Deluxe (DLX) Risk Analysis

In the payments industry, competition is intense. We compete against numerous financial technology companies, including independent payment processors, credit card processing firms, and treasury management service providers, as well as the in-house capabilities of financial institutions. Remaining cost-competitive requires high transaction volumes, and offering a broad range of services is essential to remaining relevant to customers. Although we are a leading check printer in the U.S., we face significant competition in the check printing portion of the payments industry from another large printer in our traditional financial institution sales channel, direct mail and internet-based sellers of personal and business checks, check printing software vendors, and certain major retailers. Pricing remains competitive in our financial institution sales channel, as these institutions strive to maintain profitability levels despite the decline in check usage. In our Data Solutions segment, our data-driven marketing services compete with a wide array of companies in the data solutions space, including advertising agencies, marketing technology firms, marketing fulfillment providers, data aggregators and brokers, and source data providers. Adapting to new technology is a significant challenge in this business, along with hiring and retaining the right talent. The markets for business forms and promotional products are highly competitive and fragmented. Our current and potential competitors include traditional storefront printing companies, office superstores, wholesale printers, online printing companies, small business product resellers, and providers of custom apparel and gifts. The competitive landscape for online suppliers remains challenging as new businesses continue to enter the market. We cannot guarantee that we will be able to compete effectively against current and future competitors. Our competitors may develop superior products or technologies and may be able to adapt more quickly to new or emerging technologies and changes in customer requirements. Ongoing competition could lead to price reductions, reduced profit margins, and/or loss of customers, all of which would adversely affect our results of operations and cash flows.

We have cultivated a strong and trusted brand that has contributed significantly to our business success. Maintaining and promoting our brand in a cost-effective manner is crucial for achieving widespread acceptance of our products and services, expanding our customer base, and attracting and retaining top talent. Brand recognition and trust are particularly important for the success of our various service offerings due to the high level of competition in these markets. Customer awareness and the perceived value of our brand largely depend on the success of our marketing efforts, our ability to consistently provide useful, reliable, secure, and innovative products and services, and our ability to maintain trust and be seen as a technology leader. If we fail to successfully promote and maintain our brand or if we incur excessive expenses in this effort, our business could be materially and adversely affected. Additionally, adverse publicity, whether justified or not, could harm our business. If our business partners or key employees are the subject of negative news reports or publicity, our reputation may suffer, and our results of operations could be adversely affected. A key component of our brand promotion strategy is building on our relationship of trust with our customers, which we believe can be achieved by providing a high-quality customer experience. We have invested, and will continue to invest, in website development, design and technology, and customer service and production operations. Our ability to provide a high-quality customer experience also depends on external factors, including the reliability and performance of our suppliers, telecommunications providers, and third-party carriers. Our brand value also hinges on our ability to protect and use our customers' data in a manner that meets their expectations. If our brand promotion activities do not achieve the desired outcome or if we fail to provide a high-quality customer experience for any reason, our ability to attract new customers and maintain customer relationships could be adversely affected, which would harm our business and results of operations.

The markets for our products and services are subject to rapid, significant, and disruptive technological changes. These include advancements in payment and internet browser technologies, the use of artificial intelligence and machine learning, and developments in technologies supporting our regulatory and compliance obligations, as well as in-store, digital, mobile, and social commerce. The introduction of competing products and services using new technologies, the evolution of industry standards, or the emergence of more attractive products or services, including the continued digitization of payments, could render some of our products and services less desirable or even obsolete. Our future success depends on our ability to enhance our current products and services and to develop and introduce innovative offerings. The impact of technological changes is magnified by the intense competition we face. To succeed, our technology-based products and services must keep pace with technological advancements and evolving industry standards, address the ever-changing and increasingly sophisticated needs of our customers, and achieve market acceptance. Additionally, we must differentiate our product and service offerings from those of our competitors and from the in-house capabilities of our clients. Failure to develop products and services that adapt to changing demands in a timely manner may lead to the loss of existing customers and hinder our ability to attract new ones. Moreover, we must continue to develop our skills, tools, and capabilities to capitalize on existing and emerging technologies. This requires significant investment, takes considerable time, and ultimately, may not be successful. Any of these risks could harm our business, results of operations, and growth prospects.

