Evertec (EVTC) Risk Analysis

We have devoted substantial resources to the development of our technology, business operations and business plans. In order to protect our trade secrets and proprietary information, we rely in significant part on confidentiality arrangements with our employees, licensees, independent contractors, advisors, suppliers, reseller partners, and customers. Despite these efforts, these arrangements may not be effective to prevent disclosure of confidential information, including trade secrets, and may not provide an adequate remedy in the event of unauthorized disclosure of confidential information. Unauthorized parties may also attempt to copy or reverse engineer certain aspects of our technologies that we consider proprietary. In addition, if others independently develop equivalent knowledge, methods, and know-how, we would not be able to assert trade secret rights against such parties. Monitoring unauthorized uses and disclosures is difficult, and we do not know whether the steps we have taken to protect our proprietary information will be effective.

Third parties have and may in the future assert claims of infringement, misappropriation or other violations of intellectual property rights against us. They may also assert such claims against our customers or reseller partners, whom we typically indemnify against claims that our products and services infringe, misappropriate, or otherwise violate the intellectual property rights of third parties. If we were found to be infringing a third party's rights and are unable to provide a sufficient workaround, we may need to negotiate with holders of those rights to obtain a license to those rights or otherwise settle any infringement claim as a party that makes a claim of infringement against us may obtain an injunction preventing us from shipping products containing the allegedly infringing technology. As the number of products and competitors in our market increase and overlaps occur, claims of infringement, misappropriation and other violations of intellectual property rights may increase. Any claim of infringement, misappropriation or other violation of intellectual property rights by a third party, even those without merit, could cause us to incur substantial costs defending against the claim and could distract our management from our business. Future assertions of patent rights by third parties, and any resulting litigation, may involve patent holding companies or other adverse patent owners who have no relevant product revenues and against whom our own patents may therefore provide little or no deterrence or protection. There can be no assurance that we will not be found to infringe or otherwise violate any third-party intellectual property rights or to have done so in the past. Any events of such nature could seriously harm our business, financial condition, and results of operations. Moreover, there could be public announcements of the results of hearings, motions or other interim proceedings or developments and if securities analysts or investors perceive these results to be negative, it could have a substantial adverse effect on the price of our ordinary shares. We expect that the occurrence of infringement claims is likely to grow as the market for our products and solutions grows. Accordingly, our exposure to damages resulting from infringement claims could increase and this could further exhaust our financial and management resources.

We currently use machine learning, artificial intelligence ("AI"), and automated decision-making technologies, including proprietary AI and machine learning algorithms throughout our business, and are making significant investments to continuously improve our use of such technologies. Our research and development of such technology remains ongoing, and AI presents numerous risks and challenges that could adversely affect our business. If we fail to keep pace with rapidly evolving AI technological developments, especially in the financial technology sector, our competitive position and business results may suffer. AI and machine-learning models require training on datasets prior to production use, and in some instances, AI algorithms or training methodologies may be flawed. Datasets may be overbroad, insufficient, or contain biased information. Training on incomplete, inadequate, inaccurate, biased or otherwise poor quality data may result in models failing to provide acceptable results. Content generated by AI systems also may be offensive, illegal, or otherwise harmful. Further, such content may appear correct but is factually inaccurate, misleading or otherwise flawed, or that results in unintended biases and discriminatory outcomes, which could negatively impact our users, harm our reputation and business, and expose us to liability. Ineffective or inadequate AI development or deployment practices by us or others could result in incidents that impair the acceptance of AI solutions or cause harm to individuals, users, or society, or result in our products and services not working as intended. Human review of certain outputs may be required. Our implementation of AI systems could result in legal liability, regulatory action, brand, reputational, or competitive harm, or other adverse impacts that could adversely affect our business, financial condition, cash flows and results of operations. In addition, certain AI and machine-learning models that we utilize may incorporate data and inputs from third-party sources. If third parties allege that our AI and machine learning models violate copyright law, or that our use of training data violates applicable law or the rights of a third party, we may be subject to legal liability or we may be forced to retrain our models or different datasets, which could result in unexpected costs, and adversely affect the availability of our offerings, their reliability, or otherwise make them less useful for their intended uses.

