PSQ Holdings (PSQH) Risk Analysis

Credova operates in a highly competitive and dynamic industry with a low barrier to entry, which makes increased competition more likely. Credova's technology platform faces competition from a variety of existing businesses and new market entrants, including competitors with BNPL products and those who enable transactions and commerce via digital payments. New entrants may enter our market at any time, which may disrupt Credova's business and decrease Credova's market share. Credova expects competition to intensify in the future, both as emerging technologies continue to enter the marketplace and as large financial incumbents increasingly seek to innovate the services that they offer to compete with Credova's products. Technological advances and the continued growth of e-commerce activities have increased consumer access to products and services and led to the expansion of competition in digital payment options such as pay-over-time solutions. Credova faces competition in areas such as: flexibility on payment options; duration, simplicity, and transparency of payment terms; reliability and speed in processing applications; underwriting effectiveness; compliance and security; promotional offerings; fees; approval rates; ease-of-use; marketing expertise; service levels; products and services; technological capabilities and integration; customer service; brand and reputation; and consumer and merchant satisfaction. In addition, it may be become more difficult to distinguish Credova's platform, products and services, from those of its competitors. Some of Credova's competitors are substantially larger than Credova, which gives those competitors advantages Credova does not have, such as a more diversified product, a broader consumer and merchant base, the ability to reach more consumers, the ability to cross-sell their products, operational efficiencies, the ability to cross-subsidize their offerings through their other business lines, more versatile technology platforms, the ability to acquire competitors, broad-based local distribution capabilities, and lower-cost funding. Credova's competitors may also have longer operating histories, broader and more extensive consumer and merchant relationships, and greater brand recognition and brand loyalty than Credova. For example, more established companies that possess large, existing consumer and merchant bases, substantial financial resources, and established distribution channels could enter the market. Further, consumers' increased usage of BNPL platforms in recent years may encourage more of such competitors that may be in a better position, due to financial and other resources, to attract merchants and customers to their platforms. Increased competition, particularly for large, well-known merchants, has in the past resulted and likely will in the future result in the need for Credova to alter the pricing it offers to merchants. If Credova is unable to successfully compete, the demand for Credova's platform and products could stagnate or substantially decline, and Credova could fail to retain or grow the number of consumers or merchants using its platform, which would reduce the attractiveness of its platform to other consumers and merchants, and materially and adversely affect Credova's business, results of operations, financial condition, and prospects.

Fundraising volumes may vary significantly based on election cycles, political and social events, campaign timelines and donor behavior. As a result, transaction volume, revenue, and operating results related to PSQ Impact may fluctuate materially from period to period. This volatility can make it difficult to forecast and manage operating expenses and could adversely affect investor perception and the trading price of our securities.

Credova derives a significant portion of its revenue from its relationships with merchant partners and the transactions they process through its platform, and as more merchants are integrated into Credova's network, there are more reasons for consumers to shop with it. Credova's ability to retain and grow its relationships with its merchant partners depends on the willingness of merchants to partner with it. The attractiveness of Credova's platform to merchants depends upon, among other things: the size of Credova's consumer base; Credova's brand and reputation; the amount of merchant fees that Credova charges; Credova's ability to sustain its value proposition to merchants for customer acquisition by demonstrating higher conversion at checkout and increased average order value; the attractiveness to merchants of Credova's technology and data-driven platform; services and products offered by competitors; and Credova's ability to perform under, and maintain, Credova's merchant agreements. Furthermore, having a diversified mix of merchant partners is important to mitigate risk associated with changing consumer spending behavior, economic conditions and other factors that may affect a particular type of merchant or industry. Many of Credova's agreements with Credova's merchant partners are non-exclusive and lack any transaction volume commitments. Accordingly, these merchant partners may have, or may enter into in the future, similar agreements with Credova's competitors, which could adversely affect Credova's ability to drive the level of transaction volume and revenue growth that Credova seeks to achieve or to otherwise satisfy the high expectations of Credova's investors and financial analysts relating to those relationships. While some of Credova's agreements with its merchant partners have provided for a period of exclusivity, those periods may be limited in duration, and Credova may not be able to negotiate extensions of those exclusivity periods on reasonable terms, if at all. If an exclusivity period with a merchant partner lapses, Credova may experience a decrease in gross merchandise volume with the merchant partner, which may adversely impact Credova's results of operations. In addition, Credova's agreements with its merchant partners generally have terms that range from approximately 12 months to 36 months, and Credova's merchants can generally terminate these agreements without cause upon 30 to 90 days' prior written notice. Credova may, therefore, be compelled to renegotiate its agreements with merchant partners from time to time, possibly upon terms significantly less favorable to Credova than the terms included in its existing agreements with those merchant partners.

