Flywire (FLYW) Risk Factors

Our business depends on our ability to satisfy our clients and their customers with respect to our solutions as well as the services that are performed to help our clients and their customers use the features and functions of our solutions. Services are usually performed by us, and are also on occasion provided together with a third-party partner. If our clients or their customers are not satisfied with the functionality of our solutions or the services that we or a third-party partner provide, such dissatisfaction could damage our ability to retain our current clients or expand our clients' or their customers' use of our solutions. In addition, any negative publicity and reviews that we may receive which is related to our client relationships may further damage our business and may invite enhanced regulatory scrutiny at the federal and state level in the United States as well as internationally.

Many payment processing or enablement industry participants are consolidating to create larger and more integrated financial processing systems with greater market power. We expect regulatory and economic conditions to result in additional consolidation in the healthcare industry in the future. As consolidation accelerates, the economies of scale of our clients' organizations may grow. If a client experiences sizable growth following consolidation, it may determine that it no longer needs to rely on us and may reduce its demand for our solutions. In addition, as payment processing providers consolidate to create larger and more integrated systems with greater market power, these providers may try to use their market power to negotiate fee reductions for our solutions. Finally, consolidation may also result in the acquisition or future development by our clients of products and services that compete with our solutions. Any of these potential results of consolidation could have a material adverse effect on our business, financial condition and results of operations.

The continued growth and development of our proprietary global payments network will also depend on our ability to anticipate and adapt to changes in client and customer behavior. For example, behavior may change regarding the use of credit and debit card transactions, including the relative increased use of cash, crypto-currencies, other emerging or alternative payment methods and credit card systems that may include strong regional preferences that we or our processing partners do not adequately support. Any failure to timely integrate emerging payment methods into our solutions, anticipate behavior changes, or contract with payment processing partners that support such emerging payment technologies could cause our clients to use our solutions less, resulting in a corresponding loss of revenue, in the event such methods become popular among their customers. The number and variety of the payment methods we offer or currencies we are able to service may not meet client expectations, or the costs borne by our clients' customers in completing payments may become unsuitable. Accordingly, we may need to change our pricing strategies or reduce our prices, which could harm our revenue, gross profit, and operating results. We utilize a number of payment providers to clear and settle transactions for our clients, including payments providers such as China UnionPay Co. Ltd. and Adyen N.V. If the services provided by these partners become unavailable due to extended outages or interruptions or because they are no longer available on commercially reasonable terms or prices, or due to regulatory restrictions or for any other reason, our expenses could increase and our ability to process certain payments could be materially interrupted, all of which could harm our business, financial condition, and results of operations. In addition, our agreements with these providers include certain terms and conditions. These providers have broad discretion to change their terms of service and other policies with respect to our business, and those changes may be unfavorable to us. Therefore, we believe that maintaining successful partnerships with these payment providers is critical to our success.

We are required to comply with Mastercard, American Express, and Visa payment card network operating rules and the rules of other regional card (such as China UnionPay or Japan Credit Bureau (JCB)) or payment providers, in connection with our solutions. We have agreed to reimburse our merchant acquirers for any fines they are assessed by payment card networks as a result of any rule violations by us. We may also be directly liable to the payment card networks for rule violations. The payment card networks set and interpret the card operating rules. The payment card networks could adopt new operating rules or interpret or reinterpret existing rules that we or our processors might find difficult or even impossible to follow, or costly to implement. For example, the card networks could adopt new rules or reinterpret existing rules to substantially modify how we offer credit card payment methods to our clients, or impose new fees or costs (including demanding a cash reserve from Flywire) that could negatively impact our margins. Card networks also could modify security or fraud detection methodologies that could have a downstream impact on our business, and force us to change our solutions, payment experience or security protocols, which may increase our operating costs. We also may seek to introduce other card-related solutions in the future, which would entail additional operating rules. As a result of any violations of rules, new rules being implemented, or increased fees, we could lose our ability to offer certain cards as a payment method to our clients' customers, or such payments could become prohibitively expensive for us or for our clients. Additionally, from time to time, card networks, including Visa and Mastercard, increase the fees that they charge processors. We could attempt to pass these increases along to our clients and their customers, but this strategy might result in the loss of clients to our competitors who do not pass along the increases. If competitive practices prevent us from passing along the higher fees to our clients and their customers in the future, we may have to absorb all or a portion of such increases, which may increase our operating costs and reduce our profit margins. If we are unable to offer credit cards as a payment method to our clients' customers, our business would be adversely affected.

