Paysafe (PSFE) Risk Factors

We are subject to a number of laws, rules, directives, and regulations, as well as requirements imposed on us by contracts with clients, relating to the collection, use, retention, storage, destruction, security, processing, transfer, and sharing of personal information about our customers and employees in the countries where we operate. Our business relies on the processing of data in many jurisdictions and the movement of data across national borders. As a result, much of the personal information that we process, especially financial information, is regulated by multiple privacy laws and, in some cases, the privacy laws of multiple jurisdictions. In many cases, these laws apply not only to third-party transactions, but also to transfers of information between or among us, our subsidiaries, and other parties with which we have commercial relationships. These laws and regulations may at times be conflicting, and the requirements to comply with these regulations could result in a negative impact to our business. Regulatory scrutiny of privacy, data protection, and the collection, use, storage, destruction, security, processing, transfer and sharing of personal information is increasing around the world. There is uncertainty associated with the legal and regulatory environment relating to privacy and data protection laws, which continue to develop in ways we cannot predict, including with respect to evolving technologies such as cloud computing and blockchain technology. Additionally, these laws and regulations may change or be interpreted and applied differently over time and from jurisdiction to jurisdiction, and it is possible they will be interpreted and applied in ways that will materially and adversely affect our business. For example, we are subject to enhanced compliance and operational requirements under the General Data Protection Regulation ("GDPR"), which became effective in May 2018. Since 2016, we have engaged in a large, transformative program regarding data privacy in connection with GDPR compliance requirements. The GDPR applies to companies processing personal data of EU residents, imposes a strict data protection compliance regime with severe penalties for noncompliance of up to the greater of 4% of worldwide annual turnover or €20 million. The penalties for noncompliance with the GDPR could have a material adverse effect on our business, financial condition, results of operations and cash flows. We have incurred and we expect to continue to incur significant expenses to meet the obligations of the GDPR, which have required us to make significant changes to our business operations. Although the GDPR applies across the EU without a need for local implementing legislation, each EU member state has the ability to interpret the GDPR opening clauses, which permit country-specific data protection legislation and which have created inconsistencies, on a country-by-country basis. Brexit and ongoing developments in the UK have created uncertainty with regard to data protection regulation in the UK and could result in the application of new data privacy and protection laws and standards to our operations in the UK, our handling of personal data of users located in the UK, and transfers of personal data between the EU and UK. The UK GDPR, effective as of January 1, 2021, and the UK Data Protection Act of 2018 (as amended on January 1, 2021) and which supplements the UK GDPR, now apply to our processing of personal data in the UK and elsewhere, if the processing is of UK residents. While the UK GDPR broadly mirrors the GDPR, the UK Government has indicated an intention to diverge from some areas of European legislation and following Consultation, a new Bill is now underway with respect to changes to the UK's Data Protection Act 2018. In respect of the transfer of personal data from the EU to the UK under the GDPR, the UK and EU Trade and Cooperation Agreement ("TCA") permitted data transfers from the EU to the UK to continue without restriction for four months post-Brexit (including a potential extension of two months) while the EU considered the UK's application for adequacy of its data protection procedures. Such an adequacy decision by the EU was adopted by the European Commission on June 28, 2021 and permits personal data transfers between the EU and UK without further safeguards in place (such as standard contractual clauses). Active changes in law by the UK government to diverge from GDPR, together with an intention not to follow changes being made within the EU, creates an increasing risk of divergence between the two and the potential loss of the UK's adequacy decision. If the UK was to lose its adequacy decision from the EU, we may be required to implement new processes and put new agreements in place, such as standard contractual clauses, to govern any transfers of personal data from the EU to the UK and any such changes could impact our ability to transfer personal data from the UK to the EU and other third countries. The divergence of the UK's data protection regime from GDPR could therefore lead to the removal of the European Commission adopted adequacy decision for the UK. Additionally, Brexit and the subsequent implementation of the UK GDPR and any divergences therefrom expose us to parallel and differing data protection regimes, each of which potentially authorizes similar significant fines and other potentially divergent enforcement actions for certain