Our business is sensitive to public perception and trust. Negative publicity or reputational harm could arise from many sources, including actual or perceived service outages, fraud events, data security incidents, regulatory actions, litigation, merchant or consumer disputes, or public attention regarding the categories of merchants and organizations we serve. Reputational harm could result in reduced transaction volume, loss of customers, increased scrutiny from regulators and partners, and difficult attracting employees and commercial partners. Any of these effects could materially adversely affect our business, financial condition and results of operations.

The FinTech and payments industries evolve rapidly, including changes in consumer preferences, payment methods, network rules, fraud patterns, security standards and regulatory requirements. We must continue to develop and enhance our products to remain competitive and to meet changing requirements. If we fail to anticipate or respond effectively to these changes, if product development efforts are delayed or unsuccessful, or if new features do not achieve adoption, our business and results of operations could be materially adversely affected.

We may become subject to legal claims alleging that we have infringed the IP rights of others. To date, we have not fully evaluated the extent to which other parties may bring claims that our technology, including our use of open source software, infringes on the IP rights of others. The availability of damages and royalties and the potential for injunctive relief have increased the costs associated with litigating and settling patent infringement claims. Any claims, whether or not meritorious, could require us to spend significant time, money, and other resources in litigation, pay damages and royalties, develop new IP, modify, design around, or discontinue existing products, services, or features, or acquire licenses to the IP that is the subject of the infringement claims. These licenses, if required, may not be available at all or have acceptable terms. As a result, IP claims against us could have a material adverse effect on our business, prospects, financial condition, operating results and cash flows.

Payments processing requires compliance with security standards and the protection of sensitive cardholder and bank account data. Failure to maintain PCI-DSS compliance or other security requirements can result in assessments, fines, mandated remediation, increased monitoring or loss of processing access. If our security controls, including any tokenization and vaulting functionality, are compromised or perceived to be inadequate, we could face significant costs, contractual liability, regulatory scrutiny and reputational harm.

Products and services sold through the Platform depend on the ability of consumers to access the Platform and the services available on the Platform via the internet. Currently, we rely on services from third-party telecommunications providers in order to provide services to our business owners and their customers. In addition, we depend on ISPs to provide uninterrupted and error-free service through their networks. We exercise little control over these third-party providers, which increases our vulnerability to problems with the services they provide. Furthermore, telecommunications and ISPs have significant market power in the broadband and internet access marketplace, including incumbent telephone companies, cable companies, mobile communications companies and government-owned service providers. Moreover, when internet problems occur, it may be difficult to identify the source of the problem and confirm whether it is due to the acts and omissions of our service providers or another cause. Service disruption or outages, whether caused by our service, the products or services of our third-party service providers, or our business owners or their customers' equipment and systems, may result in loss of market acceptance of the Platform and any necessary repairs or other remedial actions may force us to incur significant costs and expenses. Additionally, laws or regulations that adversely affect the growth, popularity or use of the internet, including changes to laws or regulations impacting internet neutrality, could decrease the demand for our products or offerings, increase our operating costs, require us to alter the manner in which we conduct our business and/or otherwise adversely affect our business. We could experience discriminatory or anti-competitive practices that could impede our growth, cause us to incur additional expense or otherwise negatively affect our business. For example, paid prioritization could enable ISPs to impose higher fees and otherwise adversely impact our business. Internationally, government regulation concerning the internet, and in particular, network neutrality, may be developing or may not exist at all. Within such an environment, without network neutrality regulations, we could experience discriminatory or anti-competitive practices that could impede both our and our business owners' domestic and international growth, increase our costs or adversely affect our business.