The market for our payment solutions is subject to rapid and significant changes. The market for technology-enabled payment services that empower healthcare clients and their customers is characterized by rapid technological change, new product and service introductions, increasing patient financial responsibility, consumerism and engagement, the ongoing shift to value-based care and reimbursement models, and the entrance of non-traditional competitors. In addition, there may be a limited-time opportunity to achieve and maintain a significant share of this market due in part to the rapidly evolving nature of the healthcare and technology industries and the substantial resources available to our existing and potential competitors. The market for technology-enabled payment services that empower healthcare clients and their customers is relatively new and unproven, and it is uncertain whether this market will achieve and sustain high levels of demand and market adoption. In order to remain competitive, we are continually involved in a number of projects to compete with these new market entrants by developing new solutions, growing our client base and penetrating new markets. Some of these projects include the expansion of our integration capabilities and the expansion of our mobile solutions. These projects carry risks, such as cost overruns, delays in delivery, performance problems and lack of acceptance by our clients. Our integration partners may also decide to develop and offer their own patient engagement solutions that are similar to our solutions. In addition, the decisions we make on allocation of engineering resources, reliance on, integration with or discontinuance of, legacy systems or those acquired in acquisition, or the pace at which we remain technologically current within our internal systems and customer payment platforms, may negatively affect the morale of our engineering teams and the payment experiences our clients wish to feature to their customers. We may lose engineering talent or healthcare clients as a result, which could have a material adverse effect on our business and results of operations. Our success depends on providing high-quality payment solutions that healthcare clients use to improve their financial and operational performance, allowing them to collect payments and enhance their revenue lifecycle management objectives. If we cannot adapt to rapidly evolving industry standards and technology and increasingly sophisticated and varied healthcare client and customer payment needs, our existing technology could become undesirable, obsolete or harm our reputation. We must continue to invest significant resources in our personnel and technology in a timely and cost-effective manner in order to enhance our existing solutions and introduce new high-quality solutions that existing clients and potential new clients will want. Our operating results would also suffer if our innovations are not responsive to the needs of our existing clients or potential new clients, are not appropriately timed with market opportunity, are not effectively brought to market or significantly increase our operating costs. If our new or modified product and service innovations are not responsive to the preferences of healthcare clients and their customers, emerging industry standards or regulatory changes, are not appropriately timed with market opportunity or are not effectively brought to market, we may lose existing clients or be unable to obtain new clients and our results of operations may suffer. We believe demand for our payment solutions in the healthcare industry has been driven in large part by more patient responsibility for out-of-pocket spend, a trend towards higher deductibles for health care services, increased digitization in payments, and the tailoring of payment offers and increased patient engagement. Our success also depends to a substantial extent on the ability of our solutions to increase the volume of our clients' customers payments, and our ability to demonstrate the value of our solutions to our clients. If our existing clients do not recognize or acknowledge the benefits of our solutions or our solutions do not drive payment volume, then the market for our solutions might not develop at all, or it might develop more slowly than we expect, either of which could adversely affect our operating results. A significant decrease in the payment volume and resulting revenue from our clients and their customers in the healthcare industry may have an adverse effect on our business, operating results and financial condition. In addition, we have limited insight into trends that might develop and affect our healthcare business. We might make errors in predicting and reacting to relevant business, legal and regulatory trends and healthcare reform, which could harm our business. If any of these events occur, it could materially adversely affect our business, financial condition or results of operations. Finally, our competitors, including major EHR providers, may have the ability to devote more financial and operational resources than we can to developing new technologies and services, including services that provide improved operating functionality, and adding features to their existing service offerings. Relationships with companies in the EHR space and business focused on revenue lifecycle management are critical to leverage if we are to add to our healthcare customer portfolio. However, intense competition and rising costs experienced by certain major EHR providers has resulted, in certain cases, in increased financial strain on these businesses, and in at least one notable instance, an action to seek bankruptcy protection. To the extent we have outstanding amounts owed to us by companies that seek bankruptcy protection or cease operations, it may become difficult for us to be paid in full in a timely manner, if at all. Many of these companies may offer products and services similar to ours and may have greater name recognition, longer operating histories, stronger and more dependent client relationships, larger marketing budgets, and greater resources than us. If successful, their development efforts could render our solutions less desirable, resulting in the loss of our existing clients or a reduction in the fees we generate from our solutions.

Our future growth and profitability will depend in large part upon the effectiveness and efficiency of our efforts to attract new clients and increase the number of our clients' customers that use our solutions. While we intend to dedicate resources to attracting new clients and increasing the number of our clients' customers that use our solutions, our ability to do so depends in large part on the success of these efforts and the success of the marketing channels we use to promote our solutions. Our marketing channels include search engine optimization, search engine marketing, account-based direct marketing campaigns, industry events and association marketing relationships. If any of our current marketing channels become less effective, if we are unable to continue to use any of these channels, if the cost of using these channels were to significantly increase or if we are not successful in generating new channels, we may not be able to attract new clients in a cost-effective manner or increase the number of our clients' customers that use our solutions. If we are unable to recover our marketing costs through increases in the number of clients and in the number of our clients' customers that use our solutions, or if we discontinue our marketing efforts, it could have a material adverse effect on our business, prospects, results of operations, and financial condition.

We believe that our future growth will depend on the continued development of our direct sales force and its ability to obtain new clients and to manage our existing client base. Our ability to increase our client base and achieve broader market acceptance of our solutions will depend to a significant extent on our ability to expand our sales and marketing organizations, and to deploy our sales and marketing resources efficiently. We intend to continue to increase our number of direct sales professionals and to expand our relationships with new strategic channel partners. These efforts will require us to invest significant financial and other resources. New hires require training and take time to achieve full productivity. Similarly, new channel partnerships often take time to develop and may never yield results, as they require new partners to understand the services and solutions we offer, and how to position our value within the market. We cannot be certain that recent and future new hires or partner relationships will become as productive as necessary or that we will be able to hire enough qualified individuals or build effective channel sales in the future. If we are unable to hire, develop, integrate, and retain talented and effective sales personnel, if our new and existing sales personnel are unable to achieve desired productivity levels, or if our sales, channel strategy and marketing programs and advertising are not effective, we may not be able to expand our business and grow our revenue, which may harm our business, operating results and financial condition.

