Global Business Travel Group (GBTG) Risk Analysis

The travel industry is subject to changing client preferences and demands relating to travel and travel-related services, including in response to constant and rapid technological change. If we are unable to develop or enhance technology in response to such changes, products or technologies offered or developed by our competitors may render our services less attractive to travelers. Our ability to provide best-in-class service to our travelers depends upon the use of sophisticated information technologies and systems, including technologies and systems used for reservation systems, communications, procurement and administrative systems. As our operations grow in both size and scope, we continuously need to improve and upgrade our systems and infrastructure to offer and provide support for an increasing number of travelers and travel providers enhanced products, services, features and functionality, while maintaining the reliability and integrity of our systems and infrastructure. We may fail to effectively scale and grow our systems and infrastructure to accommodate these increased demands. Further, our systems and infrastructure may not be adequately designed with the necessary reliability and redundancy to avoid performance delays or outages that could be harmful to our business, or could contain errors, bugs or vulnerabilities. Our future success also depends on our ability to understand, adapt and respond to rapidly changing technologies in the travel industry that will allow us to address evolving industry standards and to improve the breadth, diversity and reliability of our services in a cost effective manner. We may not be successful, or may be less successful than our current or new competitors, in developing such technology, which would negatively impact our business and financial performance. If we are not able to maintain existing systems, obtain new technologies and systems, or replace or introduce new technologies and systems as quickly as our competitors or in a cost-effective manner, our business and operations could be materially adversely affected. Also, we may not achieve the benefits anticipated or required from any new technology or system or be able to devote financial resources to new technologies and systems in the future.

We, and our travel suppliers and third-party service providers on our behalf, collect, use and transmit a large volume of personal information. The secure transmission of client information over the internet is essential in maintaining the confidence of travel suppliers and travelers. Substantial or ongoing data security breaches or cyber-attacks, whether instigated internally or externally on our system or other internet-based systems, expose us to a significant risk of loss, theft, the rendering inaccessible, improper disclosure or misappropriation of this information, and resulting regulatory actions, litigation (including class action litigation) and potential liability, damages and regulatory fines and penalties, and other related costs (including in connection with our investigation and remediation efforts), which could significantly affect our reputation and harm our business. Further, some of our third-party service providers, travel suppliers and other third parties may receive or store information, including client information provided by us. Our travel suppliers currently require most travelers to pay for their transactions with their credit card, especially in the United States. Increasingly sophisticated technological capabilities pose greater cybersecurity threats and could result in a cyber-attack or a compromise or breach of the technology that we use to protect client transaction data. Any significant adverse change in any of these factors could have a material adverse effect on our business, results of operations and financial condition. We develop and maintain systems and processes aimed at detecting and preventing data breaches and fraudulent activity, which require significant investment, maintenance and ongoing monitoring and updating as technologies and regulatory requirements change and as efforts to overcome security measures become more sophisticated. We may need to increase our security-related expenditures to maintain or increase our systems' security in the future. Despite our efforts, the possibility of data breaches, malicious social engineering and fraudulent or other malicious activities, deep fake attacks and human error or malfeasance cannot be eliminated entirely, and risks associated with each of these remain, including the unauthorized disclosure, release, gathering, monitoring, misuse, loss or destruction of confidential, proprietary and other information (including account data information), online accounts and systems. .In addition, to the extent we experience a cyber-attack or security breach, we may be unsuccessful in implementing remediation plans to address exposure and future harms. It is possible that computer circumvention capabilities, new discoveries or advances or other developments, which change frequently and often are not recognized until launched against a target, could result in a compromise or breach of client data, even if we take all reasonable precautions, including to the extent required by law. These risks are likely to increase as we expand our offerings, expand internationally, integrate our products and services, and store and process more data, including personal information and other sensitive data. Further, if any of our third-party service providers, travel suppliers or other third parties with whom we share client data fail to implement adequate data-security practices or fail to comply with our terms and policies or otherwise suffer a network or other security breach, our clients' information may be improperly accessed, used or disclosed. We maintain a comprehensive portfolio of insurance policies to meet both our legal obligations and to cover perceived risks within our business, including those related to cybersecurity. We believe that our coverage and the deductibles under these policies are adequate for the risks that we face. Cyber-attacks are increasing in number and sophistication, are well-financed, in some cases supported by nation-state actors, and are designed to not only attack, but also to evade detection. Since the techniques used to obtain unauthorized access to systems, or to otherwise sabotage them, change frequently and are often not recognized until launched against a target, we may be unable to anticipate these techniques or to implement adequate detection or preventative measures. The emergence and maturation of artificial intelligence capabilities has led to new and/or more sophisticated methods of attack, including fraud that relies upon "deep fake" impersonation technology, of which we have been a target, or other forms of generative automation that have scaled up the effectiveness of cyber threat activity. If a party (whether internal, external, an affiliate or unrelated third-party) is able to circumvent our data security systems or those of the third parties with whom we share client information, or engage in cyber-attacks, such cyber-attacks or data breaches could result in such party obtaining our proprietary information, the loss, theft or inaccessibility of, unauthorized access to, or improper use or disclosure of, our clients' data and/or significant interruptions in our operations. Cyber-attacks and security breaches could also result in severe damage to our IT infrastructure, including damage that could impair our ability to offer our services. In addition, cyber-attacks or security breaches could result in negative publicity, damage our reputation, divert management's time and attention, increase our expenditure on cybersecurity measures, expose us to risk of loss or litigation and possible liability, subject us to regulatory penalties and sanctions (and lead to further enhanced regulatory oversight), or cause travelers and potential travel suppliers to lose confidence in our security and choose to use the services of our competitors, any of which would have a material adverse effect on our business, results of operations and financial condition. If such disruptions or breaches are not detected immediately, their effect and resulting impact could be compounded.