Our business is subject to the laws, rules, regulations, and policies in the jurisdictions in which we operate, as well as the legal interpretation of such regulations by administrative bodies and the judiciary of those jurisdictions. The expansion of our business may also result in increased regulatory oversight and enforcement, as well as any claims by regulatory agencies and courts that we are required to obtain licenses to engage in certain business activity. Enforcement of, failure, or perceived failure to comply with laws, rules, regulations, policies, or licensing requirements could result in criminal or civil lawsuits, penalties, fines, regulatory investigations, forfeiture of significant assets, an outright or partial restriction on our operations, enforcement in one or more jurisdictions, additional compliance and licensure requirements, reputational damage and force us to change the way we or our users do business. Any changes in our or our users' business methods could increase cost or reduce revenue. The laws, rules, regulations, and policies in the markets in which we operate include, but are not limited to, privacy and user data protection, banking, money transmission, antitrust, anti-money laundering and the export, re-export, and re-transfer abroad of covered items. In addition, our operations in most of the countries where we operate are subject to risks related to compliance with the U.S. Foreign Corrupt Practices Act and other applicable U.S. and other local laws prohibiting corrupt payments to government officials and other third parties. Privacy and Data Protection Our business relies on the processing of data in multiple jurisdictions and the movement of data across national borders. Legal requirements relating to the collection, storage, handling, use, disclosure, transfer, and security of personal data continues to evolve, and regulatory scrutiny in this area is increasing around the world. Significant uncertainty exists as privacy and data protection laws may differ from country to country and may create inconsistent or conflicting requirements. Our ongoing efforts to comply with privacy, cybersecurity, and data protection laws may entail expenses, may divert resources from other initiatives and projects, and could limit the service we are able to offer. Enforcement actions and investigations by regulatory authorities related to data security incidents and privacy actions or investigations could damage our reputation and impact us through increased costs or restrictions on our business, and noncompliance could result in regulatory penalties and significant legal liability. Although we make reasonable efforts to comply with all applicable data protection laws and regulations, our interpretations and efforts may have been or may prove to be insufficient or incorrect. We also make public statements about our use and disclosure of personal information through our privacy policy, information provided on our website and other public statements. Although we endeavor to ensure that our public statements are complete, accurate and fully implemented, we may at times fail to do so or be alleged to have failed to do so. We may be subject to potential regulatory or other legal action if such policies or statements are found to be deceptive, unfair or misrepresentative of our actual practices. In addition, from time to time, concerns may be expressed about whether our products and services compromise the privacy of our customers and others. Any concerns about our data privacy and security practices (even if unfounded), or any failure, real or perceived, by us to comply with our posted privacy policies or with any legal or regulatory requirements, standards, certifications or orders or other privacy or consumer protection-related laws and regulations applicable to us, could cause our customers, riders and users to reduce their use of our products and services. Banking In general, financial institution regulators require their supervised institutions to cause their service providers to agree to certain terms and to agree to supervision and oversight by applicable financial regulators, primarily to protect the safety and soundness of the financial institution. We have agreed to such terms and provisions in many of our service agreements with financial institutions. We and our customers are also generally subject to U.S. federal, Puerto Rico and other countries' laws, rules and regulations that affect the electronic payments industry, including with respect to activities in the countries where we operate and due to our relationship with customers that are subject to banking and financial regulation, including Popular. Regulation of the electronic payment card industry has increased significantly in recent years. There is also continued scrutiny by the U.S. Congress of the manner in which payment card networks and card issuers set various fees. Banking regulators have been strengthening their examination guidelines with respect to relationships between banks and their third-party service providers, such as us. Any such heightened supervision of our relationship with our banking and financial services customers, including Popular, could have an effect on our contractual relationship with our customers as well as on the standards applied in the evaluation of our services. See "Part I, Item 1. Business- Government Regulation and Payment Network Rules- Regulatory Reform and Other Legislative Initiatives." Export We are also subject to the Export Administration Regulations ("EAR"), which regulates the export, re-export and re-transfer abroad of covered items made or originating in the United States as well as the transfer of covered U.S.