KE Holdings Inc. Sponsored ADR Class A (BEKE) Risk Factors

Our business generates and processes a large quantity of data. We face risks inherent in handling and protecting a large amount of data that our business generates and processes from the significant number of housing transactions our platform facilitates. In particular, we face a number of challenges relating to data from transactions and other activities on our platform, including: - protecting the data in and hosted on our system, including against attacks on our system by outside parties or fraudulent behavior or improper use by our employees;- addressing concerns related to privacy and sharing, safety, security and other factors; and - complying with applicable laws, rules and regulations relating to the collection, use, storage, transfer, disclosure and security of personal information, including any requests from regulatory and government authorities relating to these data. In general, we expect that data security and data protection compliance will receive greater attention and focus from regulators, both domestically and globally, as well as attract continued or greater public scrutiny and attention going forward, which could increase our compliance costs and subject us to heightened risks and challenges associated with data security and protection. If we are unable to manage these risks, we could become subject to penalties, including fines, suspension of business and revocation of required licenses, and our reputation and results of operations could be materially and adversely affected. We are subject to various cybersecurity and data privacy laws and regulations in China, including without limitation, the PRC Civil Code and the PRC Cybersecurity Law. See "Item 4. Information on the Company-B. Business Overview-Regulation-Regulations Related to Internet Security and Privacy Protection." Moreover, different regulatory bodies in China, including the Ministry of Industry and Information Technology of the PRC, or the MIIT, the CAC, the Ministry of Public Security, the SAMR, and the MOHURD, have enforced data privacy and protections laws and regulations with various standards and applications. The various standards in enforcement of data privacy and protection laws have caused us difficulties in ensuring full compliance and increase our operating cost, as we need to spend time and resources to deal with various inspections for compliance. While we have adopted a rigorous and comprehensive policy for the collection, processing, sharing, disclosure authorization and other aspects of data use and privacy and taken necessary measures to comply with all applicable data privacy and protection laws and regulations, we cannot guarantee the effectiveness of these policies and measures undertaken by us, or by the agents, brokerage brands and stores or other business partners on our platform. Any failure or perceived failure to comply with all applicable data privacy and protection laws and regulations, or any failure or perceived failure of our business partners to do so, or any failure or perceived failure of our employees to comply with our internal control measures, may result in negative publicity and legal proceedings or regulatory actions against us, and could result in fines, revocation of licenses, suspension of relevant operations or other legal or administrative penalties, which may in turn damage our reputation, discourage current and potential agents, housing customers and subject us to fines and damages, which could have a material adverse effect on our business and results of operations. Furthermore, the PRC regulatory and enforcement regime with regard to cybersecurity and data protection is still evolving. PRC regulators have been increasingly focused on regulation in the areas of cybersecurity and data protection. The following are examples of certain recent PRC regulatory activities in this area. Personal Information and Data Privacy On August 20, 2021, the State Council of the PRC promulgated the PRC Personal Information Protection Law, effective from November 1, 2021. The Personal Information Protection Law requires, among others, that (i) the processing of personal information should have a clear and reasonable purpose which should be directly related to the processing purpose, in a method that has the least impact on personal rights and interests, and (ii) the collection of personal information should be limited to the minimum scope necessary to achieve the processing purpose to avoid the excessive collection of personal information. Entities handling personal information shall bear responsibilities for their personal information handling activities, and adopt necessary measures to safeguard the security of the personal information they handle. Otherwise, the entities handling personal information could be ordered to rectify, or suspend or terminate the provision of services, and face confiscation of illegal income, fines or other penalties. See "Item 4. Information on the Company-B. Business Overview-Regulation-Regulations Related to Privacy Protection." The Anti-monopoly Guidelines for the Platform Economy Sector also published by the Anti-monopoly Committee of the State Council of the PRC also prohibits collection of user information through coercive means by online platform operators. Data Security On June 10, 2021, the Standing Committee of the National People's Congress promulgated the PRC Data Security Law, which took effect in September 2021. The Data Security Law, among other things, provides for a security review procedure for the data activities that may affect national security. In addition, on December 28, 2021, the CAC, the NDRC, the MIIT, and several other PRC governmental authorities jointly issued the Cybersecurity Review Measures, which further restate and expand the applicable scope of the cybersecurity review. Pursuant to the Cybersecurity Review Measures, critical information infrastructure operators that procure internet products and services, and network platform operators engaging in data processing activities, must be subject to the cybersecurity review if their activities affect or may affect national security. The Cybersecurity Review Measures further stipulate that network platform operators holding over one million users' personal information shall apply with the Cybersecurity Review Office for a cybersecurity review before listing on a foreign stock exchange. However, given the Cybersecurity Review Measures were recently promulgated, there are substantial uncertainties as to the interpretation, application and enforcement of the Cybersecurity Review Measures. The PRC government authorities have wide discretion in interpretation