We are, and in the future, may be, subject to legal proceedings in the course of our business, including, but not limited to, actions relating to contract disputes, business practices, intellectual property and other commercial and tax matters. Such legal proceedings may involve claims for substantial amounts of money or for other relief or might necessitate changes to our business or operations, and the defense of such actions may be both time consuming and expensive. Further, if any such proceedings were to result in an unfavorable outcome, it could result in reputational damage and have a material adverse effect on our business, financial position and results of operations. Insurance may not cover such claims, may not provide sufficient payments to cover all of the costs to resolve one or more such claims and may not continue to be available on terms acceptable to us.

We are a multinational group and as such are subject to a variety of taxes in the United States and other jurisdictions where we operate. Tax laws and tax rates for income and other taxes in these jurisdictions may be subject to significant change as a result of the political and economic environment. We cannot predict the outcome of any specific legislative changes. Significant judgment is required in determining our worldwide provision for income taxes and our effective tax rate may change from year to year depending on a variety of factors including the mix of activities and income allocated or earned among various jurisdictions, the operation of tax laws in these jurisdictions, the classification of our legal entities for US tax purposes, tax treaties between countries, our eligibility for benefits under those tax treaties, changes in uncertain tax provisions and the estimated values of deferred tax assets and liabilities. Such changes could result in an increase in the effective tax rate applicable to all or a portion of our income which would reduce our profitability. In the ordinary course of our business, our tax returns for both income and non-income taxes are routinely subject to audit and adjustment by local tax authorities. Uncertain tax positions for income taxes and non-income tax reserves are evaluated on a quarterly basis in light of all current facts and circumstances. Although we believe our tax estimates are reasonable, the amount could change as a result of changes in facts and circumstances, changes in tax law, new audit activity and effectively settled issues under audit. The interpretation of tax laws and the determination of any potential liability can be subject to different interpretations, and therefore the amount of our liability may exceed our established reserves. Global taxing standards continue to evolve as a result of the Organization for Economic Co-Operation and Development ("OECD") recommendations aimed at preventing perceived base erosion and profit shifting ("BEPS") by multinational corporations. While these recommendations do not change tax law, the countries where we operate may implement legislation or take unilateral actions which may result in adverse effects to our income tax provision and financial statements. Current developments in tax legislation globally also mean that despite us having significant net operating losses ("NOLs"), the rate of monetization of these NOLs is likely to be affected. Many tax authorities already limit the utilization of NOLs to a percentage of current year taxable income (typically in the range of 50%-80%). This will result in cash tax outflows in years of profit even where significant NOLs exist.