Card networks and the ACH network impose extensive rules and standards that govern merchant onboarding, transaction processing, data security, dispute management and prohibited activities. These rules can change, may be interpreted differently over time, and can be enforced through fines, penalties, increased monitoring, or termination of access. If we or our merchants fail to comply with these rules, or if the rules change in ways that increase our costs or limit our ability to serve certain customers, our business, financial condition and results of operations could be materially adversely affected.

From time to time, we may be party to various claims and litigation proceedings. Even when not merited lawsuits and other legal proceedings may divert management's attention, and we may incur significant expenses in pursuing or defending these lawsuits or other legal proceedings. The results of litigation and other legal proceedings are inherently uncertain, and adverse judgments or settlements in some of these legal disputes may result in adverse monetary damages, penalties or injunctive relief against us, which could negatively impact our financial position, cash flows or results of operations. Any claims or litigation, even if fully indemnified or insured, could damage our reputation and make it more difficult to compete effectively or to obtain adequate insurance in the future. Furthermore, while we maintain insurance for certain potential liabilities, our insurance does not cover all types and amounts of potential liabilities and is subject to various exclusions as well as caps on amounts recoverable. Even if we believe a claim is covered by insurance, insurers may dispute our entitlement to recovery for a variety of potential reasons, which may affect the timing and, if the insurers prevail, the amount of our recovery.

We are or may become subject to data privacy and securities laws and regulations that apply to the collection, transmission, storage, use, processing, destruction, retention and security of personal information. The legislative and regulatory landscape for privacy and data protection continues to evolve in the United States, both federally and at the state level, as well as in other jurisdictions worldwide, and these laws and regulations may at times be conflicting. It is possible that these laws may be interpreted and applied in a manner that is inconsistent from one jurisdiction or is inconsistent with our practices, and our efforts to comply with the evolving data protection rules may be unsuccessful. We must devote significant resources to understanding and complying with this changing landscape. Failure to comply with federal, state, provincial and international laws regarding privacy and security of personal information could expose us to penalties under such laws, orders requiring that we change our practices, claims for damages or other liabilities, regulatory investigations and enforcement actions (including fines and penalties), litigation, significant costs for remediation, and damage to our reputation and loss of goodwill, any of which could have a material adverse effect on our business, financial condition, results of operations and prospects. We may at times fail to comply with our published privacy policies and related documentation and applicable privacy and security laws and regulations or may be perceived to have failed to do so. Even if we have not violated these laws and regulations, government investigations into these issues typically require the expenditure of significant resources and generate negative publicity, which could have a material adverse effect on our business, financial condition, results of operations and prospects. Additionally, if we are unable to properly protect the privacy and security of personal information, including sensitive personal information (e.g., financial information), we could be found to have breached our contracts with certain third parties. There are numerous U.S. federal, state, and provincial laws and regulations related to the privacy and security of personal information. Determining whether protected information has been handled in compliance with applicable privacy standards and our contractual obligations can be complex and may be subject to changing interpretation. For example, in 2018, California enacted the CCPA, which, among other things, requires new disclosures to California consumers and affords such consumers new abilities to opt out of certain sales of information and may restrict the use of cookies and similar technologies for advertising purposes. The CCPA, which became effective on January 1, 2020, was amended on multiple occasions and is the subject of regulations issued by the California Attorney General regarding certain aspects of the law and its application. Moreover, California voters approved the CPRA in November 2020. The CPRA significantly modifies the CCPA, creating additional obligations relating to consumer data, with enforcement beginning July 1, 2023. Aspects of the CCPA and CPRA remain unclear, resulting in further uncertainty and potentially requiring us to modify our data practices and policies and to incur substantial additional costs and expenses in an effort to comply. Similar laws have been passed, proposed, and likely will be proposed, in other states and at the federal level, and such laws may have potentially conflicting requirements that would make compliance challenging. If we fail to comply with applicable privacy laws, we could face civil and criminal fines or penalties. Failing to take appropriate steps to keep consumers' personal information secure, or misrepresentations regarding our current privacy practices, can also constitute unfair acts or practices in or affecting commerce and be construed as a violation of Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a). The "FTC expects a company's data security measures to be reasonable and appropriate in light of the sensitivity and volume of consumer information it holds, the size and complexity of our business, and the cost of available tools to improve security and reduce vulnerabilities. The FTC may also bring an action against a company who collects or otherwise processes personal information for any statements it deems misleading or false contained in privacy disclosures to consumers. We may at times fail to comply with our published privacy policies and related documents, or may be perceived to have failed to do so. In addition, we may be unsuccessful in achieving compliance if our personnel, partners, or service providers fail to comply with our published privacy policies and related documentation. Such failures can subject us to potential foreign, local, state and federal action if they are found to be deceptive, unfair, or misrepresentative of our actual practices. In addition, state attorneys general are authorized to bring civil actions seeking either injunctions or damages in response to violations that threaten the privacy of state residents. We cannot be sure how these regulations will be interpreted, enforced or applied to our operations. In addition to the risks associated with enforcement activities and potential contractual liabilities, our ongoing efforts to comply with evolving laws and regulations at the federal and state level may be costly and require ongoing modifications to our policies, procedures and systems. As our business grows, we may also become subject to international privacy laws regulating the collection, transmission, storage, use, processing, destruction, retention and security of personal information. For example, in the European Union, the collection, transmission, storage, use, processing, destruction, retention and security of personal data is governed by the provisions of the General Data Protection Regulation (the "GDPR") in addition to other applicable laws and regulations. The GDPR came into effect in May 2018, repealing and replacing the European Union Data Protection Directive, and imposing revised data privacy and security requirements on companies in relation to the processing of personal data of European Union data subjects. The GDPR, together with national legislation, regulations and guidelines of the European Union Member States governing the collection, transmission, storage, use, processing, destruction, retention and security of personal data, impose strict obligations with respect to, and restrictions on, the collection, use, retention, protection, disclosure, transfer and processing of personal data. The GDPR also imposes strict rules on the transfer of personal data to countries outside the European Union that are not deemed to have protections for personal information, including the United States. The GDPR authorizes fines for certain violations of up to 4% of the total global annual turnover of the preceding financial year or €20 million, whichever is greater. Such fines are in addition to any civil litigation claims by data subjects. Separately, Brexit has led and could in the future lead to legislative and regulatory changes and may increase our compliance costs. Data processing in the United Kingdom is governed by a United Kingdom version of the GDPR (combining the GDPR and the Data Protection Act 2018), exposing us to two parallel regimes, each of which authorizes similar fines and other potentially divergent enforcement actions for certain violations. On June 28, 2021, the European Commission adopted an adequacy decision for the United Kingdom, allowing for the relatively free exchange of personal information between the European Union and the United Kingdom. Other jurisdictions outside the European Union are similarly introducing or enhancing privacy and data security laws, rules and regulations, which could increase our compliance costs and the risks associated with noncompliance. Overall, because of the complexity of these laws, the changing obligations and the risk associated with our collection and use of data, we cannot guarantee that we are, or will be, in compliance with all applicable U.S. or international regulations as they are enforced now or as they evolve.

