MeridianLink (MLNK) Risk Analysis

We have been in the past and may be, at any point, subject to legal proceedings and claims that arise in the ordinary course of business, such as claims brought by our customers in connection with commercial disputes, third party claims regarding our customer's use of our software, or employment claims made by current or former employees. In other instances, our customers become involved in litigation where we are required to provide information pursuant to a court order, subpoena, or customer request or where we may be named as co-defendants. From time to time, we also may initiate litigation to enforce our rights, including with respect to payments that we are owed. Litigation could result in reputational damage and substantial costs and may divert management's attention and resources, any of which may adversely impact our business, overall financial condition, and results of operations and affect the value of our common stock. While we maintain insurance coverage for certain types of claims, such insurance coverage may be insufficient to cover all losses or all types of claims that may arise. We are not currently aware of any material pending or threatened litigation against us but can make no assurances the same will continue to be true in the future. During the year ended December 31, 2024, we paid $1.5 million related to settlements of class action litigation claims and $0.4 million in third-party legal fees directly related to the settlements.

An increasing number of states have considered or adopted laws that attempt to impose sales tax collection obligations on out-of-state sellers. We do not collect state and local sales and use taxes in all jurisdictions in which our customers are located, based on our belief that such taxes are not applicable to us. Jurisdictions in which we do not collect sales and use taxes may assert that such taxes are applicable to us and require us to calculate, collect, and remit taxes, interest, and penalties, as well as collect such taxes in the future. In addition, one or more states, the federal government, or other countries may seek to impose additional reporting, record-keeping, or indirect tax collection obligations on businesses like ours that offer subscription services. State or local governments may require us to collect and remit sales and use taxes where we have not collected and remitted sales and use taxes that occurred in prior tax years. The imposition by state or local governments of sales tax collection obligations on out-of-state sellers could also create additional administrative burdens for us, subject us to additional costs, put us at a competitive disadvantage if similar obligations are not imposed on our competitors, and decrease our future sales, which could have an adverse effect on our business, financial condition, and results of operations.

The regulatory framework governing privacy, information security, data protection, and the collection, processing, storage, and use of certain information, particularly financial and other personally identifiable information, is rapidly evolving. We expect that there will continue to be new proposed and adopted laws, regulations, and industry standards concerning privacy, data protection, and information security in the United States. At the federal level, failing to take appropriate steps to keep consumers' personal information secure may constitute unfair acts or practices in or affecting commerce in violation of Section 5(a) of the Federal Trade Commission Act (the FTCA), 15 U.S.C § 45(a). The FTC expects a company's data security measures to be reasonable and appropriate in light of the sensitivity and volume of consumer information it holds, the size and complexity of its business and the cost of available tools to improve security and reduce vulnerabilities. In addition, certain state laws govern the privacy and security of personal information. For example, California enacted the California Consumer Privacy Act, or CCPA, which went into effect in January 2020 and established a comprehensive privacy framework for covered businesses by, among other things, creating an expanded definition of personal information, requiring companies covered by the legislation to provide certain disclosures to California residents and affording such individuals new data privacy rights, imposing special rules on the collection of consumer data from minors, and creating a new and potentially severe statutory damages framework for violations of the CCPA and for businesses that fail to implement reasonable security procedures and practices to prevent data breaches. Additionally, the California Privacy Rights Act, or CPRA, which went into effect January 1, 2023, amended and expanded the CCPA by imposing additional obligations on companies covered by the legislation. The CPRA significantly modified the CCPA, including by eliminating the exception for personal information processed in a business to business and/or human resources capacity, expanding California residents' rights with respect to certain sensitive personal information and establishing the California Privacy Protection Agency to enforce the legislation. The CCPA has required us to modify and augment our practices and policies and we may incur substantial costs and expenses in an effort to comply or respond to further changes to laws or regulations. Similar laws have been passed in numerous other states, and a number of other states have proposed new privacy laws, some of which are similar to the above discussed recently passed laws. Such proposed legislation, if enacted, may add additional complexity, variation in requirements, restrictions and potential legal risk, require additional investment of resources in compliance programs, impact strategies and the availability of previously useful data, and could result in increased compliance costs and/or changes in business practices and policies. The existence of comprehensive privacy laws in different states in the country would make our compliance obligations more complex and costly and may increase the likelihood that we may be subject to enforcement actions or otherwise incur liability for noncompliance. In addition, laws in all 50 U.S. states require businesses to provide notice to individuals if certain categories of their personal information are disclosed as a result of a qualifying data breach. Further, other states have proposed and/or passed legislation that regulates the privacy and/or security of certain specific types of information. For example, a small number of states have passed laws that regulate biometric data specifically. These various privacy and security laws may impact our business activities, including our identification of research subjects, relationships with business partners and ultimately the marketing and distribution of our products. State laws are changing rapidly and there is discussion in the U.S. Congress of a comprehensive federal data privacy law to which we could become subject to, if enacted. We cannot yet fully determine the impact that these or future laws, rules, and regulations may have on our business or operations. Any such laws, rules, and regulations may be inconsistent among different jurisdictions, subject to new or differing interpretations, or conflict with our current or future practices. Additionally, we may be bound by contractual requirements applicable to our collection, use, processing, and disclosure of various types of information, including financial and PII, and may be bound by, or voluntarily comply with, self-regulatory or other industry standards relating to these matters that may further change as laws, rules, and regulations evolve. Any failure or perceived failure by us, our third-party service providers, or any other third parties with which we do business, to comply with these laws, rules, and regulations, or with other obligations to which we or such third parties are or may become subject, may materially and adversely affect our business and results of operations, and result in reputational harm, governmental investigations and enforcement actions, litigation, claims, fines and penalties, or adverse publicity. Any of the foregoing could have a material adverse effect on our business, financial condition, results of operations, and prospects. Additionally, if in the future we seek to sell our solutions outside of the United States, we would face similar or potentially more stringent laws and regulations relating to personal privacy, information security, and data protection and we cannot be certain we would be able to adequately address these laws and regulations as part of any international expansion without incurring substantial costs and expenses to comply.