We or our travel suppliers and third-party service providers collect, use, analyze and transmit a large volume of personal information in processing travel transactions and delivering other travel-related products and services. There are numerous laws with a significant impact on our operations regarding privacy, cybersecurity and the storage, sharing, use, analysis, processing, transfer, disclosure and protection of personal information and consumer data, the scope of which are changing, subject to differing interpretations, and may be inconsistent between states within a country or between countries. For example, the GDPR, UK GDPR and UK Data Protection Act impose numerous technical and operational obligations on processors and controllers of personal data and have resulted and will continue to result in significantly greater compliance burdens and costs for companies with users and operations in the EU and the United Kingdom. Further, we are subject to evolving laws and regulations that dictate whether, how, and under what circumstances we can transfer, process and/or receive personal data. For example, in July 2020, the Court of Justice of the European Union ("CJEU") invalidated the "EU-US Privacy Shield," a framework for transfers of personal data from the European Economic Area to the United States. While the same CJEU decision considered and left intact the Standard Contractual Clauses ("SCCs"), another mechanism to safeguard data transfers from the EU to third countries, including the United States, reliance on SCCs is subject to enhanced due diligence on the data importer's national laws, according to the CJEU. Additional measures may have to accompany the SCCs for a transfer to be compliant. If a new transatlantic data transfer framework is not adopted and we are unable to continue to rely on SCCs or validly rely upon other alternative means of data transfers from the European Economic Area or the United Kingdom to the United States and other countries where safeguards for transfers of personal data are required under the GDPR (and UK GDPR), we may be unable to operate material portions of our business in the European Economic Area or the United Kingdom as a result of the CJEU's ruling and related guidance of competent European and national agencies, which would materially and adversely affect our business, financial condition, and results of operations. Additionally, if we are restricted from sharing data among our products and services, or if we are restricted from sharing data with our travel suppliers and third-party service providers, it could affect our ability to provide our services or the manner in which we provide our services. Our current data transfer practices may also be more closely reviewed by supervisory authorities and could become subject to private actions. In the United States, the California Consumer Privacy Act ("CCPA") and the California Privacy Rights Act ("CPRA") limit how we may collect and use personal information, including by requiring companies that process information relating to California residents to make disclosures to consumers about their data collection, use and sharing practices, provide consumers with rights to know and delete personal information and allow consumers to opt out of certain data sharing with third parties. The CPRA also creates new rights for California residents to direct a business to limit the use and disclosure of such information to that which is necessary to perform the services reasonably expected by the consumer and to request that a company correct inaccurate personal information that is retained by the company. The Virginia Consumer Data Protection Act, which took effect in January 2023, gives new data protection rights to Virginia residents and imposes additional obligations on controllers and processors of consumer data similar to the CCPA and CPRA. A number of other U.S. states have recently signed into law or are considering legislation governing the handling of personal data, indicating a trend toward more stringent privacy legislation in the United States. In addition to the existing framework of data privacy laws and regulations, the U.S. Congress, U.S. state legislatures and many states and countries outside the United States are considering new privacy and security requirements that would apply to our business. Compliance with current or future privacy, cybersecurity, data protection, data governance, account access and information and cybersecurity laws requires ongoing investment in systems, policies and personnel and will continue to impact our business in the future by increasing our legal, operational and compliance costs and could significantly curtail our collection, use, analysis, sharing, retention and safeguarding of personal information and restrict our ability to fully maximize our closed-loop capability, deploy data analytics or AI technology or provide certain products and services, which could materially and adversely affect our profitability. We or our third-party service providers could be adversely affected if legislation or regulations are expanded to require changes in our or our third-party service providers' business practices or if governing jurisdictions interpret or implement their legislation or regulations in ways that negatively affect our or our third-party service providers' business, results of operations or financial condition. As a merchant that processes and accepts cards for payment, we have adopted and implemented internal controls over the use, storage and security of card data pursuant to the Payment Card Industry Data Security Standards ("PCI-DSS"). We assess our compliance with the PCI-DSS rules on a periodic basis and make necessary improvements to our internal controls. If we fail to comply with these rules or requirements, we may be liable for card issuing banks' costs, subject to fines and higher transaction fees, and lose our ability to accept credit and debit card payments from our clients, or facilitate other types of online payments, and our business and operating results could be adversely affected. For existing and future payment options we offer to both our business clients and travel suppliers, we may become subject to additional regulations and compliance requirements, such as the EU Payment Services Directive or local tokenization requirements including obligations to implement enhanced authentication processes, which could result in significant costs to us and our travel suppliers and reduce the ease of use of our payments options. While we have taken steps to comply with privacy, cybersecurity, data protection, data governance, account access and information and cybersecurity laws and PCI-DSS, any failure or perceived failure by us, our third-party service providers, our independent travel advisors or our partners or affiliates to comply with the privacy policies, privacy- or cybersecurity-related obligations to travelers or other third parties, or privacy- or cybersecurity-related legal obligations could result in potentially significant regulatory and/or governmental investigations and/or actions, litigation, fines, sanctions, monetary penalties and damages, ongoing regulatory monitoring and increased regulatory scrutiny, client attrition, diversion of management's time and attention, decreases in the use or acceptance of our cards and damage to our reputation and our brand, all of which could have a material adverse effect on our business and financial performance. In recent years, there has been increasing regulatory enforcement and litigation activity in the areas of privacy, data protection and information and cybersecurity in the United States, the EU and various other countries in which we operate.