violations. Meanwhile, the Court of Justice of the European Union ("CJEU") issued a decision on July 16, 2020 (commonly known as "Schrems II") invalidating the EU-U.S. Privacy Shield Framework, a previously lawful mechanism of transfer for personal data from the EU to the United States. While the Schrems II decision did not invalidate standard contractual clauses, another lawful mechanism for making cross-border transfers, the decision has called their validity into question under certain circumstances, and had made the legality of transferring personal information from the EU to the United States more uncertain, and it may require government cooperation to resolve this issue. The issues and risks arising from the Schrems II decision are applied equally to transfers of personal information from the EU to any country which has not received an adequacy finding by the European Commission. Other jurisdictions could require us to make additional changes to the way we conduct our business and transmit data between the United States, the UK, the EU and the rest of the world. We had seen regulatory enforcement action arising from Schrems II, in particular the decisions of some European member state data protection authorities in prohibiting the transfer of Google Analytics data to the United States, the findings of which could apply to other / all transfers of personal data. The above data transfer risks have currently subsided following implementation of the EU / USA Data Transfer Framework ("DPF"), whereby the European Commission adopted its Adequacy decision for the DPF on the 10th July, 2023. This is a modification of the prior EU / US Privacy Shield and means that personal data can be transferred from the EU to companies which self-certify under the DPF without any other data transfer mechanisms (such as Standard Contractual Clauses or Binding Corporate Rules). Any failure, or perceived failure, by us to comply with our privacy policies, with applicable industry data protection or security standards, with any applicable regulatory requirements or orders, or with privacy, data protection, information security, or consumer protection-related laws and regulations in one or more jurisdictions could result in proceedings or actions against us by data protection authorities, governmental entities or others, including class action privacy litigation in certain jurisdictions, which could subject us to significant awards, fines, sanctions (including prohibitions on the processing of personal information), penalties, judgments, and negative publicity arising from any financial or non-financial damages suffered by any individuals. This could, individually or in the aggregate, materially harm our business. For example, GDPR (and other laws) requires us to delete data when we no longer have an overriding business need to retain such data and to also accept data deletion rights requests. Our systems do not always allow for such data to be deleted and/or to allow the exercise of such rights at all or within the required timeframe. Any failure, or perceived failure, by us to comply with privacy laws could result in proceedings or actions against us by data protection authorities, governmental entities or others, which could subject us to significant awards, fines, sanctions (including prohibitions on the processing of personal information), penalties, judgments, and negative publicity arising from any financial or non-financial damages suffered by any individuals. Policymakers around the globe are using these GDPR requirements as a reference to adopt new or updated privacy laws that could result in similar or stricter requirements in other jurisdictions. In the United States, the Gramm-Leach-Bliley Act of 1999 (along with its implementing regulations) restricts certain collection, processing, storage, use and disclosure of personal financial information, requires notice to individuals of privacy practices and provides individuals with certain rights to prevent the use and disclosure of certain nonpublic or otherwise legally protected information. These rules also impose requirements for the safeguarding and proper destruction of such information through the issuance of data security standards or guidelines. In addition, there are new state laws in the United States governing the collection and processing of personal information. Since the implementation of the California Consumer Privacy Act of 2018 (the "CCPA"), this has further been amended as below and there are now multiple states with privacy laws enacted including: California, Virginia, Colorado, Utah, and Connecticut. Further, the following states are in the implementation stage for new privacy legislation: Florida, Oregon, Montana, Iowa, Texas, Delaware, New Jersey, Tennessee, and Indiana. In respect of the CCPA, this imposes stringent data privacy and data protection requirements for the personal data of California residents, and provides for government penalties for noncompliance of up to $7,500 per violation, if willful, and provides for a private right of action in the event of a data breach affecting certain un-redacted or non-encrypted personal information of California residents. Implementing regulations for the CCPA were released in August 2020, and on November 3, 2020, California voters approved a new law, the California Privacy Rights Act, which will come into effect on January 1, 2023, applying to personal data collected on or after January 1, 2022. As a