To increase our revenue, in addition to acquiring new clients, we must continue to retain existing clients, increase the volume of payments made by our clients' customers and sell additional functionality to our clients. We expect to derive a significant portion of our revenue from the renewal of existing clients' contracts and sales of additional features and solutions to existing clients. As the market for our solutions matures, solutions evolve, and competitors introduce lower cost or differentiated products or services that are perceived to compete with our solutions, our ability to attract (and our clients' ability to attract) new customers and maintain our current client base and clients' customer usage could be hindered. As a result, we may be unable to retain existing clients or increase the usage of our solutions by them or their customers, which would have an adverse effect on our business, revenue, gross profit, gross margins, and other operating results, and accordingly, on the trading price of our common stock. As the market for our solutions matures, or as new or existing competitors introduce new products or services that compete with our solutions, we may experience pricing pressure. This competition and pricing pressure could have an adverse effect on our ability to retain existing clients or attract new clients at prices that are consistent with our pricing model, operating budget and expected operating margins. In particular, it has become more common in the education sector for competitors to offer generous revenue sharing arrangements for clients we target. Our business could be adversely affected if clients or their customers perceive that features incorporated into alternative products reduce the need for our solutions or if they prefer to use competitive services. If we are unable to attract new clients and increase the number of our clients' customers that use our solutions, our revenue growth and operating results will be adversely affected. Further, in an effort to attract new clients and increase usage by their customers, we may need to offer simpler, lower-priced payment options, which may reduce our revenue. Our ability to sell additional functionality to our existing clients may require more sophisticated and costly sales efforts, especially for our larger clients with more senior management and established accounts receivable solutions. Similarly, the rate at which our clients deploy additional solutions from us depends on several factors, including general economic conditions, the availability of client technical personnel to implement our solutions, and the pricing of additional functionality. If our efforts to sell additional functionality to our clients are not successful, our business and growth prospects would suffer. Contracts with our clients generally have a stated initial term of three years, are not subject to termination for convenience and automatically renew for one-year subsequent terms. Our clients may negotiate terms less advantageous to us upon renewal, which may reduce our revenue. If our clients fail to renew their contracts, renew their contracts upon terms less favorable to us or at lower fee levels or fail to purchase new solutions from us, our revenue may decline or our future revenue growth may be constrained. In addition, certain of our clients are subject to requirements to issue requests for proposals (RFPs) to open up competition for their ongoing business notwithstanding their satisfaction with our solutions. In order to retain their business, we may be required to accept terms or pricing conditions less favorable to us than would be the case with automatic renewal of an existing contract. Should any of our clients terminate their relationship with us after implementation has begun, we would not only lose our time, effort and resources invested in such implementation, but we would also have lost the opportunity to leverage those resources to build a relationship with other clients over that same period of time.

We devote significant resources to establish relationships with new clients and deepen relationships with existing clients. The sales cycles of our solutions tend to vary depending on the client industry sector which may make forecasting more complex and uncertain. In addition, sales and sale cycles may be based in part or entirely on factors, or perceived factors, not directly related to the features of our solutions, including, among others, a client or prospective client's projection of business growth, uncertainty about economic conditions (including as a result of increased inflationary conditions, recession concerns and the escalation of hostilities between Russia and Ukraine, and Israel and Hamas), capital budgets, anticipated cost savings from the implementation of our solution, potential preference for internally-developed software solutions, perceptions about our business and solutions, more favorable terms offered by potential competitors, and previous technology investments. Mid-market and large enterprises tend to have more complex operating environments than smaller businesses, making it often more difficult and time-consuming for us to demonstrate the value of our solutions to prospective clients. The decision to use our solutions may also be an enterprise-wide decision, and require us to provide greater levels of education regarding the use and benefits of our solutions, which may result in additional time, effort, and money spent on our sales cycle without any assurance that our efforts will be successful in generating any sales. Often, major hospital systems and national or state higher education systems will solicit service offers by issuing RFPs, which are generally a time- and resource-intensive process, with no assurances of being selected as a vendor after the RFP process is completed. Additionally, large enterprises typically have longer implementation cycles, especially hospital and education systems, require greater product functionality and scalability and a broader range of services, demand that vendors take on a larger share of risks, sometimes require longer testing periods that delay general availability of our solutions, and expect greater payment flexibility from vendors. All of these factors can add further risk to business conducted with these clients. If we fail to realize an expected sale from a large end-client in a particular quarter or at all, our business, operating results, and financial condition could be materially and adversely affected. In addition, we may face unexpected deployment challenges with enterprise clients. It may be difficult to deploy our software solutions if a client has unexpected database, hardware or software technology issues, or if a client insists on a more customized or unique solution that is time intensive or that we have little prior experience in delivering. Decisions on timing of deployments may also be impacted by cost and availability of personnel. Any difficulties or delays in the initial implementation could cause clients to reject our solutions or lead to the delay or non-receipt of future orders, in which case our business, operating results and financial condition would be harmed.