Our strategy to safeguard our trademarks, software, and other intellectual property involves a combination of trademark and copyright laws, trade secret and patent protections, as well as confidentiality and license agreements. However, these measures provide only limited protection. Despite our efforts, third parties may still infringe upon or misappropriate our intellectual property, or independently develop products or services that are substantially similar and do not violate our intellectual property rights. Enforcing our intellectual property rights and preventing unauthorized use is both complex and resource-intensive. We may need to dedicate substantial resources to protect our trade secrets and to monitor and enforce our intellectual property rights. If we fail to maintain intellectual property protection or cannot effectively secure or enforce it, we risk losing market share, experiencing reduced revenue, and seeing a decline in brand value. Such outcomes would ultimately harm our business and our ability to compete in the marketplace. FINANCIAL RISKS

In recent years, information security risks have escalated due to several factors, including the proliferation of new technologies, particularly emerging artificial intelligence systems, an increase in remote work arrangements, and the growing sophistication and activities of hackers, terrorists, and activists. We utilize internet-based channels that collect, manage, transmit, and process a wide array of sensitive information. This includes customers' financial account and payment details, proprietary business information, and personally identifiable information of consumers, employees, contractors, suppliers, and other business partners. Additionally, we provide essential services such as merchant services and remittance processing, which are integral to supporting our customers and their business operations. Cybersecurity is a top risk identified by our Enterprise Risk Management (ERM) Committee, as technology-based organizations like ours are particularly vulnerable to targeted attacks aimed at exploiting network and system weaknesses. Further information regarding our ERM Committee can be found in Part I, Item 1C of this report. The secure and uninterrupted operation of our networks and systems, as well as the processing, maintenance, and confidentiality of the sensitive information they contain, is critical to our business operations and strategy. We have implemented a risk-based information/cybersecurity program dedicated to protecting our data and solutions. Our defense-in-depth strategy employs multiple security layers and adheres to the CIA (confidential, integrity, and availability) triad model. Despite these measures, computer systems and networks are inherently vulnerable to unauthorized access. A security breach, whether accidental or intentional, could result in unauthorized access and/or misuse of our information, including personally identifiable information or, in some cases, protected health information. Our security measures could be compromised by third-party actions, computer viruses, accidents, employee or contractor error, or malicious actions by rogue employees. Individuals or third parties may circumvent controls and exploit vulnerabilities, leading to the disclosure or misuse of sensitive business and personal information. We rely on numerous third parties, including vendors, developers, and partners, who are critical to our business and may have access to our customer or employee data. We have established a vendor security program to assess the risk of these partners, and certain third-party relationships are subject to security requirements specified in written contracts. However, we cannot control the actions of our third-party providers, and any cyberattacks or security breaches they experience could adversely affect our ability to service our customers or conduct our business. Techniques used to gain unauthorized access, disable or degrade service, or sabotage computer systems are constantly evolving, often difficult to detect immediately, and are generally not recognized until they are launched against a target. As a result, we may be unable to implement adequate preventive measures. Unauthorized parties may attempt to access our systems or facilities through various means, including hacking, fraud, trickery, or other deceptive methods targeting employees and contractors. Additionally, our customers and employees have been and will continue to be targeted by threat actors using social engineering techniques to obtain confidential information or introduce malware through fraudulent "phishing" emails. To-date, these threats and incidents have not materially impacted our customers, business, or financial results. However, given the increasing threat landscape for all technology businesses, our technologies, systems, and networks are likely to be targeted in future attacks, and we cannot guarantee that future incidents will not be material. Despite our robust cybersecurity systems and processes, there remains a risk that an unauthorized party could bypass our security measures. Such a breach could result in the misappropriation of personal or proprietary information belonging to us, our customers, or our partners. Additionally, it could lead to disruptions in our operations, damage to our computer systems or those of our users, and potentially harm our reputation. Such events could deter clients and consumers from purchasing our products and services and result in the termination of client contracts. Additionally, vulnerabilities affecting large segments of mobile, computer, or server architecture could have widespread impacts. Any of these events would negatively affect our business, financial condition, and results of operations. In the event of a material information security breach, we may need to expend significant management time and financial resources to remedy, protect against, or mitigate the effects of the breach. We may not be able to resolve the situation promptly, or at all. Furthermore, under payment card association rules and our contracts with debit and credit card processors, a breach of payment card information stored by us or our third-party partners could make us liable to the payment card issuing banks for the cost of issuing new cards and other related expenses. We could also lose our ability to accept and process credit and debit card payments, leading to the loss of customers and difficulty attracting new customers. Moreover, we could face time-consuming and costly litigation, government inquiries, and enforcement actions. If we are unsuccessful in defending a claim regarding information security breaches, we may be forced to pay damages, penalties, and fines, and our insurance coverage may not fully compensate us for any losses incurred. Contractual provisions with third parties, including cloud service providers, may limit our ability to recover losses resulting from a security breach by a business partner. Additionally, some of our data, including consumer credit profiles, is highly regulated, which adds another layer of complexity and potential liability in the event of a data breach. International, federal, and state laws and regulations require companies to notify individuals of information security breaches involving their personal data, which would negatively impact our financial results. Mandatory disclosure of an information security breach often leads to widespread negative publicity. Such disclosure could cause our clients and customers to lose confidence in our information security measures. Additionally, general publicity about information security breaches at other companies could create a perception that e-commerce is not secure, reducing traffic to our websites, negatively affecting our financial results, and limiting future business opportunities.