result of these constant changes, it is still not certain how the various provisions of the CCPA and the CPRA will be interpreted and enforced. The CPRA expands the rights of consumers and establishes the California Privacy Protection Agency, providing the agency with investigative, enforcement and rule-making powers. The effects of the CCPA are potentially far-reaching, however, and may require us to continue to modify our data processing practices and policies and to incur substantial costs and expenses in an effort to comply. Certain other state laws impose or are in the process of imposing similar privacy obligations, including the recently passed VCDPA, that may be different from those under the CCPA, and, in addition, all 50 states have laws with varying obligations to provide notification of security breaches of personal information to affected individuals, state officers and/or others. The use or generation of biometric data as an aid to fraud prevention is becoming increasingly regulated through a patchwork of laws in both the EU and across the United States, with a number of state laws now requiring consent to such use. For example, Illinois has passed the Biometric Information Privacy Act ("BIPA"), Texas and Washington have passed similar laws, and other states plan to pass similar laws. The application of privacy laws to new technology, particularly in the area of artificial intelligence and machine learning, is not always clear and can pose additional regulatory risk and material harm to our business operations. Increasingly, we are seeing legal developments in respect of AI and which may not always be compatible with privacy laws. Some jurisdictions are also considering requirements for businesses that collect, process and/or store data within their borders ("data localization"), as well as prohibitions on the transfer of data abroad, leading to technological and operational implications. Other jurisdictions are considering adopting sector-specific regulations for the payments industry, including forced data sharing requirements or additional verification requirements that overlap or conflict with, or diverge from, general privacy rules. Failure to comply with these laws, regulations and requirements could result in fines, sanctions or other penalties, which could materially and adversely affect our results of operations, financial condition, and reputation. Collective or class-action litigations relating to data privacy violations are permitted under the GDPR and are beginning to arise in the EU, and are no longer unique to the United States. We may also be exposed to similar lawsuits in the UK with respect to Brexit. Regulation of privacy and data protection and information security often requires monitoring of and changes to our data practices in regard to the collection, use, disclosure, deletion, storage, transfer and/or security of personal information. We have incurred, and may continue to incur, significant expenses to comply with evolving mandatory privacy and security standards and protocols imposed by law, regulation, industry standards, shifting consumer expectations, or contractual obligations. In particular, with laws and regulations, such as the GDPR in the EU, the GDPR in the UK, the Personal Information Protection and Electronic Documents Act ("PIPEDA") in Canada (including its provincial laws), developments in South America, and the CCPA, CPRA, VCDPA and BIPA in the United States, imposing new and relatively burdensome obligations, and with substantial uncertainty over the interpretation and application of these and other laws and regulations, we may face challenges in addressing their requirements and making necessary changes to our policies and practices, and may incur significant costs and expenses in an effort to do so. New requirements or reinterpretations of existing requirements in these areas, or the development of new regulatory schemes related to the digital economy in general, may also increase our costs and could impact the products and services we offer and other aspects of our business, such as fraud monitoring, the development of information-based products and solutions and technology operations. We may not be able to respond quickly or effectively to regulatory, legislative, and other developments, and these changes may in turn impair our ability to offer our existing or planned features, products, and services and/or increase our cost of doing business. Any of these developments could materially and adversely affect our overall business and results of operations. In addition, fraudulent activity could encourage regulatory intervention, which could damage our reputation and reduce the use and acceptance of our integrated products and services or increase our compliance costs. Criminals are using increasingly sophisticated methods to capture consumer account information to engage in illegal activities such as counterfeiting or other fraud, including creating fake Paysafe websites or using stolen credentials from the dark web to attack customer accounts, where such customers are using the same credentials across multiple sites or accounts. While we are taking measures we believe will make payments more secure, increased fraud levels involving our products and services, or misconduct or negligence by third parties servicing our products and services, could lead to regulatory intervention, such as enhanced security requirements, as well as damage to our reputation.

