AtlasClear Holdings (ATCH) Risk Factors

Due to shifting economic and political conditions in both the United States or elsewhere, tax policies, laws, or rates may be subject to significant changes in ways that impair our financial results. Various jurisdictions have enacted or are considering digital services taxes, which could lead to inconsistent and potentially overlapping tax regimes. In the United States, the rules dealing with federal, state and local income taxation are constantly under review by persons involved in the legislative process and by the Internal Revenue Service and the United States Treasury Department. Changes to tax laws (which changes may have retroactive application) could adversely affect us. In recent years, many such changes have been made and changes are likely to continue to occur in the future. It cannot be predicted whether, when, in what form, or with what effective dates, new tax laws may be enacted, or regulations and rulings may be promulgated or issued under existing or new tax laws, which could result in an increase in our tax liability or require changes in the manner in which we operates in order to minimize or mitigate any adverse effects of changes in tax law or in the interpretation thereof.

We are or may become subject to data privacy and securities laws and regulations that apply to the collection, transmission, storage, use, processing, destruction, retention and security of personal information. Our current privacy policies and practices are designed to comply with privacy and data protection laws in the United States. These policies and practices inform members how we handle their personal information and, as permitted by law, allow members to change or delete the personal information in their member accounts. The legislative and regulatory landscape for privacy and data protection continues to evolve in the United States, both federally and at the state level, as well as in other jurisdictions worldwide, and these laws and regulations may at times be conflicting. It is possible that these laws may be interpreted and applied in a manner that is inconsistent from one jurisdiction or is inconsistent with our practices, and our efforts to comply with the evolving data protection rules may be unsuccessful. We must devote significant resources to understanding and complying with this changing landscape. Failure to comply with federal, state, provincial and international laws regarding privacy and security of personal information could expose us to penalties under such laws, orders requiring that we change our practices, claims for damages or other liabilities, regulatory investigations and enforcement action (including fines and penalties), litigation, significant costs for remediation, and damage to our reputation and loss of goodwill, any of which could have a material adverse effect on our business, financial condition, results of operations and prospects. Although we endeavor to comply with our published privacy policies and related documentation, and all applicable privacy and security laws and regulations, we may at times fail to do so or may be perceived to have failed to do so. Even if we have not violated these laws and regulations, government investigations into these issues typically require the expenditure of significant resources and generate negative publicity, which could have a material adverse effect on our business, financial condition, results of operations and prospects. Additionally, if we are unable to properly protect the privacy and security of personal information, including sensitive personal information (e.g., financial information), we could be found to have breached our contracts with certain third parties. There are numerous U.S. and Canadian federal, state, and provincial laws and regulations related to the privacy and security of personal information. Determining whether protected information has been handled in compliance with applicable privacy standards and our contractual obligations can be complex and may be subject to changing interpretation. For example, in 2018, California enacted the California Consumer Privacy Act ("CCPA"), which, among other things, requires new disclosures to California consumers and affords such consumers new abilities to opt out of certain sales of information and may restrict the use of cookies and similar technologies for advertising purposes. The CCPA, which became effective on January 1, 2020, was amended on multiple occasions and is the subject of regulations issued by the California Attorney General regarding certain aspects of the law and its application. Moreover, California voters approved the California Privacy Rights Act (the "CPRA") in November 2020. The CPRA significantly modifies the CCPA, creating additional obligations relating to consumer data, with enforcement beginning July 1, 2023. Aspects of the CCPA and CPRA remain unclear, resulting in further uncertainty and potentially requiring us to modify our data practices and policies and to incur substantial additional costs and expenses in an effort to comply. Similar laws have been proposed, and likely will be proposed, in other states and at the federal level, and if passed, such laws may have potentially conflicting requirements that would make compliance challenging. Similar state laws have been passed in Virginia, Colorado, Utah, Connecticut, and New Jersey and other states are expected to follow. If we fail to comply with applicable privacy laws, we could face civil and criminal fines or penalties. Failing to take appropriate steps to keep consumers' personal information secure, or misrepresentations regarding our current privacy practices, can also constitute unfair acts or practices in or affecting commerce and be construed as a violation of Section 5(a) of the Federal Trade Commission Act (the "FTCA"), 15 U.S.C. § 45(a). The Federal Trade Commission ("FTC") expects a company's data security measures to be reasonable and appropriate in light of the sensitivity and volume of consumer information it holds, the size and complexity of our business, and the cost of available tools to improve security and reduce vulnerabilities. The FTC may also bring an action against a company who collects or otherwise processes personal information for any statements it deems misleading or false contained in privacy disclosures to consumers. While we use best efforts to comply with our published privacy policies and related documents, we may at times fail to do so, or may be perceived to have failed to do so. In addition, we may be unsuccessful in achieving compliance if our personnel, partners, or service providers fail to comply with our published privacy policies and related documentation. Such failures can subject us to potential foreign, local, state and federal action if they are found to be deceptive, unfair, or misrepresentative of our actual practices. In addition, state attorneys general are authorized to bring civil actions seeking either injunctions or damages in response to violations that threaten the privacy of state residents. We cannot be sure how these regulations will be interpreted, enforced or applied to our operations. In addition to the risks associated with enforcement activities and potential contractual liabilities, our ongoing efforts to comply with evolving laws and regulations at the federal and state level may be costly and require ongoing modifications to our policies, procedures and systems. Overall, because of the complexity of these laws, the changing obligations and the risk associated with our collection and use of data, we cannot guarantee that we are, or will be, in compliance with all applicable U.S., Canadian, or other international regulations as they are enforced now or as they evolve.