The performance, reliability, and availability of our information technology systems, as well as those of our third-party service providers, is crucial to our reputation and our ability to attract and retain customers. We may face temporary interruptions in our websites, transaction and payment processing systems, network infrastructure, service technologies, printing production facilities, or customer service operations due to various factors such as human error, software issues, security breaches, power outages, telecommunications failures, equipment malfunctions, electrical disruptions, vandalism, natural disasters, terrorism, and other uncontrollable events. Additionally, some of the services we provide to the payments technology market are designed to handle complex transactions and deliver reports at high volumes and speeds. Any failure to provide a secure and effective product, or any performance issue with new products or services or as a result of software or process updates, could lead to significant processing or reporting errors or other losses. We have invested, and will continue to invest, substantial resources to building, maintaining, and improving our technology platforms. Any disruptions, delays, or deficiencies in the design, implementation, or operation of our systems, especially those affecting our operations, could hinder our ability to manage our business effectively. Frequent or persistent interruptions could lead customers to perceive our products and services as unreliable, prompting them to switch to competitors or avoid our offerings. A significant portion of our applications are hosted in a cloud-based environment. Although we maintain redundant systems and backup databases and applications to ensure continuous access to cloud services, interruptions are still possible, and our disaster recovery plans may not cover all scenarios. System failures could disrupt the delivery of products and services, impede our customers' business operations, and result in the loss or corruption of critical data. Besides potentially losing customers, we might incur additional development costs, divert technical and other resources, and face negative publicity and liability claims. If any of our major information technology systems suffer severe damage, disruption, or shutdown, and our disaster recovery and business continuity plans fail to resolve the issue promptly, our results of operations would be adversely affected. Our business interruption insurance may not fully compensate us for any losses incurred. Furthermore, if a system failure or similar event causes damage to our customers or contractual partners, they could seek compensation from us for their losses. Even if such claims are unsuccessful, they would likely be time-consuming and costly to address.

We operate in a rapidly changing technological landscape that demands a diverse set of skills and intellectual capital. To remain competitive and achieve growth, we must recruit, develop, motivate, and retain individuals who possess the necessary expertise across our organization. Additionally, we must cultivate our personnel to support succession plans that ensure continuity despite the inherent unpredictability of human capital. Competition for employees is intense. We have introduced various human capital initiatives, such as employee wellness programs, employee resource groups, and an updated performance management process, to make our company an attractive workplace. However, with the increasing acceptance of remote work, maintaining and enhancing our corporate culture has become more challenging, as has managing the flexible working arrangements employees may seek. Our work environment might not meet the needs or expectations of our employees or could be perceived as less favorable compared to other companies' policies, which could hinder our ability to hire and retain qualified personnel. We cannot guarantee that key personnel, including our executive officers, will remain with the company, or that replacing key employees will not lead to increased labor costs. The inability to retain or attract key personnel could have a significant adverse impact on our business, financial condition, and results of operations.