Our information technology ("IT") security systems, software and networks and those of the customers and third parties with whom we interact may be vulnerable to unauthorized access (from the Internet, from within or by third parties), computer viruses or other malicious code, denial of service or other cybersecurity threats, which could result in the unauthorized access, loss, theft, changes to, unavailability, destruction or disclosure of confidential, proprietary, financial or personal information relating to merchants, customers and employees. Such unauthorized access, loss, theft, changes to, unavailability, destruction or disclosure of confidential, proprietary, financial or personal information could result in identity theft, misuse of pin codes, the loss of card payment details that are stored on our system, and/or the loss of funds stored in customers' wallets and prepaid cards and other monetary loss or have other material impacts on our business. We, like other financial technology organizations, as well as our customers and third parties with whom we interact, are routinely subject to cybersecurity threats and our and their technologies, IT systems and networks have been victims of cyberattacks in the past. Information security risks for payment and technology companies such as ours have significantly increased in recent years and in particular with remote work driven by the pandemic, in part because of the proliferation of new technologies, the use of the internet and telecommunications technologies to conduct financial transactions, and the increased sophistication and activities of organized crime, hackers, terrorists and other external parties. Geopolitical events and resulting government activity could also lead to information security threats and attacks by affected jurisdictions and their sympathizers. We are responsible for data security for ourselves and for third parties with whom we partner, including with respect to complying with rules and regulations established by the payment networks and card networks. These third parties include merchants, our distribution partners, our third-party payment processors and other third-party service providers and agents. We and other third parties collect, process, store and/or transmit personal information, such as names, contact details, addresses, social security numbers, credit or debit card numbers, expiration dates, driver's license numbers, bank account numbers and bank routing information as well as certain information gathered during our Know Your Customer ("KYC") procedures. We have ultimate liability to the payment networks and our partner banks for our failure or the failure of third parties with whom we contract to protect this data in accordance with payment network requirements. The loss, destruction or unauthorized modification of merchant or consumer data by us or our contracted third parties could result in significant fines, sanctions, proceedings or actions against us by governmental bodies, regulatory and supervisory bodies, the payment networks, consumers, merchants or others, and could harm our business and reputation. In addition, a breach or other cybersecurity incident at a third party with whom we interact has in the past, and could in the future, result in our inability to safeguard our customers' information and funds. Certain products particular to our eCash Solutions division are identified by unique PIN codes assigned to them at the point of sale, and when a customer uses the voucher on a merchant website. These active voucher PINs are stored in our systems. Due to the anonymous nature of these PINs, a theft and subsequent fraudulent utilization of PINs (either due to third-party hacking or due to internal fraud by an employee) could result in the original voucher holder's inability to use his or her vouchers. While customer verification and fraud management procedures are in place to mitigate this risk, we would honor the payment by the original voucher holder from our own funds and therefore incur a loss. Our Digital Wallet business, on the other hand, could suffer from a loss of funds if a third-party hacker or an employee is successful in taking over one of our customer's accounts as well as suffer the costs of any subsequent reimbursement to customers. Additionally, loss of payment card information could also lead us to incur card re-issuing costs, which depending on the size of the data breach could be significant. Significant losses incurred as a result of such activity would have a material adverse effect on our results of operations and, depending on the nature of such fraudulent attacks, we may be required to notify relevant regulators and other authorities such as law enforcement. Any adverse publicity as a result of such theft and fraudulent utilization could adversely affect our reputation and the demand for our products. Despite various mitigation efforts that we undertake, there can be no assurance that we and our third party partners will be immune to these risks and not suffer material security incidents and resulting losses in the future, or that our insurance coverage would be sufficient to cover the related financial losses over and above the excess of the insurance policy. The techniques used to obtain unauthorized,improper, or illegal access to our systems, our data (including our confidential business information and intellectual property rights) or our customers' data (including our merchants and consumers), to disable or degrade our services, demand ransom or to sabotage our systems are constantly evolving and have become increasingly complex and sophisticated. These techniques may be difficult to detect quickly, and may not be recognized or detected until after they have been launched against a target. Threats to our IT systems and our associated third parties' IT systems may result from human error, fraud or malice on the part of employees or third parties, including state-sponsored organizations with significant financial and technological resources, organized crime groups or from accidental technological failure. For example, certain of our employees require access to sensitive data that could be used to commit identity theft or fraud. While we have internal controls in place surrounding system access and segregation of duties, if unauthorized individuals gain access to this data, the risk of malfeasance is heightened. Concerns about security increase when