The broker-dealer and clearing firm industries are dominated by a small number of very large broker-dealers and clearing firms and a number of smaller self-clearing firms and clearing firms that clear for small introducing brokers clearing microcap securities transactions. Wilson-Davis continues to compete with larger firms that have greater financial resources, vast customer networks, diverse business lines, household name recognition, large-scale marketing campaigns, and established relationships with regulatory and legislative institutions. Further, the firm's competitors are comparatively less impacted by adverse regulatory actions and rulemaking than Wilson-Davis as a smaller firm, including impacts of net capital and margin calls imposed by NSCC. If Wilson-Davis does provide new products and services, doing so may require substantial expenditures and take considerable time. If Wilson-Davis fails to innovate and deliver products and services quickly enough as compared to its competitors, it might fail to attract and retain customers.

During the six months ended December 31, 2023 and 2022, Wilson-Davis received 10.3% and 15.8% of its revenue, respectively, from securities liquidations of Canadian traded securities for customers of Canaccord Genuity. The termination or material reduction in the securities liquidation for customers of Canaccord Genuity would have a material adverse effect on the revenues and results of operation of Wilson-Davis.

Wilson-Davis' reputation is critical to its ability to attract and retain customers that use Wilson-Davis' brokerage services and current and prospective introducing brokers that use or may use Wilson-Davis' clearing services. The perceived inability of Wilson-Davis or its supervised persons to operate the firm's business efficiently, securely, and in compliance with applicable law may adversely harm its business.

The occurrence of one or more natural disasters, including and not limited to tornadoes, hurricanes, fires, floods and earthquakes, unusual weather conditions, pandemics and endemic outbreaks, terrorist attacks or disruptive political events in certain regions where our facilities are located, or where our third-party contractors' and suppliers' facilities are located, could adversely affect our business. Natural disasters including tornados, hurricanes, floods and earthquakes may damage our facilities and terrorist attacks, actual or threatened acts of war or the escalation of current hostilities, or any other military or trade disruptions could have a material adverse effect on our business, financial condition and results of operations. These events also could cause or act to prolong an economic recession in the United States or abroad.