-origin technology abroad. There can be no assurance that we have not violated the EAR in past transactions or that our new policies and procedures will prevent us from violating the EAR in every transaction in which we engage. Any such violations of the EAR could result in fines, penalties or other sanctions being imposed on us, which could negatively affect our business, results of operations and financial condition. Some financial institutions refuse, even in the absence of a regulatory requirement, to provide services to companies operating in certain countries or engaging in certain practices because of concerns that the compliance efforts perceived to be necessary may outweigh the usefulness of the service relationship. Our operations outside the United States make it more likely that financial institutions may refuse to conduct business with us for this type of reason. Any such refusal could negatively affect our business, results of operations and financial condition. We and our subsidiaries conduct business with financial institutions and/or card payment networks operating in countries whose nationals, including some of our customers, engage in transactions in countries that are the target of U.S. economic sanctions and embargoes, including Cuba. As a U.S.-based entity, we and our subsidiaries are obligated to comply with the economic sanctions regulations administered by OFAC. These regulations prohibit U.S.-based entities from entering into or facilitating unlicensed transactions with, for the benefit of, or in some cases involving the property and property interests of, persons, governments, or countries designated by the U.S. government under one or more sanctions regimes. Various state and municipal governments, universities and other investors maintain prohibitions or restrictions on investments in companies that do business involving sanctioned countries or entities. Because we process transactions on behalf of financial institutions through the payment networks, we have processed a limited number of transactions potentially involving sanctioned countries and there can be no assurances that, in the future, we will not inadvertently process such transactions. Due to a variety of factors, including technical failures and limitations of our transaction screening process, conflicts between U.S. and local laws, political or other concerns in certain countries in which we and our subsidiaries operate, and/or failures in our ability to effectively control employees operating in certain non-U.S. subsidiaries, we have not rejected every transaction originating from or otherwise involving sanctioned countries, or persons and there can be no assurances that, in the future, we will not inadvertently fail to reject such transactions. Antitrust Due to our ownership of the ATH network and our merchant acquiring and payment services business in Puerto Rico, we are involved in a significant percentage of the debit and credit card transactions conducted in Puerto Rico each day. We have in the past been subject to regulatory investigations and any future regulatory scrutiny of, or regulatory enforcement action in connection with, compliance with U.S. state and federal antitrust requirements could potentially have a material adverse effect on our reputation and business. In addition, we are subject to applicable antitrust requirements in each of the countries in which we operate. All of these laws and requirements may affect potential acquisitions in the relevant jurisdictions. ESG Regulatory Developments The recent emphasis on environmental, social and other sustainability matters has resulted and may continue to result in the adoption of new laws and regulations, including new reporting requirements. For example, various policymakers have adopted (or are considering adopting) requirements for the disclosure of certain climate-related information or other environmental, social and governance ("ESG") disclosures. Compliance with environmental, social and other sustainability laws, regulations, expectations or reporting requirements may result in increased compliance costs, as well as additional scrutiny. It is possible that other types of environmental and social regulations, for example regulations regarding the use of energy or water or regulations regarding human capital management matters, may also result in increased costs. Moreover, such requirements are not uniform across jurisdictions, and may be inconsistently applied or enforced in any given jurisdiction, which can increase the complexity and cost of compliance, and increase the risk of enforcement or litigation relating to our ESG disclosures and initiatives. If we fail to comply with new laws, regulations, expectations or reporting requirements, or if we are perceived as failing, our reputation and business could be adversely impacted. Any reputational damage associated with ESG factors may also adversely impact our ability to recruit and retain employees and customers.