we transmit information electronically, even though we encrypt certain communications and data to reduce this risk, because such transmissions can be subject to attack, interception or loss. Also, computer viruses can be distributed and spread rapidly over the internet and could infiltrate our systems or those of our contracted third parties. Denial of service, ransomware, or other attacks could be launched against us for a variety of purposes, including interfering with our services or to create a diversion for other malicious activities. These or similar types of actions and attacks could disrupt our delivery of services or make them unavailable. As cybersecurity threats continue to evolve, we may be required to expend significant additional resources to continue to modify or enhance our protective measures or to investigate and remediate any information security vulnerabilities. Any of the risks described above could materially adversely affect our overall business, financial condition and results of operations. We and our third party partners have experienced and will likely continue to regularly experience denial-of-service and other cyberattacks and security events. In such circumstances, our data encryption practices and other protective measures have not always prevented and in the future may not prevent, as applicable, unauthorized access service disruption or system sabotage. Regardless of whether an actual or perceived breach is attributable to our products, such a breach could, among other things: - interrupt our operations;- result in our systems or services being unavailable;- result in improper disclosure of data;- result in a demand for a ransom payment;- materially harm our reputation and brands;- result in significant regulatory scrutiny, including enforcement action such as fines, and legal and financial exposure,- cause us to incur significant remediation costs;- lead to loss of customer confidence in, or decreased use of, our products and services;- divert the attention of management from the operation of our business;- result in significant compensation or contractual penalties from us to our customers and their business partners as a result of losses to them or claims by them; and - adversely affect our business and results of operations. In addition, a significant cybersecurity breach of our systems or communications could result in payment networks prohibiting us from processing transactions on their networks or the loss of our sponsor banks that facilitate our participation in the payment networks, either of which could materially impede our ability to conduct our business. We may also be subject to liability for claims relating to misuse of personal information, such as unauthorized marketing, or violation of data privacy laws. In addition, our agreements with our sponsor banks and our third-party payment processors (as well as payment network requirements) require us to take certain protective measures to ensure the confidentiality of merchant and consumer data. Any failure to adequately comply with these protective measures could result in fees, penalties, litigation or termination of our sponsor bank agreements. Although we generally require that our agreements with distribution partners or our service providers who may have access to merchant or consumer data include confidentiality obligations that restrict these parties from using or disclosing any merchant or consumer data except as necessary to perform their services under the applicable agreements, we cannot guarantee that these contractual measures will be followed or will be adequate to prevent the unauthorized access, use, modification, destruction or disclosure of data or allow us to seek damages from the contracted party. In addition, many of our merchants are small and medium businesses that may have fewer resources dedicated to data security and may thus experience data breaches. Any unauthorized use, modification, destruction or disclosure of data could result in protracted and costly litigation, and cause us to incur significant losses.

The global payments industry is highly competitive, rapidly changing, very innovative, and increasingly subject to regulatory scrutiny. We compete against a wide range of businesses, including businesses that are larger than we are with substantially greater financial and other resources than we have, have a more dominant and secure position, or offer other products and services to consumers and merchants that we do not offer, as well as smaller companies that may be able to respond more quickly to regulatory and technological changes. These competitors may act on business opportunities within our specialized industry verticals, which may reduce our ability to maintain or increase our market share. In addition, the services of our various competitors are differentiated by features and functionalities such as brand recognition, customer service, trust and reliability, distribution network and channel options, convenience, price, speed, variety of payment methods, service offerings and innovation. In addition, our competitors may be able to offer more attractive economic terms to our current and prospective clients. If competition requires us to offer more attractive economics by reducing our fees or otherwise modifying our terms in order to maintain market share and continue growing our client base, we will need to aggressively control our costs in order to maintain our profit margins and our revenues may be adversely affected, and our ability to control our costs is limited because we are subject to fixed transaction costs related to payment networks. Competition could also result in a loss of existing clients and greater difficulty in attracting new clients. One or more of these factors could have a material adverse effect on our business, financial condition and results of operations. Furthermore, many of the areas in which we compete evolve rapidly with changing and disruptive technologies, shifting user needs, and frequent introductions of new products and services. Competition may also intensify as businesses enter into business combinations and alliances, and established companies in other segments expand to become competitive with different aspects of our business. If we cannot compete effectively, the demand for our products and services may decline, which would adversely impact our competitive position, business and financial performance.