and implementation of the Cybersecurity Review Measures, including cybersecurity review on certain activities of critical information infrastructure operators and other circumstances that affect or may affect national security. The exact scope of "critical information infrastructure operators" under the current regulatory regime remains unclear and the identification of critical information infrastructure operators is subject to specific identification rules stipulated by relevant industry regulators and the notice from the relevant regulators pursuant to the Regulations on Protection of Critical Information Infrastructure. See "Item 4. Information on the Company-B. Business Overview-Regulation-Regulations Related to Internet Security and Privacy Protection." As of the date of this annual report, no detailed rules or implementation of the Cybersecurity Review Measures or the Regulations on Protection of Critical Information Infrastructure has been issued by any government authorities and we have not been informed as a critical information infrastructure operator by any government authorities. Therefore, it is uncertain whether we would be deemed as a critical information infrastructure operator under PRC law, or be subject to the cybersecurity review. The PRC government authorities may have wide discretion in the interpretation and enforcement of these laws, rules and regulations. We cannot assure you that relevant regulators will not interpret or implement the laws or regulations in ways that negatively affect us. Our different lines of business are subject to evolving data security and protection laws and regulations regulating different businesses, such as the financial services business and internet-related business, which may lead to inconsistency and cause difficulties in compliance. In addition, it is possible that we may become subject to additional or new laws and regulations in this regard, particularly to cybersecurity and protection laws in other jurisdiction if we extend our business outside of the PRC in the future, which may result in additional expenses to us and subject us to potential liability and negative publicity. Furthermore, on November 14, 2021, the CAC published the Administration Regulations on Cyber Data Security (Draft for Comments), which reiterate the circumstances under which data processors shall apply for cybersecurity review. The Administration Regulations on Cyber Data Security (Draft for Comments) also provides that data processors processing important data or going public overseas shall conduct an annual data security assessment by themselves or through a third-party data security service provider and submit assessment report to local agency of the CAC before January 31 of each year. However, it provides no further explanation or interpretation as to how to determine what constitutes "affecting national security", and there remain uncertainties whether we would be subject to the cybersecurity review pursuant to such measures. As of the date of this annual report, there is no schedule as to when it will be enacted. Substantial uncertainties exist with respect to its enactment timetable, final content, interpretation and implementation. It also remains uncertain whether the Cybersecurity Review Measures, the Administration Regulations on Cyber Data Security (Draft for Comments), or any future regulatory changes would impose additional restrictions on companies like us. We cannot predict the impact of the Cybersecurity Review Measures or the draft measures, including the Administration Regulations on Cyber Data Security (Draft for Comments), at this stage, and we will closely monitor and assess any development in the rule-making process. If the the Cybersecurity Review Measures or the enacted versions of the draft measures mandate clearance of cybersecurity review and other specific actions to be completed by China-based companies listed on a U.S. stock exchange, such as us, we face uncertainties as to whether such clearance can be timely obtained, or at all. As of the date of this annual report, there has been no material incident of data or personal information leakage, infringement of data protection and privacy laws and regulations or investigation or other legal proceeding, pending or threatened against us initiated by competent government authorities or third parties, that will materially and adversely affect the business of us. As of the date of this annual report, we have not been involved in any formal investigations on cybersecurity review made by the CAC on such basis. However, if we are not able to comply with the cybersecurity and data privacy requirements in a timely manner, or at all, we may be subject to government enforcement actions and investigations, fines, penalties, suspension of our non-compliant operations, or removal of our app from the relevant application stores, among other sanctions, which could materially and adversely affect our business and results of operations. In general, compliance with the existing PRC laws and regulations, as well as additional laws and regulations that PRC regulatory bodies may enact in the future, related to data security and personal information protection, may be costly and result in additional expenses to us, and subject us to negative publicity, which could harm our reputation and business operations. There are also uncertainties with respect to how such laws and regulations will be implemented and interpreted in practice. In addition, regulatory authorities around the world have adopted or are considering a number of legislative and regulatory proposals concerning data protection. These legislative and regulatory proposals, if adopted, and the uncertain interpretations and application thereof could, in addition to the possibility of fines, result in an order requiring that we change our data practices and policies, which could have an adverse effect on our business and results of operations. The European Union General Data Protection Regulation, or the GDPR, which came into effect on May 25, 2018, includes operational requirements for companies that receive or process personal data of residents of the European Economic Area. The GDPR establishes new requirements applicable to the processing of personal data, affords new data protection rights to individuals and imposes penalties for serious data breaches. Individuals also have a right to compensation under the GDPR for financial or non-financial losses. Although we do not conduct any business in the European Economic Area, in the event that residents of the European Economic Area access our platform and input protected information, we may become subject to provisions of the GDPR.