The markets in which we compete, however, are highly competitive, fragmented, evolving, complex, and defined by rapidly changing technology and customer demands. We currently compete with providers of technology and products in the financial services industry, primarily point solution vendors that focus on building functionality that competes with specific components of our solutions. From time to time, we also compete with systems internally developed by financial institutions. Many existing and potential competitors enjoy substantial competitive advantages, such as: - larger sales, development, support, and marketing budgets and resources;- the ability to bundle competitive offerings;- greater brand recognition and longer operating histories;- more extensive customer bases and broader customer relationships;- lower labor and development costs;- greater resources to make acquisitions;- larger and more mature intellectual property portfolios; and - substantially greater financial, technical, management, and other resources. Further, one of our competitors may establish or strengthen a cooperative relationship with, or acquire one or more software application, data analytics, compliance, or network vendors. We may also face competition from new companies entering our markets, which may include large established businesses that decide to develop, market, or resell cloud-based banking technology, acquire one of our competitors, or form a strategic alliance with one of our competitors. New companies entering our markets may choose to offer cloud-based consumer lending and related products at little or no additional cost to the customer by bundling them with their existing products, including adjacent financial services technologies. In addition, our current and potential customers have developed, and may continue to develop, their own in-house solutions that could replace our solutions within their organizations. We expect competition to intensify in the future, and these competitive pressures in our markets or our failure to compete effectively may result in fewer customers, increased pricing pressure, reduced revenues and gross profit, increased sales and marketing expenses, and loss of market share. Any failure to meet and address these factors could materially and adversely affect our business, operating results, and financial condition.

The market for our software solutions is characterized by rapid technological advancements, changes in customer requirements and technologies, frequent new solution introductions and enhancements, and changing regulatory requirements. The life cycles of our software solutions are difficult to estimate. Rapid technological changes and the introduction of new products and enhancements by new or existing competitors or large financial institutions could undermine our current market position. Other means of digital or virtual consumer lending and banking may be developed or adopted in the future, and our software solutions may not be compatible with these new technologies. In addition, the technological needs of, and services provided by, the banks, credit unions, mortgage lenders, specialty lending providers, and CRAs that we endeavor to serve may change if they or their competitors offer new services to account holders. Maintaining adequate research and development resources to meet the demands of the market is essential. The process of developing new technologies and software solutions is complex and expensive. The introduction of new products by our competitors, the market acceptance of competitive products based on new or alternative technologies, or the emergence of new technologies or products in the broader financial services industry has in the past and could in the future render our solutions obsolete or less effective. The success of any enhanced or new software solution depends on several factors, including timely completion, adequate testing, and market release and acceptance of the solution. Any new software solutions that we develop or acquire may not be introduced in a timely or cost-effective manner, may contain defects, or may not achieve the broad market acceptance necessary to generate significant revenues. In addition, we must continuously develop, market, and sell new features and functionalities to our existing software solutions that respond to the changing needs of our customers and offer better functionality than competing offerings from other providers. If we are unable to anticipate customer requirements or work with our customers successfully on implementing new software solutions or features in a timely manner or enhance our existing software solutions to meet our customers' requirements, our business, growth prospects, and operating results may be adversely affected.