We rely on sophisticated information technology ("IT") systems and infrastructure to support our business. At the same time, cybersecurity incidents, including deliberate attacks, malware, viruses, ransomware attacks, denial of service attacks, phishing schemes, and other attempts to harm IT systems are prevalent and have increased. Our technologies, systems and networks and those of our vendors, suppliers and other business partners may become the target of cyberattacks or information security breaches that could result in the unauthorized release, gathering, monitoring, misuse, loss or destruction of proprietary and other information, or other disruption of business operations. In addition, certain cyber incidents, such as surveillance or vulnerabilities in widely used open source software, may remain undetected for an extended period. Our systems for protecting against cybersecurity risks may not be sufficient. As the sophistication of cyber incidents continues to evolve, we have been and will likely continue to be required to expend additional resources to continue to modify or enhance our protective measures or to investigate and remediate any vulnerability to cyber incidents. Additionally, any of these systems may be susceptible to outages due to fire, floods, power loss, telecommunications failures, usage errors by employees, computer viruses, cyber-attacks or other security breaches or similar events. The failure of any of our IT systems may cause disruptions in our operations, which could adversely affect our revenues and profitability, and lead to claims related to the disruption of our services from members of the AtlasClear Platform and advertisers. Hackers and data thieves are increasingly sophisticated and operate large-scale and complex automated attacks, which may remain undetected until after they occur. Despite our efforts to protect our information technology networks and systems, payment processing, and information, we may not be able to anticipate or to implement effective preventive and remedial measures against all data security and privacy threats. Our security measures may not be adequate to prevent or detect service interruption, system failure, data loss or theft, or other material adverse consequences. No security solution, strategy, or measures can address all possible security threats. Our applications, systems, networks, software, and physical facilities could have material vulnerabilities, be breached, or personal or confidential information could be otherwise compromised due to employee error or malfeasance, if, for example, third parties attempt to fraudulently induce our personnel or our business members to disclose information or usernames and/or passwords, or otherwise compromise the security of our networks, systems and/or physical facilities. We cannot be certain that we will be able to address any such vulnerabilities, in whole or part, and there may be delays in developing and deploying patches and other remedial measures to adequately address vulnerabilities, and taking such remedial steps could adversely impact or disrupt our operations. We expect similar issues to arise in the future as products and services sold through the AtlasClear Platform are more widely adopted, and as we continue to introduce future products and services. An actual or perceived breach of our security systems or those of our third party service providers may require notification under applicable data privacy regulations or for customer relations or publicity purposes, which could result in reputational harm, costly litigation (including class action litigation), material contract breaches, liability, settlement costs, loss of sales, regulatory scrutiny, actions or investigations, a loss of confidence in our business, systems and payment processing, a diversion of management's time and attention, and significant fines, penalties, assessments, fees, and expenses. Moreover, pursuant to SEC rules, public companies must disclose material cybersecurity incidents on Form 8-K within four business days (subject to a delayed compliance date for smaller reporting companies, of which we are one). In addition, companies must provide cybersecurity risk management disclosures in their annual reports. The costs to respond to a security breach or to mitigate any security vulnerabilities that may be identified could be significant, and our efforts to address these problems may not be successful. These costs include, but are not limited to: retaining the services of cybersecurity providers; complying with requirements of existing and future cybersecurity, data protection and privacy laws and regulations, including the costs of notifying regulatory agencies and impacted individuals; and maintaining redundant networks, data backups, and other damage-mitigation measures. We could be required to fundamentally change our business activities and practices in response to a security breach or related regulatory actions or litigation, which could have an adverse effect on our business. Additionally, most jurisdictions have enacted laws requiring companies to notify individuals, regulatory authorities, and others of security breaches involving certain types of data. Such mandatory disclosures are costly, could lead to negative publicity, may cause our customers to lose confidence in the effectiveness of our security measures, and require us to expend significant capital and other resources to respond to or alleviate problems caused by the actual or perceived security breach. We may not have adequate insurance coverage for handling cyber security incidents or breaches, including fines, judgments, settlements, penalties, costs, attorney fees, and other impacts that arise out of incidents or breaches. If the impacts of a security incident or breach, or the successful assertion of one or more large claims against us that exceeds our available insurance coverage, or results in changes to our insurance policies (including premium increases or the imposition of large deductible or co-insurance requirements), it could harm our business. In addition, we cannot be sure that our existing insurance coverage will continue to be available on acceptable terms or that our insurers will not deny coverage as to all or part of any future claim or loss. Moreover, our privacy risks are likely to increase as we continue to expand, grow our consumer and business member base, and process, store, and transmit increasingly large amounts of personal or sensitive data.