We devote significant resources to establish relationships with new clients and deepen relationships with existing clients. Our sales cycle for our solutions can be variable, typically ranging from three to nine months from initial contact to contract execution. However, there is potential for our sales cycle to extend beyond three to nine months. During the period of our sales cycle, our efforts involve educating our clients about the use, technical capabilities and benefits of our solutions. Our operating results depend in substantial part on our ability to deliver a successful client experience and persuade our clients to grow their relationship with us over time. As we expect to grow rapidly, our client acquisition costs could outpace our build-up of recurring revenue, and we may be unable to reduce our total operating costs through economies of scale such that we are unable to achieve or maintain profitability. Any increased or unexpected costs or unanticipated delays, including delays caused by factors outside of our control, could cause our operating results to suffer.

Our clients and their customers rely on our support services to resolve issues and realize the full benefits provided by our solutions. High-quality support is also important for the expansion of the use of our solutions with existing clients and their customers. We provide multilingual support over chat, email or via telephone. The number of our clients, and the number of their customers utilizing our solutions, has grown significantly and such growth, as well as any future growth, will put additional pressure on our client service organization. If we do not help our clients and their customers quickly resolve issues and provide effective ongoing support, or if our support personnel or methods of providing support are insufficient to meet the needs of our clients and their customers, our ability to retain clients and their customers and acquire new clients and customers could suffer, and our reputation with existing or potential clients could be harmed. Providing an exceptional client experience requires significant time and resources from our client service team. Therefore, failure to scale our client service organization adequately may adversely impact our business results and financial condition. In addition, as we continue to operate and grow our operations and continue to expand to new jurisdictions, we need to be able to provide efficient client service that meets our clients' needs globally at scale. In geographies where we sell through our channel partners, if we are unable to provide a high quality client experience tailored to the language and culture of the applicable jurisdiction, our business operations and reputation may suffer.

We may in the future become subject to intellectual property disputes. Lawsuits are time-consuming and expensive to resolve and they divert management's time and attention. We cannot predict the outcome of lawsuits and cannot assure you that the results of any such actions will not have an adverse effect on our business, operating results, or financial condition. During litigation, we may become subject to provisional rulings, including preliminary injunctions requiring us to cease some or all of our operations. We may decide to settle legal disputes on terms that are unfavorable to us. Furthermore, such disputes, even those without merit, may subject us to an unfavorable judgment that we may not choose to appeal or that may not be reversed upon appeal. In such a situation, we could be required to pay substantial damages or license fees to third party patent owners. In addition, we may also be required to modify, redesign, reengineer, or rebrand our solutions, or stop making, licensing, or providing solutions that incorporate the asserted intellectual property. Alternatively, we may enter into a license agreement to continue practices found to be in violation of a third party's rights. If we are required, or choose to enter into, royalty or licensing arrangements, such arrangements may not be available on reasonable terms or at all. In addition, we may also be contractually obligated to indemnify our clients in the event of infringement of a third party's intellectual property rights.

We use open source software in our solutions and expect to continue to use open source software in the future. There are uncertainties regarding the proper interpretation of and compliance with open source licenses, and there is a risk that such licenses could be construed in a manner that imposes unanticipated conditions or restrictions on our ability to use such open source software, and consequently to provide or distribute our solutions. Although use of open source software has historically been free, recently several open source providers have begun to charge license fees for use of their software. If our current open source providers were to begin to charge for these licenses or increase their license fees significantly, this would increase our research and development costs and have a negative impact on our results of operations and financial condition. Additionally, we may from time to time face claims from third parties claiming ownership of, or seeking to enforce the terms of, an open source license, including by demanding release of source code for the open source software, derivative works or our proprietary source code that was developed using, or that is distributed with, such open source software. These claims could also result in litigation and could require us to make our proprietary software source code freely available, require us to devote additional research and development resources to change our solutions or incur additional costs and expenses, any of which could result in reputational harm and would have a negative effect on our business and operating results. In addition, if the license terms for the open source software we utilize change, we may be forced to reengineer our solutions or incur additional costs to comply with the changed license terms or to replace the affected open source software. Further, use of certain open source software can lead to greater risks than use of third-party commercial software, as open source licensors generally do not provide warranties or controls on the origin of software or indemnification for third party infringement claims. Although we have implemented policies to regulate the use and incorporation of open source software into our solutions, we cannot be certain that we have not incorporated open source software in our solutions in a manner that is inconsistent with such policies.

