We routinely collect, store and use personal information and other data during the ordinary course of our business. If we are unable to protect the personal information and other data we collect, store and use from unauthorized access, use, disclosure, disruption, modification, or destruction, such problems or security breaches could cause a loss, give rise to liabilities to the owners or subjects of the information, or subject us to fines and other penalties. In addition, complying with various laws and regulations could cause us to incur substantial costs or require us to change our business practices, including our data practices, in a manner adverse to our business.
In general, we expect that data security and data protection compliance will receive greater attention and focus from regulators, both domestically and globally, as well as attract continued or greater public scrutiny and attention going forward, which could increase our compliance costs and subject us to heightened risks and challenges associated with data security and protection. If we are unable to manage these risks, we could become subject to penalties, including fines, suspension of business and revocation of required licenses, and our reputation and results of operations could be materially and adversely affected.
The PRC regulatory and enforcement regime with regard to data security and data protection is evolving and may be subject to different interpretations or significant changes. Moreover, different PRC regulatory bodies, including the Standing Committee of the NPC, the Ministry of Industry and Information Technology, or the MIIT, the CAC, the MPS and the SAMR, have enforced data privacy and protection laws and regulations with varying standards and applications. We are subject to PRC laws and regulations governing the collection, storing, sharing, using, processing, disclosure and protection of personal information and other data on the internet and mobile platforms including, without limitation, the PRC Civil Code, the PRC Cybersecurity Law, the PRC Data Security Law and the PRC Personal Information Protection Law. The following are examples of certain recent PRC regulatory activities in this area:
Data Security
- In June 2021, the Standing Committee of the NPC promulgated the PRC Data Security Law, which took effect in September 2021. The PRC Data Security Law, among other things, provides for a security review procedure for data-related activities that may affect national security. In January 2022, the CAC, together with other authorities, jointly promulgated the Cybersecurity Review Measures, which became effective on February 15, 2022 and replaced the predecessor regulation. Pursuant to the Cybersecurity Review Measures, critical information infrastructure operators that procure internet products and services and network platform operators engaging in data processing activities must be subject to the cybersecurity review if their activities affect or may affect national security. The Cybersecurity Review Measures further stipulate that network platform operators that hold personal information of over one million users shall apply to the Cybersecurity Review Office for a cybersecurity review before any public offering at a foreign stock exchange. In August 2021, the State Council promulgated the Regulations on Critical Information Infrastructure Security Protection, which became effective on September 1, 2021. Pursuant to this regulation, critical information infrastructure means key network facilities or information systems of critical industries or sectors, such as public communication and information service, energy, transportation, water conservation, finance, public services, e-government affairs and national defense science, the damage, malfunction or data leakage of which may endanger national security, people's livelihoods and the public interest.
Relevant governmental authorities of each critical industry and sector shall be responsible for formulating eligibility criteria and determining the scope of critical information infrastructure operators in the respective industry or sector, and operators will be informed about the final determination as to whether they are categorized as critical information infrastructure operators. As of the date of this annual report, no detailed rules or implementation rules have been issued by any authority and we have not been informed that we are a critical information infrastructure operator by any government authorities. Furthermore, the exact scope of "critical information infrastructure operators" under the current regulatory regime remains unclear, and the PRC government authorities may have wide discretion in the interpretation and enforcement of the applicable laws. Therefore, it is uncertain whether we would be deemed to be a critical information infrastructure operator under PRC law. If we are deemed to be a critical information infrastructure operator under the PRC cybersecurity laws and regulations, we may be subject to obligations in addition to what we have fulfilled under the PRC cybersecurity laws and regulations.
- In November 2021, the CAC released the Administrative Regulations on Internet Data Security (Draft for Comments), or the Draft Data Security Regulations, which provides that data processors refer to individuals or organizations that, during their data processing activities such as data collection, storage, utilization, transmission, publication and deletion, have autonomy over the purpose and the manner of data processing.
In accordance with the Draft Data Security Regulations, data processors shall apply for a cybersecurity review for certain activities, including, among other things, (i) the listing abroad of data processors that process the personal information of more than one million individuals and (ii) any data processing activity that affects or may affect national security. However, there have been no clarifications from the relevant authorities as of the date of this annual report as to the standards for determining whether an activity is one that "affects or may affect national security." In addition, the Draft Data Security Regulations requires that data processors that process "important data" or are listed overseas must conduct an annual data security assessment by themselves or commission a data security service provider to do so, and submit the assessment report of the preceding year to the municipal cybersecurity department by the end of January each year. As of the date of this annual report, the Draft Data Security Regulations has been released for public comment only, and its provisions and anticipated adoption or effective date may be subject to change with substantial uncertainty.