We operate in the global entertainment verticals, which include: iGaming, travel, streaming/video gaming, retail/hospitality and digital assets. Although this focus distinguishes us from industry peers, it also increases risks inherent in our business and broader industry. For example: - the industries we serve are extensively regulated, and their regulation is evolving and subject to frequent change and uncertain interpretation. As a result of regulatory actions, we have had to exit a market altogether, limit services we provide, or otherwise modify our business in ways that have adversely impacted profitability. We are also exposed to a higher risk of losses resulting from related investigations, regulatory actions and litigation. See "-Regulatory, Legal and Tax Risks-We generate a significant portion of our revenue by processing online payments for merchants and customers engaged in the online gambling and foreign exchange trading sectors";- serving the entertainment verticals creates greater operational complexity, including for our compliance, legal and risk functions;- with respect to certain industries (such as iGaming), the laws related to, or the legal status of, such industries vary significantly among the countries in which we operate and, in the U.S., from state to state, further adding operational complexity particularly in compliance and risk mitigation;- we may have difficulty obtaining or maintaining relationships with merchants and third-party service providers for our business, such as banks and payment card networks, including as a result of their assessment and appetite for the compliance,cost, government regulation, risk of consumer fraud or public pressure that can be associated with some of the industries that we operate in. For example, merchants may compel us to change our operations or add bespoke or enhanced internal controls in order to do business with them; and - from time to time, the industries we serve (and we by association) are the subject of negative publicity, which can harm our reputation if we are viewed as associated to the industry vertical. In addition, any negative publicity could deter future consumers and merchants from adopting our products and services and influence our third-party service providers' assessment of our business. The enhanced risks resulting from our core focus can materialize suddenly and without warning, which may result in increased volatility in our results of operations compared with other companies in our industry that do not provide services to companies in the entertainment verticals, and could result in a material adverse effect on our business, financial condition, results of operations and future prospects.

We believe that maintaining, protecting and enhancing our strong and trusted brand is critical to achieving widespread acceptance of our products and services and expanding our base of customers. Maintaining and promoting our brand will depend largely on our ability to continue to provide useful, reliable, secure, and innovative products and services, as well as our ability to maintain trust and be a technology leader. We may introduce, or make changes to, features, products, services, privacy practices, or terms of service that customers do not like, which may materially and adversely affect our brand. Our brand promotion activities may not generate customer awareness or increase revenue, and even if they do, any increase in revenue may not offset the expenses we incur in building our brand. The introduction and promotion of new products and services, as well as the promotion of existing products and services, may be partly dependent on our visibility on third-party advertising platforms, such as Google, Twitter, or Facebook. Changes in the way these platforms operate or changes in their advertising prices, data use practices or other terms could make the maintenance and promotion of our products and services and our brand more expensive or more difficult. If we fail to successfully promote and maintain our brand or if we incur excessive expenses in this effort, our business could be materially and adversely affected. Harm to our brand can arise from many sources, including failure by us or our partners and service providers to satisfy expectations of service and quality, inadequate protection or misuse of sensitive information, failure to meet applicable legal and regulatory requirements, including compliance failures and allegations, litigation and other claims, employee misconduct, fraud, fictitious transactions, bad transactions, negative customer experiences, and misconduct by our partners, service providers, or other counterparties. We have also been in the past, and may in the future be, the target of incomplete, inaccurate, and misleading or false statements about our Company, our business, and our products and services that could damage our brand and deter consumers and merchants from adopting our products and services. From time to time, the industry verticals we serve (and we, by association) are the subject of negative publicity, which can harm our brand and deter consumers and merchants from adopting our products and services. See "-Our focus on the global entertainment verticals can increase our risks relative to other companies in our industry." Any negative publicity about our industry or our company, the quality and reliability of our products and services, our risk management processes, changes to our products and services, our ability to effectively manage and resolve customer complaints, our privacy, data protection, and information security practices, litigation, regulatory activity, policy positions, and the experience of our customers with our products or services could adversely affect our reputation and the confidence in and use of our products and services. If we do not successfully maintain a strong and trusted brand, our business could be materially and adversely affected. In addition, the registered or unregistered trademarks or trade names that we own may be challenged, infringed, declared generic, or determined to be infringing on or dilutive of other marks. We may not be able to protect our rights in these trademarks and trade names, which we need in order to build name recognition with potential customers. Moreover, third parties may use, or file for registration of trademarks similar or identical to our trademarks; if they succeed in registering or otherwise developing common law rights in such trademarks, and if we are not successful in challenging such third-party's use of such trademarks, our own trademarks may no longer be useful to develop brand recognition of our technologies, products or services. Furthermore, there could be potential trade name or trademark infringement claims brought by owners of other trademarks, including trademarks that incorporate variations of our registered or unregistered trademarks or trade names. If we are unable to establish name recognition based on our trademarks and trade names, we may not be able to compete effectively, which could have a material adverse effect on our competitive position, business, financial condition, results of operations, and prospects.