The travel industry, and the business travel services industry, are highly competitive, and if we cannot compete effectively against the number and type of sellers of travel-related services, we may lose sales to our competitors, which may adversely affect our financial results and performance. We currently compete, and will continue to compete, with a variety of travel and travel-related companies, including other business travel management service providers, consumer travel agencies and emerging and established online travel agencies. We also compete with travel suppliers, such as airlines and hotels, where they market their products and services directly to business travelers through their platforms to book and fulfill travel, including by offering more favorable rates, exclusive products and services and loyalty points to business travelers who purchase directly from such travel suppliers ("B2C"). B2C may include business travelers who purchase travel outside of a company-sponsored and managed channel, or whose companies do not have such a channel. We compete, to a lesser extent, with credit card loyalty programs, online travel search and price comparison services, facilitators of alternative accommodations such as short-term home or condominium rentals and social media and e-commerce websites. Some of our competitors may have access to more financial resources, greater name recognition and better established client bases in their target client segments, differentiated business models, technology and other capabilities or a differentiated geographic coverage, which may make it difficult for us and our Network Partners to retain or attract new clients. We cannot guarantee that we will be able to compete successfully against any current, emerging and future competitors or provide sufficiently differentiated products and services to our client and traveler base. Increasing competition from current and emerging competitors, consolidation of our competitors, the introduction of new technologies and the continued expansion of existing technologies may force us to make changes to our business models, which could materially and adversely affect our business, financial condition, results of operations and prospects. If we cannot compete effectively against the number and type of sellers of travel-related services, we may lose sales to our competitors, which may adversely affect our financial results and performance.

Some of our travel suppliers, including some of the largest airlines, have sought to increase usage of direct distribution channels. For example, these travel suppliers are trying to move more client traffic to their proprietary websites. This direct distribution trend enables them to apply pricing pressure on intermediaries and negotiate travel distribution arrangements that are less favorable to intermediaries. With travel suppliers' adoption of certain technology solutions over the last decade, air travel suppliers have increased the proportion of direct bookings relative to indirect bookings. In the future, airlines may increase their use of direct distribution, which may cause a material decrease in their use of our services. Travel suppliers may also offer travelers advantages through their websites such as special fares and bonus miles, which could make their offerings more attractive than those available from us. The possible loss of content (e.g., certain fares, including net fares and NDC content, and availability) from our travel suppliers would also negatively impact us. In addition, with respect to ancillary products, travel suppliers may choose not to comply with the technical standards that would allow ancillary products to be immediately distributed via intermediaries, thus resulting in a delay before these products become available through us relative to availability through direct distribution. In addition, if enough travel suppliers choose not to develop ancillary products in a standardized way with respect to technical standards our investment in adapting our various systems to enable the sale of ancillary products may not be successful. Companies with close relationships with end clients, like Facebook, as well as new entrants introducing new paradigms into the travel industry, such as metasearch engines like Google, may promote alternative distribution channels by diverting client traffic away from intermediaries and travel agents, which may adversely affect our business, financial condition and results of operations.