Our solutions integrate with ERP systems, such as Ellucian Company, L.P. in education, Epic Systems Corporation in healthcare, Rezdy Pty Ltd in travel and Oracle Corporation in B2B payments. We automatically synchronize suppliers, clients, client customers, invoices, and payment transactions between our solutions and these systems. This two-way sync eliminates duplicate data entry and provides the basis for managing cash-flow through an integrated solution for accounts receivable, and payments. In addition, we are subject to certain standard terms and conditions with these partners. These partners have broad discretion to change their terms of service and other policies, and those changes may be unfavorable to us. Therefore, we believe that maintaining successful partnerships with these providers is critical to our future success. We also rely on our proprietary global payment network comprised of leading global, regional and local banks and technology and payment partners. If we do not or cannot maintain the interoperability of their products or services or the products or our key software vendors that are integral to our solutions, our business may be materially and adversely affected. These third parties periodically update and change their systems, and although we have been able to adapt our solutions to their evolving needs in the past, there can be no guarantee that we will be able to do so in the future. In particular, if we are unable to adapt to such changes, we may not be able to utilize these strategic partners and we may lose access to large numbers of clients as a result. If any of the third party software providers change the features of their application programming interfaces (APIs), discontinue their support of such APIs, restrict our access to their APIs, or alter the terms governing their use in a manner that is adverse to our business, we will not be able to provide synchronization capabilities, which could significantly diminish the value of our solutions and harm our business, operating results, and financial condition.

In the future, as a result of the regulations applicable to our business, we could be subject to investigations and resulting liability, including governmental fines, restrictions on our business, or other sanctions, and we could be forced to cease conducting certain aspects of our business with residents of certain jurisdictions, be forced to change our business practices in certain jurisdictions, or be required to obtain additional licenses or regulatory approvals. For example, because a majority of voters in the U.K. approved an exit from the E.U. (commonly referred to as Brexit), we were required to obtain a license from a member state of the European Economic Area (EEA) which would allow us to continue to provide our solutions to clients located in the EEA under a principle known as "passporting". We were able to obtain a license as an authorized payment institution from the Bank of Lithuania in September 2019 and subsequently obtained the right to passport our solutions to other EEA member states. Government agencies may impose new or additional rules on money transmission, which may increase our costs of doing business, including, but not limited to regulations that: - prohibit, restrict, and/or impose taxes or fees on money transmission transactions in, to or from certain countries or with certain governments, individuals, and entities;- impose additional client identification and client due diligence requirements;- impose additional reporting or recordkeeping requirements, or require enhanced transaction monitoring;- limit the types of entities capable of providing money transmission services, or impose additional licensing or registration requirements;- impose minimum capital or other financial requirements;- limit or restrict the revenue that may be generated from money transmission, including revenue from the transaction value associated with the payment method used by our clients' customers and platform-related fees for access to our solutions and invoice and payment plan fees;- require enhanced disclosures to our money transmission clients or their customers;- require the principal amount of money transmission transactions originated in a country to be invested in that country or held in trust until paid;- limit the number or principal amount of money transmission transactions that may be sent to or from a jurisdiction, whether by an individual or in the aggregate; and - restrict or limit our ability to process transactions using centralized databases, for example, by requiring that transactions be processed using a database maintained in a particular country or region.

We are currently required to comply with U.S. economic and trade sanctions administered OFAC and we have processes in place to comply with the OFAC regulations as well as similar requirements in the foreign jurisdictions in which we already operate. As part of our compliance efforts, we scan our clients and their customers against watch lists promulgated by OFAC and certain other international agencies. Our application can be accessed from nearly anywhere in the world, and if our service is accessed from a sanctioned country or otherwise accessed or used in violation of applicable trade and economic sanctions, we could be subject to fines or other enforcement actions. In the course of enhancing our sanctions compliance function, we initiated an internal review that identified issues related to our compliance with sanctions, including payments that may have originated from sanctioned jurisdictions or sanctioned persons. We have made voluntary submissions to OFAC to report the apparent violations and to provide supplemental information. Flywire is currently engaging with OFAC to resolve these matters. Although the internal investigation completed to date suggests that any loss incurred as a result of this matter would not be material to our business, if OFAC ultimately concludes any violation has occurred in connection with these or other transactions, it could result in penalties, fines, costs, and restrictions on our ability to do business, which could also harm our operating results. We are also subject to various AML and CFT laws and regulations around the world that prohibit, among other things, our involvement in transferring the proceeds of criminal or terrorist activities. In the United States, most of our solutions are subject to AML laws and regulations, including the BSA, and similar laws and regulations. The BSA, among other things, requires MSBs to develop and implement risk-based AML programs, to report large cash transactions and suspicious activity, and in some cases, to collect and maintain information about clients who use their services and maintain other transaction records. Regulators and third-party auditors have identified gaps in how similar businesses have implemented AML programs, and we could likewise be subject to significant fines, penalties, inquiries, audits,investigations, enforcement actions, and criminal and civil liability if our AML program is found to be insufficient by a regulator. Our business operations in other parts of the world such as the U.K., Lithuania, Canada, Australia, Hong Kong, New Zealand, Indonesia and Singapore are subject to similar laws and requirements. Regulators in the United States and globally continue to increase their scrutiny of compliance with these obligations, which may require us to further revise or expand our compliance program, including the procedures we use to verify the identity of our clients and to monitor transactions on our system, including payments to persons outside of the United States. Regulators regularly re-examine the transaction volume thresholds at which we must obtain and keep applicable records or verify identities of clients, and any change in such thresholds could result in greater costs for compliance. Similarly, as a condition to doing business with us, our banking and other strategic partners also impose ongoing obligations on us related to AML and CFT and sanctions screening. Any failure on our part to maintain the necessary processes and policies to comply with these regulations and requirements, or to adapt our processes and policies to changes in laws, would subject us to penalties, fines, or loss of key relationships which would have a material adverse effect on our business and results of operations. Furthermore, government sanctions imposed with respect to Russia's invasion of Ukraine in early 2022 are impacting our ability to offer our services in the region, and additional sanctions could be imposed in the future. Further instability or tension in Russia, Ukraine, and the surrounding region could also cause us to adjust our operating model, which would increase our costs of operations.