Certain elements of our business and software solutions, particularly our origination and analytics solutions, involve the processing and storage of personally identifiable information, or PII, such as banking information and PII of our customers' clients. We may also have access to PII during various stages of the implementation process of our solutions or during the course of providing customer support. Furthermore, as we develop additional functionality, we may gain greater access to PII and process additional PII. While we maintain policies, procedures, and technological safeguards designed to protect the confidentiality, integrity, and availability of this information and our information technology systems, we cannot entirely eliminate the risk of improper, unlawful, or unauthorized access to, or disclosure, alteration, corruption, unavailability, or loss of PII or other data that we process or maintain, other security events that impact the integrity or availability of PII or other data or our systems and operations, or the related costs we may incur to mitigate the consequences from certain events such as the following: - third-party social engineering attempts (including phishing attacks) to fraudulently induce our employees, partners, or customers to disclose sensitive information;- malicious intrusions and attacks by individuals or groups of hackers and sophisticated organizations, such as state-sponsored organizations or nation-states, to launch coordinated attacks, such as ransomware and distributed denial-of-service attacks;- cyberattacks such as ransomware on our internally built infrastructure on which many of our solutions operate, or on third-party cloud-computing platform providers;- vulnerabilities resulting from the configuration, implementation, enhancement, or update of our software solutions, as well as in the products or components across the broad ecosystem that our solutions operate in conjunction with and are dependent on;- vulnerabilities or breach of those third-party providers' (cloud, software, data center, and other critical technology vendors) software, systems, or security measures or a failure in our third-party providers' data security procedures, measures, and policies;- vulnerabilities existing within new technologies and infrastructures, including those from acquired companies;- attacks on, or vulnerabilities in, the many different underlying networks and services that power the Internet that our products depend on, most of which are not under our control or the control of our vendors, partners or customers; and - employee or contractor human errors or intentional insider threats that compromise our security systems. As we integrate artificial intelligence, or AI, technologies to enhance efficiency and innovation, we must acknowledge associated cybersecurity risks. AI systems, while beneficial, can be exploited by cybercriminals for sophisticated attacks that evade traditional security measures. Bad actors around the world use increasingly sophisticated methods, including the use of AI, to engage in illegal activities involving the theft and misuse of PII, confidential data, and intellectual property. Unauthorized access to AI tools may lead to data manipulation, deepfake generation, and highly personalized spear-phishing campaigns. The rapid advancement of AI increases complexity in cyber threats. Although we have developed systems and processes designed to protect our customers' clients' sensitive data, we can provide no assurances that such measures will provide absolute security or that a cybersecurity incident, data breach, or other compromise will not occur. Our efforts to prevent, contain, and mitigate cyberattacks and other threats to our information technology systems may be impacted by factors such as: - changes to, and complexity of, techniques used to obtain unauthorized access to, or sabotage IT systems and infrastructure, which generally are not identified until after an initial launch against a target, resulting in a reduced ability to anticipate or implement adequate preventive measures;- continued refinement, updating, and replacement of our internal systems and technology, particularly when adopting new technologies and new methods of sharing data and communicating internally and with customers and partners;- the acquisition of new companies and their solutions, requiring us to integrate, improve, and secure different or more complex IT environments and technologies;- authorization by our customers to third-party technology providers to access their clients' data, which may lead to our customers' inability to protect their data that is stored on our servers;- our limited control over our customers or third-party technology providers, or the processing of data by third-party technology providers, which may not allow us to maintain the integrity or security of such transmissions or processing; and - increased risk of security compromises associated with our employees working remotely. A cybersecurity incident, data breach, or other compromise could result in operational disruptions, loss, compromise, unauthorized use of, or access to, alteration, or corruption of customer data or customers' client data or data we rely on to provide our software solutions, including our analytics initiatives and offerings, that impair our ability to provide our software solutions and meet our customers' requirements. Such impairment would result in decreased revenues and could otherwise negatively impact our financial results. Also, the occurrence, or perception of an occurrence, of any of these events could results in a loss of confidence in the security of our services, irreparable reputational damage, a decline in current and prospective customer use of our software solutions, business disruptions, increases in cybersecurity insurance premiums, and allocation of significant financial and operational resources in response, including repairing system damage, increasing security protection costs by deploying additional personnel and protection technologies, and defending against and resolving legal and regulatory claims and proceedings. The detection, prevention, and remediation of known or potential security vulnerabilities, including those arising from third-party hardware or software, may result in additional financial burdens due to additional direct and indirect costs, such as additional infrastructure capacity spending to mitigate any system degradation and the reallocation of resources from development activities. Furthermore, cybersecurity incidents, data breaches, and other compromises could expose us to legal, regulatory, and financial exposure and liability, notification requirements to affected stakeholders (including affected individuals, customers, investors, and regulators), third-party claims and lawsuits, indemnification, or other claims from customers and other third parties, regulatory investigations or proceedings, fines, or other actions or liabilities, which could adversely affect our business and results of operations. In addition, some of our customers contractually require notification of cybersecurity incidents, data breaches, and other compromises and include representations and warranties in their contracts with us that our software solutions comply with certain legal and technical standards related to cybersecurity and privacy and meets certain service levels. In certain of our contracts, a cybersecurity incident, data breach, or other compromise or operational disruption impacting us or one of our vendors, or system unavailability or damage due to other circumstances, may constitute a breach of contract and give rise to a customer's right to terminate their contract with us or may cause us to be liable for certain monetary penalties, including as a result of a failure to meet service level agreements. We moved to a fully remote work-from-home work model in 2020 and plan to continue operating as remote-first. In connection with the shift, we assessed our IT security measures, identify any vulnerabilities, and enhance protections against unauthorized access to our network and systems. We cannot guarantee these private work environments and electronic connections to our work environment have the same robust security measures deployed in our physical offices. We are unable to unequivocally affirm that the protective measures we have taken will remain sufficient given the ever-changing threat landscape, and any such related security compromise that may occur could materially and adversely impact our business, results of operations, or reputation. Like other companies in our industry, we, and our third party vendors, have experienced threats and cybersecurity incidents relating to our information technology systems and infrastructure. Because of the frequently changing nature of attack techniques, along with the increased volume and sophistication of the attacks, there is the continued potential for us to be adversely impacted. This impact could result in reputational, competitive, operational or other business harm, as well as financial costs, including fines from regulators and other regulatory action. We maintain cybersecurity insurance in the event of an information security or cyber incident, however, the coverage may not be sufficient to cover all financial losses. In these circumstances, it may be difficult or impossible to cure such a cybersecurity incident, data breach, or other compromise in order to prevent customers from potentially terminating their contracts with us. Furthermore, although our customer contracts typically include limitations on our potential liability, there can be no assurance that such limitations of liability would be adequate. We also cannot be sure that our existing general liability insurance coverage and coverage for errors or omissions will be available on acceptable terms or in sufficient amounts to cover one or more claims or that our insurers will not deny or attempt to deny coverage as to any future claim. The successful assertion of one or more claims against us, the inadequacy or denial of coverage under our insurance policies, litigation to pursue claims under our policies, or the occurrence of changes in our insurance policies, including premium increases or the imposition of large deductible or coinsurance requirements, could adversely affect our business and results of operations.