We have established agreements with third-party providers for information technology services such as telecommunications, network servers, cloud computing, and transaction processing. Additionally, we rely on third parties for services related to our online payment solutions, including financial institutions that provide clearing services for our merchant services settlement activities. We have also outsourced certain functions, including parts of our finance, marketing print fulfillment, and procurement operations. The ability of these service providers to deliver their services could be compromised by numerous factors, including human error, software issues, security breaches, power outages, telecommunications failures, equipment malfunctions, electrical disruptions, vandalism, natural disasters, terrorism, and other uncontrollable events. If one or more of our service providers fails to deliver adequate or timely services, our capacity to provide products and services to our customers could be negatively impacted. While we believe we have taken reasonable measures to safeguard our business through contractual arrangements with our service providers, we cannot entirely eliminate the risk of service disruptions. Any significant interruption could harm our business, damage our brand, and result in the loss of customers. Although we believe that most of these services can be sourced from multiple providers, a failure by one or more of our service providers could cause a substantial disruption in our business while we seek alternative providers. Transitioning to substitute third-party providers could also lead to increased costs. Furthermore, we require that our partners comply with all relevant laws and regulations, including those encompassing anti-corruption, labor conditions, employment practices, safety and health standards, and environmental compliance. Although we have established policies and procedures to oversee these partnerships, the nature of these relationships inherently limits our direct control over their business operations. This limitation can potentially elevate our exposure to financial, legal, reputational, and operational risks.

At times, we face claims, litigation, and other proceedings related to our business activities, including purported class action lawsuits. These legal proceedings may involve various issues such as employment practices, alleged breaches of contractual obligations, assertions of deceptive, unfair, or illegal business practices, violations of consumer protection laws, legacy distributor account protection rights, or environmental matters. Additionally, third parties may bring patent and other intellectual property infringement claims against us and/or our clients, which could include aggressive enforcement of patents by non-practicing entities. Such claims could lead to litigation against us and may also result in proceedings initiated by various federal and state regulatory agencies overseeing our business operations. As our business has grown and diversified, the number and significance of these claims and proceedings has increased. These claims, regardless of their merit, could divert management's attention and result in costly and time-consuming litigation. We establish accruals for identified claims or lawsuits based on our best estimate of the probable liability. However, due to the inherent uncertainties of litigation and other dispute resolution processes, we cannot accurately predict the ultimate outcomes. An unfavorable resolution of a material claim or litigation could necessitate the payment of monetary damages, fines, or attorneys' fees, or force us to make costly and undesirable changes to our products, features, or business practices. Such outcomes would adversely affect our business, financial condition, and results of operations.

Our results of operations and financial position are closely tied to prevailing economic conditions. Factors such as inflation, business and consumer spending levels, business and consumer confidence, unemployment rates, and the availability of credit, as well as uncertainty or volatility in our customers' businesses, can adversely affect our business and results of operations. In a challenging economic environment, existing and potential customers may delay or forgo purchasing our products and services. Persistent inflationary pressure could diminish our customers' purchasing power, thereby negatively impacting our revenue and results of operations. A substantial portion of our business depends on spending by small businesses, which we believe are more vulnerable to economic fluctuations than larger, more established companies. During economic downturns, small businesses may find it harder to secure credit and may prioritize other expenditures over our products and services. Consequently, factors such as small business confidence, the rate of small business formations and closures, and the availability of credit to small businesses are critical to our business performance. Additionally, our business relies on the health of the financial services industry. Past global economic conditions have led to financial institutions seeking additional capital, merging with other institutions, or, in some cases, failing. The failure of one or more of our major financial institution clients, or a significant portion of our customer base, could adversely affect our operating results. Beyond the potential loss of a major client, the inability to recover prepaid product discount payments, collect accounts receivable, or secure contractually required termination payments from these clients could negatively impact our financial performance. Other factors affecting the financial services industry may also lead to an increase in mergers and acquisitions among financial institutions. Such consolidation could adversely affect our operating results, as newly combined entities often seek to reduce costs by leveraging economies of scale in purchasing, including check supply and business services contracts. This competitive pressure may force providers to compete intensely on price to retain their existing business and gain additional business from the merged entity. Despite our efforts to offer competitively priced, high-quality products and services, there is no guarantee that we will retain financial institution clients or offset the loss of a major client through new client acquisitions or expanded sales to existing clients. Global events, such as illness outbreaks and pandemics like COVID-19, along with political and economic instability, including uncertainties surrounding trade policies, treaties, and tariffs, as well as war or other hostilities, significantly increase economic uncertainty. Given the ongoing and dynamic nature of these events, we cannot predict their impact on our business, financial position, or results of operations. Even after such impacts subside, the U.S. economy may experience a recession, which could further adversely affect our business.