Our clients and their customers store personal and business information, financial information and other sensitive information through our solutions. In addition, we collect, store, and process personal and business information and other data from and about actual and prospective clients, their customers, our FlyMates and our service providers and other business partners, as well as their personnel. Our handling of data is subject to a variety of laws and regulations, including regulation by various government agencies, such as the U.S. Federal Trade Commission (FTC), and various state, local, and foreign agencies. Our data handling is also subject to contractual obligations and industry standards. The U.S. federal and various state and foreign governments have adopted or proposed limitations on the collection, distribution, use, and storage of data relating to individuals and businesses, including the use of contact information and other data for marketing, advertising, and other communications with individuals and businesses. In the United States, various laws and regulations apply to the collection, processing, disclosure, and security of certain types of data, including the Electronic Communications Privacy Act, the Computer Fraud and Abuse Act, the Gramm Leach Bliley Act, FERPA, HIPAA, and the now in question E.U.-U.S. and Swiss-U.S. Privacy Shield protections, as well as state laws relating to privacy and data security. Additionally, the FTC and many state attorneys general are interpreting federal and state consumer protection laws as imposing standards for the online collection, use, dissemination, and security of data. For example, California enacted the California Consumer Protection Act (CCPA), which took effect on January 1, 2020 and became enforceable by the California Attorney General on July 1, 2020, and broadly defines personal information. The CCPA creates new individual privacy rights for consumers (as that term is broadly defined) and places increased privacy and security obligations on entities handling personal data of consumers or households. The CCPA requires covered companies to provide certain disclosures to California consumers about its data collection, use and sharing practices, provide such consumers with ways to opt-out of certain sales or transfers of personal information, provides for civil penalties for violations, and allows for a new private right of action for data breaches that has resulted in an increase in data breach litigation. It remains unclear, however, how the CCPA will be interpreted. As currently written, it will likely impact our business activities and exemplifies the vulnerability of our business to not only cyber threats but also the evolving regulatory environment related to personal data and protected health information. On August 24, 2022, the California Attorney General announced the entry of a final judgment enforcement action resulting in a fine and settlement under the CCPA, as the defendant was ordered to pay a $1.2 million penalty and, among other things, implement a monitoring and reporting program to demonstrate its ongoing compliance with the CCPA. Additionally, the California Privacy Rights Act (CPRA), which was passed in November 2020 and became effective on January 1, 2023, imposed additional obligations on companies covered by the legislation and significantly modified the CCPA, including by expanding consumers' rights with respect to certain sensitive personal information. The CPRA also created a new state agency that will be vested with authority to implement and enforce the CCPA and the CPRA. The effects of the CCPA and the CPRA are potentially significant and may require us to modify our data collection or processing practices and policies and to incur substantial costs and expenses in an effort to comply and increase our potential exposure to regulatory enforcement and/or litigation. The laws and regulations relating to privacy and data security are evolving, can be subject to significant change, and may result in ever-increasing regulatory and public scrutiny and escalating levels of enforcement and sanctions. The CCPA, in particular, has prompted a number of proposals for new federal and state-level privacy legislation, which could increase our potential liability and adversely affect our business. Several states in the U.S. have proposed or enacted laws that contain obligations similar to the CCPA and CPRA that have taken effect or will take effect in coming years. The U.S. federal government also is contemplating federal privacy legislation. The effects of recently proposed or enacted legislation potentially are far-reaching. Such legislation may add additional complexity, variation in requirements, restrictions and potential legal risk, require additional investment of resources in compliance programs, impact strategies and the availability of previously useful data and could result in increased compliance costs and/or changes in business practices and policies. Many of the foreign jurisdictions where we or our clients operate or conduct business, including the E.U., have laws and regulations dealing with the collection, use, storage, and disclosure and other handling (collectively, processing) of personal information, which in some cases are more restrictive than those in the U.S. In addition to regulating the processing of personal information within the relevant jurisdictions, these legal requirements often also apply to the processing of personal information outside these jurisdictions, where there is some specified link to the relevant jurisdiction. For example, we have multiple offices in Europe and serves clients and their customers throughout the E.U., where the General Data Protection Regulation (GDPR) went into effect in 2018. The GDPR, which is also the law in Iceland, Norway, Liechtenstein, and-to a large degree-the U.K., has an extensive global reach and imposes robust obligations relating to the processing of personal information, including documentation requirements, greater control for data subjects (e.g., the "right to be forgotten" and data portability), security requirements, notice requirements, restrictions on sharing personal information, data governance obligations, data breach notification requirements, and restrictions on the export of personal information to most other countries. The solutions that we currently offer subject us to many of these laws and regulations in many of the foreign jurisdictions where we operate or conduct business, and these laws and regulations may be modified or subject to new or different