We believe our future success will depend in large part upon our ability to attract and retain highly skilled managerial, technical, finance, creative, and sales and marketing personnel. Moreover, we believe that our future success is highly dependent on the contributions of our executive officers. All of our officers and other employees are at-will employees, which means they may terminate their employment relationship with us at any time, and their knowledge of our business and industry would be extremely difficult to replace. In addition, the loss of any key employees or the inability to attract or retain qualified personnel could delay the development and introduction of, and harm our ability to sell, our software solutions and harm the market's perception of us. We may be unable to attract and retain suitably qualified individuals who are capable of meeting our growing sales, operational, and managerial requirements, or may be required to pay increased compensation in order to do so. Furthermore, although we believe a remote-first work model will help us attract and retain talent across a broad geographic base, a remote work environment could, among other things, negatively impact company culture, employee morale, and productivity, inhibit our ability to hire and train new employees, and impede our ability to support customers at the levels they expect. If we are unable to attract and retain the qualified personnel we need to succeed, our business will suffer. Volatility or lack of performance in our stock price may also affect our ability to attract and retain our key employees. Certain of our employees have become, or will soon become, vested in a substantial amount of stock options or restricted stock units. Employees may be more likely to leave us if the shares they own or the shares underlying their vested options have significantly appreciated in value relative to the original purchase prices of the shares or the exercise prices of the vested options, or if the exercise prices of the options that they hold are significantly above the market price of our common stock. In addition, job candidates and existing employees often consider the actual and potential value of the equity awards they receive as part of their overall compensation. If the perceived value or future value of our stock declines, our ability to attract and retain highly skilled employees may be adversely affected. If we are unable to retain or find a suitable replacement for our named executive officers or other key employees, our business will be harmed.

