn be used to access systems and gain access to confidential, proprietary, or sensitive information. Such efforts may be state-sponsored and supported by significant financial and technological resources (such as evolving artificial intelligence tools), making them even more difficult to detect and prevent. As a result, there can be no assurance that the protections deployed by us will always be successful. For example, as we have previously disclosed, in September 2023, Progressive Leasing experienced a cybersecurity incident affecting certain of its systems. While there was no major operational impact to any of Progressive Leasing's services as a result of the incident, and our other subsidiaries were not impacted, this incident, as well as any other breach of our systems or facilities, or those of our other businesses, may continue to result in the risks discussed herein. Any actual or perceived failure to comply with legal and regulatory requirements applicable to our businesses, including those relating to information security, or any failure to protect the information that our businesses collect from their customers and POS partners, including personally identifiable information, may result in, among other things, regulatory or governmental investigations, administrative enforcement actions, sanctions, criminal liability, private litigation, civil liability and constraints on our ability to continue to operate. Furthermore, federal and state regulators and many federal and state laws and regulations require notice of any data security breaches that involve personal information. These mandatory disclosures regarding a security breach are costly to implement and often lead to widespread negative publicity, which may cause consumers to lose confidence in the effectiveness of our data security measures. Any security breach suffered by us or our vendors, any unauthorized, accidental, or unlawful access or loss of data, or the perception that any such event has occurred, may result in a disruption to our operations, litigation, an obligation to notify regulators and affected individuals, the triggering of indemnification and other contractual obligations, regulatory investigations, government fines and penalties, reputational damage, and loss of customers and ecosystem partners, and our business may be materially and adversely affected. In addition, we may incur significant costs and operational consequences in connection with investigating, mitigating, remediating, eliminating, and putting in place additional tools and devices designed to prevent future actual or perceived security incidents, as well as in connection with complying with any notification or other obligations resulting from any security incidents. Our insurance policies carry retention and coverage limits, which may not be adequate to reimburse us for losses caused by security breaches, and we may not be able to collect fully, if at all, under these insurance policies. The successful assertion of one or more large claims against us that exceed available insurance coverage, or the occurrence of changes in our insurance policies, including premium increases or the imposition of large deductible or co-insurance requirements, may adversely affect our businesses. Furthermore, we cannot be certain that insurance coverage will continue to be available on acceptable terms or at all, or that the insurer will not deny coverage as to any future claim, including claims related to the cybersecurity incident experienced by Progressive Leasing discussed above. Reduced confidence and participation in our platforms and our data security measures may also adversely affect customers' willingness to perform their obligations under their lease or loan, as the case may be, which could result in reduced collections.

We have taken, and may in the future take, steps to significantly reduce our cost structure in order to drive efficiencies and right-size variable costs, while minimizing the negative impact on growth-related initiatives. For example, in January 2024, we announced the continuation of our prior cost reduction initiatives, including a termination of certain independent sales agent agreements, a reduction in our workforce and office space reduction and consolidation. While we believe these prior cost reduction initiatives have benefited the Company, particularly as they relate to aligning our servicing costs with our expectations regarding GMV and revenue, such initiatives may ultimately prove to be inadequate or have unintended consequences disruptive to our businesses, including those relating to the continued implementation of a global workforce outsourcing strategy for certain of the Company's information technology and customer service functions. We may also be required to undertake additional cost reduction steps, including a further reduction of our workforce, which could also be disruptive to our businesses and potentially lower the anticipated benefits with respect to our future performance, including with respect to GMV and revenue. As a result, we may not be fully successful in realizing the efficiencies we are seeking with respect to our prior cost reduction initiatives or any future cost reduction initiatives, which are subject to many estimates and assumptions and other factors we may not be able to control.

Our businesses maintain business continuity and disaster recovery plans that, as discussed above, are expected to be enhanced in 2025 by migrating a large portion of our enterprise-wide applications to a third-party cloud provider. However, in the event of a disruption in service on their platforms, including a disruption in service from a required vendor to those platforms or as a result of the expected enhancements, the business continuity and disaster recovery plans may not have sufficient capacity to recover all data and services in the event of an outage. For example, they may be unable to process transactions or post payments on their platforms, which could damage their brands and reputations, divert the attention of their employees, reduce our revenue, subject us and them to liability, and cause consumers or merchants to abandon their platforms. In addition, in the event of damage or interruption, our insurance policies may not adequately compensate us for any losses that we incur. The impact of any of these events may have a material and adverse effect on several aspects of our performance.