interpretations, and new laws and regulations may be enacted in the future. Legal developments have created compliance uncertainty regarding some transfers of personal information from the U.K. and EEA to locations where we or our clients operate or conduct business, including the United States and potentially Singapore, particularly with respect to cross-border transfers. Under the GDPR, such transfers can take place only if certain conditions apply or if certain data transfer mechanisms are in place. In July 2020, the Court of Justice of the E.U. ruled in its "Schrems II" decision (C-311/18), that the Privacy Shield, a transfer mechanism used by thousands of companies to transfer data between those jurisdictions and United States (and also used by us), was invalid and could no longer be used due to the strength of United States surveillance laws. In September 2020, the Federal Data Protection and Information Commissioner of Switzerland (where the law has a similar restriction on the export of personal information) issued an opinion concluding that the Swiss-U.S. Privacy Shield Framework does not provide an adequate level of protection for data transfers from Switzerland to the United States pursuant to Switzerland's Federal Act on Data Protection. We and our clients continue to use alternative transfer strategies, including the European Commission's Standard Contractual Clauses (SCCs), while the authorities interpret the Schrems II decision and the validity of alternative data transfer mechanisms. The SCCs, though previously approved by the European Commission, have faced challenges in European courts (including being called into question in the Schrems II decision), and may be further challenged, suspended or invalidated for transfers to some or all countries. For example, guidance regarding Schrems II issued by the European Data Protection Board (which is comprised of representatives from every E.U. member state's top data protection authority) have cast serious doubt on the validity of SCCs for most transfers of personal information to the United States. At present, there are few if any viable alternatives to the Privacy Shield and the SCCs, so such developments may necessitate further expenditures on local infrastructure, changes to internal business processes, changes to clients and clients' customer facing solutions, or may otherwise affect or restrict our sales and operations. On June 4, 2021, the European Commission released the final Implementing Decision on SCCs (New SCCs) for the transfer of personal data from the E.U. to "third countries" such as the US. The New SCCs will repeal and replace the existing SCCs (dating from 2001, 2004 and 2010) and address the entry into force of the GDPR) and the July 2020 decision of the CJEU in Schrems II, which invalidated the E.U.-U.S. Privacy Shield. The New SCCs broadly follow the draft implementing decision on standard contractual clauses (Draft SCCs) issued by the European Commission on November 12, 2020, but there are some material differences. The Draft SCCs' significant and extensive new requirements for data importers that act as controllers (for example, obligations to give notice to data subjects and to notify personal data breaches to EU authorities) remain, but have been aligned more closely with the GDPR requirements. While the New SCCs are not immediately in force, compliance with them will be required for new transfer agreements entered into from late September 2021. SCCs then in effect were required to be replaced with the New SCCs by December 27, 2022. On July 10, 2023, the European Commission formally approved the new EU-U.S. Data Privacy Framework (the "Framework"), under which European entities will now be able to transfer personal data to Framework participants in the U.S. without having to put in place additional data protection safeguards or use the Standard Contractual Clauses for data transfers. We are in the process of evaluating how we may self-certify as a participating organization with the U.S. Department of Commerce. E.U. data protection authorities have the power to impose administrative fines for violations of the GDPR of up to a maximum of €20 million or 4% of a corporate family's total worldwide global turnover for the preceding fiscal year, whichever is higher. Such penalties are in addition to any civil litigation claims by clients, data subjects or other third parties. We believe that the solutions that we currently offer subject us to the GDPR and other laws and regulations relating to privacy, data protection, and information security, and these may be modified or subject to new or different interpretations in the future. We will need to take steps to address compliance obligations in this rapidly evolving legal environment, but we cannot assure you that we will be able to implement changes in a timely manner or without significant disruption to our business, or that such steps will be effective, and we may face the risk of liability and loss of business. In addition, further to the U.K. exit from the E.U. on January 31, 2020, the GDPR ceased to apply in the U.K. at the end of the transition period on December 31, 2020. However, as of January 1, 2021, the U.K.'s European Union (Withdrawal) Act 2018 incorporated the GDPR (as it existed on December 31, 2020 but subject to certain U.K. specific amendments) into U.K. law (referred to as the U.K. GDPR). The U.K. GDPR and the U.K. Data Protection Act 2018 set out the U.K.'s data protection regime, which is independent from but aligned to the E.U.'s data protection regime. Non-compliance with the U.K. GDPR may result in monetary penalties of up to £17.5 million or 4% of worldwide revenue, whichever is higher. Like the GDPR, the U.K. GDPR restricts personal data transfers outside the U.K. to countries not regarded by the U.K. as providing adequate protection (this means that personal data transfers from the U.K. to the EEA remain free flowing). On June 28, 2021, the European Commission adopted an adequacy decision under the GDPR, thereby recognizing that the U.K.'s data protection system continues to provide the same protections with respect to personal data as when it was an EU member state, and enabling the continued exchange of personal data between the E.U. and the U.K. The adequacy decision facilitates the implementation of the E.U.