If we are unable to maintain or enhance the reputation of our brands, including the American Express Global Business Travel and American Express GBT Meetings & Events brands which include the American Express trademarks licensed under the A&R Trademark License Agreement with American Express, and generate demand in a cost-effective manner, it could negatively impact our ability to compete in the travel industry and could have a material adverse effect on our business, financial condition and results of operations. Brand value can be severely damaged even by isolated incidents, particularly if the incidents receive considerable negative publicity or result in litigation. Some of these incidents may occur in the ordinary course of our business or the business of our partners or affiliates. Other incidents may arise from events that are or may be beyond our control and may damage our brands, such as actions taken (or not taken) by one or more travel suppliers, travel advisors, partners or affiliates relating to information security and data privacy, adverse publicity, litigation and claims, failure to maintain high ethical and moral standards for all of our operations and activities, failure to comply with local laws and regulations, and illegal activity targeted at us or others. If, under the A&R Trademark License Agreement, certain events impacting the licensed American Express trademarks used in our business occur, we may be required to financially contribute to a fund to rehabilitate the licensed American Express trademarks used in our business and/or American Express may be entitled to terminate the A&R Trademark License Agreement. Our brand value could diminish significantly if any such incidents or other matters erode client confidence in us or in American Express with respect to the licensed American Express trademarks used in our business, which may result in a decrease in client activity, our total travel advisor count and, ultimately, lower fees, which in turn could materially and adversely affect our business, financial condition and results of operations.

The global travel industry, and as a result, our business and financial performance, are affected by macroeconomic conditions. Travel expenditures are sensitive to personal and business-related discretionary spending levels and tend to decline or grow more slowly during economic downturns, including during periods of slow, slowing or negative economic growth, higher unemployment or inflation rates, weakening currencies and concerns over government responses such as higher taxes or tariffs, increased interest rates and reduced government spending. Concerns over government responses to declining economic conditions such as higher taxes and reduced government spending could impair consumer and business spending and have an adverse effect on travel demand. In addition, our relative exposure to certain sectors compared to the broader economy may mitigate or exacerbate the effect of macroeconomic conditions. The global travel industry, which historically has grown at a rate in excess of global GDP growth during economic expansions, has experienced cyclical downturns in the past in times of economic decline or uncertainty. Future adverse economic developments in areas such as employment levels, business conditions, interest rates, tax rates, environmental impacts, fuel and energy costs and other matters could reduce discretionary spending and cause the travel industry to contract. Other macroeconomic uncertainties beyond our control, such as oil prices, geopolitical tensions, consumer confidence, large-scale business failures, tightened credit markets and stock market volatility, terrorist attacks, changing, unusual or extreme weather or natural disasters such as earthquakes, hurricanes, tsunamis, floods, fires, droughts and volcanic eruptions (whether due to climate change or otherwise), travel-related health concerns including pandemics and epidemics such as COVID-19, Ebola and Zika, political instability, changes in economic conditions, wars and regional and international hostilities, such as Russia's invasion of Ukraine and conflicts in the Middle-East, tensions between China and Taiwan, the imposition of taxes, tariffs or surcharges by regulatory authorities, changes in trade policies or trade disputes, changes in immigration policies or other travel restrictions or travel-related accidents have previously and may in the future create volatility in the travel market and negatively impact client travel behavior. In addition, an increased focus on the environmental impact of travel could also affect the travel market and travel behavior due to the rise of sustainability regulations. While we strive to promote our and our clients' mutual commitment to a more sustainable future for business travel, if we are unable to find economically viable and/or publicly acceptable solutions that allow us to maintain our commitment to sustainability and net-zero emissions, we could lose business or experience reputational harm. As an intermediary in the travel industry, a significant portion of our revenue is affected by prices charged by our travel suppliers, including airlines, hotels and car rental companies. Events or weaknesses specific to a supplier industry segment could negatively affect our business. For example, events specific to the airline industry that could impact us include airfare fluctuations, airport, airspace and landing fee increases, increases in fuel prices, environmental impacts, seat capacity constraints, removal of destinations or flight routes, travel-related strikes or labor unrest, political instability and wars. Similarly, travel suppliers often face destination overcapacity issues and imposition of taxes or surcharges by regulatory authorities, which can lower their travel volumes and impact our revenue. During periods of poor economic conditions, airlines and hotels tend to reduce rates or offer discounted sales to stimulate demand, thereby reducing our commission-based income. A slowdown in economic conditions, macroeconomic volatility, inflationary pressures and fuel and energy cost volatility that result in the bankruptcy of travel suppliers or otherwise cause them to cease or limit their operations, may also result in a decrease in transaction volumes and have an adverse effect on our business and results of operations. While decreases in prices for flights and other travel products generally increase demand, such price decreases generally also have a negative effect on the commissions and other financial incentives we earn. The overall effect of price increases or decreases in the global travel industry is therefore uncertain. The uncertainty of macroeconomic factors and their impact on client behavior, which may differ across regions, makes it more difficult to forecast industry and client trends and the timing and degree of their impact on our markets and business, which in turn could adversely affect our ability to effectively manage our business and could materially and adversely affect our business, financial condition and results of operations.