Growth in our merchant acquiring business is derived primarily from acquiring new merchant relationships, new and enhanced product and service offerings, cross selling products and services into existing relationships, the shift of consumer spending to increased usage of electronic forms of payment, and the strength of our existing commercial relationship with Banco Popular. A substantial portion of our business is generated from our Amended and Restated Independent Sales Organization Sponsorship and Services Agreement (the "A&R ISO Agreement") with Banco Popular, which was amended and restated in July 2022, among other things, to extend its term to end in 2035. Banco Popular acts as a merchant referral source and provides sponsorship into the ATH, Visa, Discover and MasterCard networks for merchants, as well as card association sponsorship, clearing and settlement services. We provide transaction-processing and related functions. Both we and Popular, as alliance partners, may provide management, sales, marketing, and other administrative services to merchants. Although Banco Popular is not our sole distribution channel, it is the most significant. We rely on the continuing growth of our merchant relationships, which in turn is dependent upon our alliance with Banco Popular and other distribution channels. There can be no guarantee that this growth will continue and the loss or deterioration of these relationships, whether due to the termination of the A&R ISO Agreement or otherwise, could negatively impact our business and result in a material reduction of our revenue and income.

Our contracts with private clients generally run for a period of one to six years, and usually contain automatic renewal periods. Our government contracts typically run for one year and do not include automatic renewal periods due to government procurement rules and related fiscal funding requirements. Our standard merchant contract has an initial term of up to three years, with automatic one-year renewal periods. At the end of the relevant contract term, clients can renew or renegotiate their contracts with us, but may also decide to engage one of our competitors to provide products and services. If we are not successful in achieving high renewal rates and/or contract terms that are favorable to us, our results of operations and financial condition may be adversely affected. We also depend on our payment processing clients to comply with their contractual obligations, applicable laws, regulatory requirements and payment card networks rules or standards. A client's failure to comply with any such laws or requirements could force us to declare a breach of contract and terminate the client relationship. The termination of such contracts or relationships, as well as any inability to collect any damages caused, could have a material adverse effect on our business, financial condition, and results of operations. Additionally, any such failure by clients to comply could also result in fines, penalties or obligations imputed to EVERTEC, which could also have a material adverse effect on our business.

From time to time, payment card networks change interchange, processing, and other fees, which could impact our merchant acquiring and payment services businesses. Competitive pressures could result in our merchant acquiring and payment services businesses absorbing a portion of such increases in the future, which would increase our operating costs, reduce our profit margin, and adversely affect our business, results of operations and financial condition. There is currently proposed federal (and state) legislation that, if implemented, may impact credit card interchange and, as a result, impact our business.

Under certain circumstances, we may be liable for certain fraudulent transactions and/or credits initiated by merchants or others. For instance, if we were to process payments for a merchant that engaged in unfair or deceptive trade practices, we may be subject to certain fines or penalties. Examples of merchant fraud include merchants or other parties knowingly using a stolen or counterfeit credit, debit or prepaid card, card number, or other credentials to record a false sales or credit transaction, processing an invalid card, selling goods or services that are considered forbidden by the payment card networks, or intentionally failing to deliver the merchandise or services sold in an otherwise valid transaction. Criminals and other misfeasors are using increasingly sophisticated methods to engage in forbidden and/or illegal activities such as counterfeiting and fraud. A single significant incident of fraud, or increases in the overall level of fraud, involving our services, could result in reputational damage to us, which could reduce the use and acceptance of our solutions and services or lead to greater regulation that would increase our compliance costs. Failure to effectively manage risk and prevent fraud could increase our chargeback liability or cause us to incur other liabilities, and our insurance coverage may be insufficient or inadequate to compensate us. It is possible that incidents of fraud could increase in the future. Increases in chargebacks or other liabilities could adversely affect our business, financial condition or results of operations.

There have been a number of mergers and consolidations in the banking and financial services industry. Mergers and consolidations of financial institutions reduce our number of clients and potential clients, which could adversely affect our revenues. Further, if our clients fail or merge with or are acquired by other entities that are not our clients, or that use fewer of our services, they may discontinue or reduce their use of our services. It is also possible that the larger banks or financial institutions resulting from mergers or consolidations would have greater leverage to negotiate terms less favorable to us or could decide to perform in-house some or all of the services which we currently provide or could provide. Any of these developments could have a material adverse effect on our business, financial condition, and results of operations.

The markets in which we operate have experienced historically high levels of inflation. Though inflation rates have declined compared to prior years, if they were to increase again, it may affect our expenses, including, but not limited to, increased employee compensation expenses and benefits as well as increased general administrative costs as was the case in prior high inflationary periods. In addition, inflation has driven in the past and may in the future drive a rising interest rate environment, which has had and may in the future have an adverse effect on our cost of funding, as well as led and may in the future lead to enhanced volatility on foreign currency exchange rates. In the event inflation increases again, we may seek to increase the sales prices of our products and services in order to maintain satisfactory margins. Any attempts to offset cost increases with price increases may result in reduced sales, increase customer dissatisfaction or otherwise harm our reputation. Moreover, to the extent inflation has other adverse effects on the market, it may adversely affect our business, financial condition and results of operations.