The housing transactions and services industry in China is rapidly evolving and increasingly competitive. Although we believe no other industry player in China operates under the integrated platform business model similar to ours, we face competition from players in different segments of the housing transactions and services industry. We face competition with other online platform for housing transactions, property listings or traffic. As PRC authorities have proposed and led an initiative of developing a comprehensive nation-wide property database, our housing database might be exposed to fierce competition. We may also face intense competition from other housing transaction companies for their agent networks. For our new home sales business, we also compete with other new home sales channels. In addition to these platforms and companies at the national level, we compete with traditional real estate brokerage stores and brands for real estate agents and housing customers locally. We also compete with companies for other housing related services, such as other providers of home renovation and furnishing services. Increasing competition in the housing transactions and services industry would lead to declining market share and commission rate, make it more difficult for us to retain and attract real estate brokerage brands and agents, business partners and housing customers, or force us to increase irrational sales and marketing expenses, any of which could harm our financial condition and results of operations. We cannot assure you that we will be able to compete successfully against current or future competitors, and competitive pressures may have a material and adverse effect on our business, financial condition and results of operations.

We believe that the recognition and reputation of our brands among real estate agents, customers, real estate developers and the industry in general have significantly contributed to the success of our business. Our ability to maintain, protect and strengthen our brands is critical to our market position. Maintaining and strengthening our brands will likely depend significantly on, among others, our ability to provide high-quality housing transaction services on our platform. We market our brands through efforts such as word-of-mouth marketing, sponsoring events, advertising and marketing through a variety of media. These efforts may not always achieve the desired results. If we fail to maintain a strong brand, our business, results of operations and prospects will be materially and adversely affected. Our reputation and brands may be impacted by various factors, some of which are difficult or impossible to predict, control and costly or impossible to remediate. Negative publicity about us, such as alleged misconduct by our employees, connected agents or other business partners on our platform, inauthentic property listings on our platform, unethical business practices, rumors relating to our business, management, employees, real estate agents on our platform, our shareholders and affiliates, our business partners or our competitors and peers, or negative publicity about other companies that use similar brand names as ours, can harm our reputation, business and results of operations. These allegations, even if factually incorrect or based on isolated incidents, may lead to inquiries, regulatory investigations or legal actions against us. Such actions could substantially damage our reputation and cause us to incur significant costs to defend ourselves. Any negative public perception or publicity regarding our business partners that we cooperate with, or any regulatory inquiries or investigations and lawsuits initiated against them, may also have an adverse impact on our brand and reputation. Moreover, any negative media publicity about the housing transactions and services industry, service quality problems of other players in our industry, including our competitors, or even negative sentiments against China-based listed companies as a group due to fraud or misbehavior of certain bad actors, may also negatively impact our reputation and undermine the trust and credibility of our platform. If we fail to maintain positive reputation, our ability to attract and retain housing customers, real estate agents, business partners and key employees could be harmed.