We have a proprietary presence in over 31 countries worldwide, including the United States, United Kingdom, Canada, Germany, Mexico, China and France, and we indirectly provide services to travelers worldwide through our partners and affiliates. Our international operations can pose complex management, compliance, foreign currency, legal, tax, labor, data privacy and economic risks that we may not adequately address, including changes in the priorities and budgets of international travelers and geopolitical uncertainties, which may be driven by changes in threat environments and potentially volatile worldwide economic conditions, various regional and local economic and political factors, risks and uncertainties, as well as U.S. foreign policy. We are also subject to a number of other risks with respect to our international operations, including: - the absence in some jurisdictions of effective laws to protect our intellectual property rights;- multiple and possibly overlapping and conflicting tax laws;- duties, taxes or government royalties, including the imposition or increase of withholding and other taxes on the activities of, and remittances and other payments by, our non-U.S. subsidiaries;- restrictions on movement of cash;- the burden of complying with a variety of national and local laws and regulations;- political, economic and social instability, including as a result of the war in Ukraine and the conflicts in the Middle East, along with any other geopolitical conflicts including emerging tensions between China and Taiwan;- currency fluctuations;- longer payment cycles;- price controls or restrictions on exchange of foreign currencies;- trade barriers, including further legislation or actions taken by the United States or other countries that restrict trade, as well as protectionist or retaliatory measures taken by the United States and other countries; and - potential travel restrictions. The existence of any one of these risks could harm our international business and, consequently, our operating results. Additionally, operating in international markets requires significant management attention and financial resources and may negatively affect our business and financial results.

Governments, investors, customers, employees and other stakeholders are increasingly focusing on climate change and sustainability-related matters, including corporate ESG practices and disclosures, and expectations in this area are rapidly evolving. In addition, new ESG laws and regulations are expanding mandatory disclosure, reporting and diligence requirements. Changes in consumer and corporate preferences, travel patterns and legal requirements could impact our revenues or expenses or otherwise adversely affect our business, and/or our customers and partners. We occasionally announce new initiatives, including goals, under our ESG framework. This framework is aligned with our areas of interest as a purpose led company and includes environment and sustainability, social impact, inclusion, effective governance and supply chain management, among others. The criteria by which our ESG practices are assessed may change due to the quickly evolving landscape, which could result in greater expectations of us and may cause us to undertake costly initiatives to satisfy such new criteria. Moreover, the increasing attention to corporate ESG initiatives could also result in reduced demand for travel related products, reduced profits and increased regulatory examinations, investigations and potential litigation. If we are unable to satisfy such criteria, investors may conclude that our policies and/or actions with respect to ESG matters are inadequate. If we fail or are perceived to have failed to achieve previously announced initiatives or goals or to accurately disclose our progress on such initiatives or goals, our reputation, business, financial condition and results of operations could be adversely impacted.