-U.K. Trade Cooperation Agreement, which foresaw the need for bilateral data flow and continued cooperation. The adequacy decision does, however, include a ‘sunset clause', limiting its duration to four years, at which point the European Commission will need to once again review the safeguards in place in the U.K.'s post-Brexit legal system and decide if the adequacy decision may be renewed. This lack of clarity on future U.K. laws and regulations and their interaction with E.U. laws and regulations could add legal risk, uncertainty, complexity and cost to our handling of E.U. personal information and our privacy and data security compliance programs. It is possible that over time the U.K. Data Protection Act 2018 could become less aligned with the GDPR, which could require us to implement different compliance measures for the U.K. and the E.U. and result in potentially enhanced compliance obligations for E.U. personal data. In Asia, there has been an increase in both regulation and enforcement of privacy laws. The Act on Protection of Personal Information originally enacted in June 2020 by the Japanese government, was amended and came into effect on April 1, 2022 (Amended APPI). Since the passage of the Amended APPI, a number of implementing regulations and supporting documents have been released, addressing the requirements for transferring personal data outside Japan, notifying security breaches and creating pseudonymous information exempt from certain obligations under the Amended APPI. We have taken steps to address compliance obligations that apply to us under the Amended APPI, but cannot assure you that such steps will be effective, and we may face the risk of increased costs, liability and loss of business. China (home to the most online users in the world) passed its DSL and its PIPL in 2021. The DSL applies to a wide range of data processing activities including, but not limited to, processing personal information. With extraterritorial scope and severe fines and penalties, these laws are set to impose an increasingly complex and comprehensive legal framework for processing personal information when doing business in China. The PIPL is enforced and administered by the Cyberspace Administration of China and relevant state and local government departments. The law draws from the GDPR, with heavy penalties up to the greater of 5% of the previous year's revenue (possibly global) or $7.7 million. Chinese authorities have demonstrated a willingness to impose significant fines for violations of PIPL and other privacy laws, as evidenced by enforcement actions against Alibaba Group Holding Ltd and Didi Global Inc. in 2022. As a reaction to data security concerns, in 2022, the Australian parliament approved a bill to amend the country's privacy legislation, significantly increasing the maximum penalties for companies and data controllers who suffer large-scale data breaches to the greater of: (i) AU$50 million, (ii) three times the value of any benefit obtained through the misuse of information, and (iii) 30% of a company's adjusted turnover in the relevant period. Previously, the penalty for severe data exposures was AU$2.22 million, considered by the current parliament to be wholly inadequate to incentivize companies to improve their data security mechanisms. The Office of the Australian Information Commissioner has new regulatory tools and flexibility that should, together with an ongoing focus on funding enforcement, see a more proactive regulator with capacity and capability to investigate and litigate more privacy incidents in Australia. We have taken steps to address compliance obligations that apply to us under the Amended APPI, the DSL, the PIPL and applicable Australian regulations, but cannot assure you that such steps will be effective, and we may face the risk of increased costs, liability and loss of business. In addition to government regulation, privacy advocates and industry groups may propose new and different self-regulatory standards that, if adopted, may apply to us, or which clients or clients' customers may require us to adopt. Because the interpretation and application of privacy and data protection laws, regulations, rules, and other standards are still uncertain, it is possible that these laws, rules, regulations, and other actual or alleged legal obligations, such as contractual or self-regulatory obligations, may be interpreted and applied in a manner that is inconsistent with our existing data management practices or the functionality of our solutions. If so, in addition to the possibility of fines, lawsuits and other claims, we could be required to fundamentally change our business activities and practices or modify our software, which could have an adverse effect on our business. Any failure or perceived failure by us to comply with laws, regulations, policies, legal, or contractual obligations, industry standards, or regulatory guidance relating to privacy or data security, may result in governmental investigations and enforcement actions, litigation, fines and penalties, or adverse publicity, and could cause our clients and partners to lose trust in us, which could have an adverse effect on our reputation and business. We expect that there will continue to be new proposed laws, regulations, and industry standards relating to privacy, data protection, marketing, consumer communications, and information security, and we cannot determine the impact such future laws, regulations, and standards may have on our business. Future laws, regulations, standards, and other obligations or any changed interpretation of existing laws or regulations could impair our ability to develop and market new functionality and maintain and grow our client base and increase revenue. Future restrictions on the collection, use, sharing, or disclosure of data, or additional requirements for express or implied consent of our clients, partners, or end users for the use and disclosure of such information could require us to incur additional costs or modify our solutions, possibly in a material manner, and could limit our ability to develop new functionality. If we are not able to comply with these laws or regulations, or if we become liable under these laws or regulations, we could be directly harmed, and we may be forced to implement new measures to reduce our exposure to this liability. This may require us to expend substantial resources or to discontinue certain solutions, which would negatively affect our business, financial condition, and operating results. In addition, the increased attention focused upon liability issues as a result of lawsuits and legislative proposals could harm our reputation or otherwise adversely affect the growth of our business. Furthermore, any costs incurred as a result of this potential liability could harm our operating results.