Short selling is the practice of selling securities that a seller does not own but rather has borrowed from a third party with the intention of buying identical securities back at a later date to return to the lender. The short seller hopes to profit from a decline in the value of the securities between the sale of the borrowed securities and the purchase of the replacement shares, as the short seller expects to pay less in that purchase than it received in the sale. As it is in the short seller's interest for the price of the security to decline, many short sellers publish, or arrange for the publication of, negative opinions regarding relevant issuers and their business prospects in order to create negative market momentum and generate profits for themselves after selling securities short. Public companies listed in the United States that have substantially all of their operations in China have been the subject of short selling. Much of the scrutiny and negative publicity has centered on allegations of a lack of effective internal control over financial reporting resulting in financial and accounting irregularities and mistakes, inadequate corporate governance policies or a lack of adherence thereto and, in many cases, allegations of fraud. As a result, many of these companies are now conducting internal and external investigations into the allegations and, in the interim, are subject to shareholder lawsuits or SEC enforcement actions. On December 16, 2021, Muddy Waters Capital LLC issued a short seller report with allegations against us, or the Muddy Waters Report. On December 17, 2021, we announced that the audit committee of our board of directors commenced an internal review into the key allegations raised in the Muddy Waters Report, or the Internal Review, with the assistance of third-party professional advisors including an international law firm and forensic accounting experts from a Big-Four accounting firm that is not our auditor. On January 28, 2022, we announced that the Internal Review was substantially complete and that based on such Internal Review, the audit committee has concluded that the allegations in the Muddy Waters Report were not substantiated. Based on public records, our company and certain of our directors and officers were named as defendants in a putative securities class action filed in the United States. See "Item 8. Financial Information-A. Consolidated Statements and Other Financial Information-Legal Proceedings" for more information. Any such allegations may be followed by periods of instability in the market price of our ADSs and the corresponding negative publicity. If and when become the subject of any unfavorable allegations, whether such allegations are proven to be true or untrue, we could be forced to expend a significant amount of resources to investigate such allegations or defend ourselves. While we would strongly defend against any such short seller attacks, we may be constrained in the manner in which we can proceed against the relevant short seller by principles of freedom of speech, applicable state law, or issues of commercial confidentiality. Such a situation could be costly and time-consuming and could distract our management from growing our business. Even if such allegations are ultimately proven to be groundless, allegations against us could severely impact our business operations and shareholders' equity, and any investment in our ADSs could be greatly reduced or rendered worthless. With respect to the class action in relation to the allegations in the short seller report, we cannot predict the timing, outcome or consequences of such class action, and there is no basis to conclude at this point whether our defenses will be successful or whether we will be subject to any damages, let alone how much. In the event we do not prevail or we enter into settlement arrangements in the proceeding, we may incur significant expenses, which may materially and adversely affect our financial condition and results of operations.

The PRC government imposes controls on the convertibility of Renminbi into foreign currencies and, in certain cases, the remittance of currency out of China. We receive our revenues primarily in Renminbi. Under our current corporate structure, our Cayman Islands holding company primarily relies on dividend payments from our PRC subsidiaries to fund any cash and financing requirements we may have. Under existing PRC foreign exchange regulations, payments of current account items, including profit distributions, interest payments and trade and service-related foreign exchange transactions, can be made in foreign currencies without prior approval of SAFE by complying with certain procedural requirements. Specifically, under the existing foreign exchange restrictions, without prior approval of SAFE, cash generated from the operations of our PRC subsidiaries in China may be used to pay dividends to our company. However, approval from or registration with appropriate government authorities is required where Renminbi is to be converted into foreign currency and remitted out of China to pay capital expenses such as the repayment of loans denominated in foreign currencies. As a result, we need to obtain SAFE approval to use cash generated from the operations of our PRC subsidiaries and VIEs to pay off their respective debt in a currency other than Renminbi owed to entities outside China, or to make other capital expenditure payments outside China in a currency other than Renminbi. The PRC government may at its discretion restrict access to foreign currencies for current account transactions in the future. If the foreign exchange control system prevents us from obtaining sufficient foreign currencies to satisfy our foreign currency demands, we may not be able to pay dividends in foreign currencies to our shareholders, including holders of our ADSs. Very limited hedging options are available in China to reduce our exposure to exchange rate fluctuations. We selectively use financial instruments to manage the market risks associated with exposure to fluctuations in interest rates and foreign currency rates. While we may decide to enter into further hedging transactions in the future, the availability and effectiveness of these hedges may be limited and we may not be able to adequately hedge our exposure or at all. In addition, our currency exchange losses may be magnified by PRC exchange control regulations that restrict our ability to convert Renminbi into foreign currency. As a result, fluctuations in exchange rates may have a material adverse effect on your investment.