Our operations and performance depend significantly on global and regional economic conditions. Uncertainty about global and regional economic events and conditions may impact our ability to conduct business in certain areas and may result in consumers and businesses postponing or lowering spending in response to, among other factors: - tighter credit;- inflation;- supply chain issues;- financial market volatility;- fluctuations in foreign currency exchange rates and interest rates;- changes and uncertainties related to government fiscal and tax policies, U.S. and international trade relationships, agreements, policies, treaties and restrictive actions, including increased duties, tariffs, or other restrictive actions;- geopolitical events in countries we operate or have offices, including natural disasters, public health issues, pandemics, changes in political conditions, acts of war and terrorism, including the military hostilities commenced in Ukraine (operations in Russia, Ukraine and Israel represented approximately 1% of revenues for the year ended December 31, 2023);- higher unemployment;- consumer debt levels or reduced consumer confidence;- complying with all applicable restrictions and sanctions that may impact our operations, including complying with any applicable sanctions imposed on Russia;- government austerity programs; and - other negative financial news, macroeconomic developments or pandemics. In addition, many of our merchants are small businesses and these businesses may be disproportionately adversely affected by economic downturns or conditions and may fail at a higher rate than larger or more established businesses. If spending by their customers declines, or if customer behavior is otherwise adversely impacted by rising inflation, these businesses would experience reduced sales and process fewer payments with us or, if they cease to operate, stop using our products and services altogether. Small businesses frequently have limited budgets and limited access to capital, and they may choose to allocate their spending to items other than our financial or marketing services, especially in times of economic uncertainty or in recessions. These and other global and regional economic events and conditions could have a material adverse impact on the demand for our products and services. Furthermore, any financial turmoil affecting the banking system or financial markets could cause additional consolidation of the financial services industry, significant financial service institution failures, new or incremental tightening in the credit markets, low liquidity, and extreme volatility or distress in the fixed income, credit, currency, and equity markets, which could have a material adverse impact on our results of operations, financial condition and future prospects.

We have extensive international operations and our customers are resident in over 120 countries and territories. There are risks inherent in doing business internationally on both a domestic (i.e., in-country) and cross-border basis, including, but not limited to: - foreign currency and cross-border trade risks;- risks related to government regulation or required compliance with local laws;- local licensing and reporting obligations;- obligations to comply with local regulatory and legal obligations related to privacy, data security and data localization;- expenses associated with localizing our products and services, including offering customers the ability to transact business in the local currency, and adapting our products and services to local preferences (e.g., payment methods) with which we may have limited or no experience;- trade barriers and changes in trade regulations;- difficulties in developing, staffing, and simultaneously managing a large number of varying foreign operations as a result of distance, language and cultural differences;- stringent local labor laws and regulations;- credit risk and higher levels of payment fraud;- profit repatriation restrictions, foreign currency exchange restrictions or extreme fluctuations in foreign currency exchange rates for a particular currency;- political or social unrest, economic instability, repression or human rights issues;- geopolitical events, including natural disasters, public health issues, pandemics, acts of war and terrorism;- import or export regulations;- compliance with UK, Irish, U.S. and other international laws prohibiting corrupt payments to government officials, such as the U.S. Foreign Corrupt Practices Act, the UK Bribery Act, the Irish Criminal Justice (Corruption Offences) Act 2018 and other local anticorruption laws;- compliance with UK, Irish, U.S. and other international laws and associated regulations designed to combat money laundering and the financing of terrorist activities;- antitrust and competition regulations;- potentially adverse tax developments and consequences;- economic uncertainties relating to sovereign and other debt;- national or regional differences in macroeconomic growth rates;- different, uncertain, overlapping, or more stringent user protection, data protection, privacy and other laws and regulations; and - increased difficulties in collecting accounts receivable. Violations of the complex UK, Irish, U.S. and other international laws, rules and regulations that apply to our international operations may result in fines, criminal actions, or sanctions against us, our officers, or our employees; prohibitions on the conduct of our business; and damage to our reputation. Although we have implemented policies and procedures designed to promote compliance with these laws, there can be no assurance that our employees, contractors, or agents will not violate our policies. These risks are inherent in our international operations and expansion, may increase our costs of doing business internationally, and could harm our business.

As we operate across multiple jurisdictions and currencies, changes in currency exchange rates could lead to adverse impacts on our financial assets and liability, and in particular on our external debt and intercompany transactions. A deterioration in reported earnings as a result of currency exchange rate fluctuations could lead to a covenant breach and result in an event of default in our agreements relating to our outstanding indebtedness which, if not cured or waived, could result in our being required to repay these borrowings before their due date. If we are forced to refinance these borrowings on less favorable terms or are unable to refinance these borrowings, our results of operations and financial condition could be adversely affected.