Our ability to execute our strategy depends on the contributions of key executives and other highly skilled personnel in engineering, product, risk, finance, compliance, operations, and sales. Competition for such personnel is intense, and we may not be able to attract, integrate or retain qualified employees. Changes in leadership or loss of key personnel could disrupt operations, delay product development, weaken relationships with partners and customers, and impair our ability to execute our strategy, any of which could materially adversely affect our business. In June 2025, James Rinn succeeded Brad Searle as Chief Financial Officer. In January 2026, Michael Seifert resigned from his positions of President and Chief Executive Officer and as a member of the board of directors, and Dusty Wunderlich was appointed to the role of Chief Executive Officer and replaced Michael Seifert as Chairman of the board of directors. Also in January 2026, Michael Perkins succeeded Michael Hebert as Chief Operating Officer. If our senior management team fails to work together effectively and to execute our plans and strategies, including as a result of these recent executive transitions, our business, financial condition, and results of operations could be adversely affected.

We are responsible for onboarding and monitoring merchants in accordance with partner and network requirements. If our underwriting, monitoring, or risk controls fail to identify high-risk or non-compliant merchants, we could experience increased chargebacks, fraud, fines and reputational harm. Merchant risk can change over time, including due to changes in business practices, product mix, or financial condition. If we do not effectively monitor these changes, our losses and compliance exposure could increase.