- On July 7, 2022, the CAC issued the Measures for Security Assessment of Cross-border Data Transfer, or the Security Assessment Measures, which came into effect on September 1, 2022. Pursuant to the Security Assessment Measures, a data processor shall apply to competent authorities for security assessment prior to transferring any data abroad if the transfer involves (i) important data; (ii) personal information transferred overseas by a CIIO and a data processor that has processed personal information of more than one million individuals; (iii) personal information transferred overseas by a data processor who has already provided personal information of 100,000 persons or sensitive personal information of 100,000 persons overseas since January 1 of the previous year; or (iv) other circumstances as requested by the CAC. Furthermore, on August 31, 2022, the CAC promulgated the Guidelines for filing the Outbound Data Transfer Security Assessment (Version 1), which provides that acts of outbound data transfer include (i) overseas transmission and storage by data processors of data generated during PRC domestic operations; (ii) the access to, use, download or export of the data collected and generated by data processors and stored in the PRC by overseas institutions, organizations or individuals; and (iii) other acts as specified by the CAC.
- The Anti-monopoly Guidelines for the Platform Economy Sector published by the Anti-monopoly Committee of the State Council, effective on February 7, 2021, prohibits collection of user information through coercive means by online platform operators.
- In August 2021, the Standing Committee of the NPC promulgated the PRC Personal Information Protection Law, which integrates the scattered rules with respect to personal information rights and privacy protection and took effect on November 1, 2021. We update our privacy policies from time to time to meet the latest regulatory requirements of PRC government authorities and adopt technical measures to protect data and ensure cybersecurity in a systematic way. Nonetheless, the Personal Information Protection Law elevates the protection requirements for personal information processing, and many specific requirements of this law remain to be clarified by the CAC, other regulatory authorities, and courts in practice. We may be required to make further adjustments to our business practices to comply with the personal information protection laws and regulations.
- On August 1, 2022, the Standing Committee further amended the Anti-Monopoly Law, which, among other things, (i) emphasized that business operators with a dominant market position shall not engage in any conduct of abusing a dominant market position by utilizing data and algorithms, technology, and platform rules, (ii) increased the fines on business operators for illegal concentration to "no more than ten percent of the preceding year's sales revenue of the business operators if the concentration of business operators has or may have an effect of excluding or limiting competition; or a fine of up to RMB5 million if the concentration of business operators does not have an effect of excluding or limiting competition," and (iii) increased the fines on business operators that reach monopoly agreements to "no less than one percent but no more than ten percent of the preceding year's sales revenue of the business operators, or a fine of up to RMB5 million if no sales revenue in the preceding year; and if such monopoly agreements have not been implemented, a fine of up to RMB3 million."
Many of the data-related laws and regulations are relatively new and certain concepts thereunder remain subject to interpretation by the regulators. If any data that we possess belongs to data categories that are subject to heightened scrutiny, we may be required to adopt stricter measures for protection and management of such data. The Cybersecurity Review Measures and the Draft Data Security Regulations remain unclear on whether the relevant requirements will be applicable to companies that are already listed in the United States, such as us. We cannot predict the impact of the Cybersecurity Review Measures and the Draft Data Security Regulations, if any, at this stage, and we will closely monitor and assess any development in the rule-making process. If the Cybersecurity Review Measures and the enacted version of the Draft Data Security Regulations mandate clearance of cybersecurity review and other specific actions to be taken by issuers like us, we face uncertainties as to whether these additional procedures can be completed by us in a timely manner, or at all, which may subject us to government enforcement actions and investigations, fines, penalties, suspension of our non-compliant operations, or removal of our app from the relevant application stores, and materially and adversely affect our business and results of operations. As of the date of this annual report, we have not been involved in any formal investigations on cybersecurity review made by the CAC on such basis.
In general, compliance with the existing PRC laws and regulations, as well as additional laws and regulations that PRC regulatory bodies may enact in the future, related to data security and personal information protection, may be costly and result in additional expenses to us, and subject us to negative publicity, which could harm our reputation and business operations. As advised by our PRC counsel, there are also uncertainties with respect to how such laws and regulations will be implemented and interpreted in practice as they are relatively new. We may need to adjust our business to comply with the data security and cybersecurity requirements from time to time and we have taken measures to comply with applicable data-related laws and regulations.
In addition, regulatory authorities around the world have adopted or are considering a number of legislative and regulatory proposals concerning data protection. These legislative and regulatory proposals, if adopted, and the uncertain interpretations and application thereof could, in addition to the possibility of fines, result in an order requiring that we change our data practices and policies, which could have an adverse effect on our business and results of operations. The European Union General Data Protection Regulation ("GDPR"), which came into effect on May 25, 2018, includes operational requirements for companies that receive or process personal data of residents of the European Economic Area. The GDPR establishes new requirements applicable to the processing of personal data, affords new data protection rights to individuals and imposes penalties for serious data breaches. Individuals also have a right to compensation under the GDPR for financial or non-financial losses. In the event that residents of the European Economic Area access our website or our mobile apps and input protected information, we may become subject to provisions of the GDPR.