We depend upon the continued services and performance of our directors and key senior management. Our directors and key senior management play a key role in maintaining our culture and in setting our strategic direction. The unexpected departure or loss of one or more of our directors or key senior management team members could harm our ability to maintain and grow our business, and there can be no assurance we will be able to attract or retain suitable replacements for such directors and/or key management in a timely manner, or at all. We also may incur significant additional costs in recruiting and retaining suitable replacements and avoiding disruption in integrating them into our business. In addition, our operations and the execution of our business plan depend on our ability to attract, train and retain suitably skilled or qualified personnel with relevant industry and operational experience and to ensure that we have a robust succession planning system in place. In order for us to expand our operations in the future we will need to recruit and retain further personnel with suitable experience, qualifications and skill sets capable of advancing our business. Additionally, we are in the process of incorporating more automation and re-engineering processes in our business, and uncertainty related to this transformation may affect our ability to retain our employees. Depending on the geographical area, there can be substantial competition for suitably skilled or qualified personnel with relevant industry and operational experience and there can be no assurance that we will be able to attract or retain our personnel on similar terms to those on which we currently engage our employees, or at all. We see this risk in particular in our Digital Wallet operations center in Sofia, Bulgaria, where we have found it can be more difficult to identify qualified local talent from which to staff our operations. If we are unable to attract or retain suitably skilled or qualified personnel then this could have a material adverse effect on our results of operations, financial condition and future prospects.

We rely on third parties in many aspects of our business, including the following: - payment processing services from various service providers in order to allow us to process payments for merchants and customers and to properly code such transactions;- payment networks;- connectivity, routing and payment orchestration providers;- banks;- payment processors;- payment gateways that link us to the payment card and bank clearing networks to process transactions;- third parties that provide certain outsourced customer support functions, which are critical to our operations;- third parties that provide KYC information and services (for example, through our embedded financing offering we offer an integrated digital wallet solution to third parties, which may result in certain KYC services being outsourced to third parties); and - third parties that provide IT-related services including data center facilities and cloud computing and compliance and risk functions. This reliance exposes us to increased operational risk. These third parties may be subject to financial, legal, regulatory and labor issues, cybersecurity incidents, privacy breaches, service terminations, disruptions or interruptions, or other problems, including reputational problems, which may impose additional costs or requirements on us or prevent these third parties from providing services to us or our customers on our behalf, or result in loss of funds to us or our customers, which could have a material adverse effect on our results of operations, financial condition and future prospects. The EU and the UK have requirements in relation to outsourcing arrangements that are applicable to certain aspects of our businesses. These requirements set out strict standards to follow when outsourcing critical or important functions that have a strong impact on a financial institution's risk profile or on its internal control framework. Such outsourcing arrangements require the prior approval of the relevant regulatory bodies. Furthermore, any changes to our existing critical and important outsourced functions may be subject to regulatory approvals which, if not satisfied or obtained, may prevent us from initiating the change. Although we have implemented processes to ensure compliance with the required standards, a failure to meet these requirements could lead to regulatory challenge and require remediation and/or fines or penalties if we are found to be in noncompliance with the relevant regulation. In addition, these third parties may breach their agreements with us, disagree with our interpretation of contract terms or applicable laws and regulations, refuse to continue or renew these agreements on commercially reasonable terms or at all, fail or refuse to process transactions or provide other services adequately, take actions that degrade the functionality of our services, impose additional costs or requirements on us or our customers, or give preferential treatment to competitive services. Some of these third party service providers are, or may become, owned by our competitors. There can be no assurance that third parties who provide services directly to us or our customers on our behalf will continue to do so on acceptable terms, or at all. If any third parties do not adequately or appropriately provide their services or perform their responsibilities to us or our customers on our behalf, we may be unable to procure alternatives from other third parties in a timely and efficient manner and on acceptable terms, or at all, and we may be subject to business disruptions, losses or costs to remediate any of the deficiencies, customer dissatisfaction, reputational damage, legal or regulatory proceedings, or other adverse consequences, any of which could have a material adverse effect on our results of operations, financial condition and future prospects.