We have used, and intend to continue to use, unrelated third parties to provide us with technology development services, through individuals based in India. We have increased the amount of our product development work performed by contractors in India to expand our access to additional resources so we can meet the needs of our increased development efforts. However, we may not achieve the cost savings and other benefits we anticipate from these programs, and we may not be able to find sufficient numbers of developers with the necessary skill sets in India to meet our needs. While our experience to date with our India-based contractors has been positive, there is no assurance that this will continue. Specifically, there are a number of risks associated with this activity, including, but not limited to, the following: - communications and information flow may be less efficient and accurate as a consequence of the time and distance differences between our primary development organization and the foreign-based activities, resulting in delays in development or errors in the software developed;- in addition to the risk of misappropriation of intellectual property from departing personnel, there is a general risk of the potential for misappropriation of our intellectual property that might not be readily discoverable;- the ability to obtain fulsome rights to intellectual property arising from the work performed by India-based individuals may be more difficult than it is with respect to intellectual property arising from work performed for us by our U.S.-based employees;- the quality of the development efforts undertaken offshore may not meet our requirements, including due to experiential differences, resulting in potential product errors and/or delays;- currency exchange rates could fluctuate and adversely impact the cost advantages intended from maintaining these relationships; and - as would be the case with any of our third-party developers, if those based in India were to leave their employment or if the third-party development services agreement with us were terminated, we would lose some short-term development capacity, and while we believe we would still be able to continue maintaining and improving all of our service offerings, we would need to expend resources and management time to on-board additional development resources. In addition, as a result of the foregoing arrangements, we have a heightened risk exposure to changes in the economic, security, and political conditions of India. Economic and political instability, military actions, and other unforeseen occurrences in India could impair our ability to develop and introduce new software applications and functionality in a timely manner, which could put our products at a competitive disadvantage whereby we lose existing customers and/or fail to attract new customers.

Our overall performance depends on economic conditions, which are beyond our control and may be difficult or impossible to forecast. The United States and other key international economies have experienced significant economic and market downturns and periods of uncertainty, including recently in connection with elevated interest rates and inflation, and are likely to experience additional cyclical downturns from time to time, in which economic activity is impacted by falling demand for a variety of goods and services, restricted credit, poor liquidity, inflation, fluctuations in interest rates, reduced corporate profitability, volatility in credit and equity markets, bankruptcies, and overall uncertainty. Macroeconomic developments can arise suddenly, as did the conditions associated with the fluctuating rates of inflation, and the full impact can be difficult to predict. Changes in laws, policies and regulations, including in connection with changes in policies and regulations in connection with the new presidential administration, and adverse macroeconomic conditions, including inflation, slower growth or recession, changes to fiscal and monetary policy, tighter credit, higher or fluctuating interest rates, high unemployment, and currency fluctuations have in the past and may in the future adversely impact the rate of technology spending generally and could adversely affect our customers' ability or willingness to purchase our software solutions, delay prospective customers' purchasing decisions, reduce the value or duration of their subscriptions or affect renewal rates, or impact the demand for our customers' services, any of which could adversely affect our results of operations. In addition, changes in laws, regulations, and governmental policies may require us to devote significant time and resources to modify our solutions to reflect such changes in law, regulations, and governmental policies. As a result, our operating results are sensitive to changes in political and macroeconomic conditions that impact our customers' technology spending and overall usage, volume, and type of transactions handled or processed using our software solutions. We continue to evaluate, and adjust, our hiring plans and investment spending accordingly. We are monitoring the potential effects of changed rate of spending on software solutions, purchasing decisions, delayed payments, and supply chain shortages on our business. To the extent economic volatility adversely affects our business, results of operations, financial condition, or liquidity, many of the other risks described in this "Risk Factors" section may also be heightened.