MeridianLink (MLNK) Risk Factors

We have been in the past and may be, at any point, subject to legal proceedings and claims that arise in the ordinary course of business, such as claims brought by our customers in connection with commercial disputes or employment claims made by current or former employees. In other instances, our customers become involved in litigation where we are required to provide information pursuant to a court order, subpoena, or customer request or where we may be named as co-defendants. From time to time, we also may initiate litigation to enforce our rights, including with respect to payments that we are owed. Litigation could result in reputational damage and substantial costs and may divert management's attention and resources, any of which may adversely impact our business, overall financial condition, and results of operations and affect the value of our common stock. While we maintain insurance coverage for certain types of claims, such insurance coverage may be insufficient to cover all losses or all types of claims that may arise. We are not currently aware of any material pending or threatened litigation against us but can make no assurances the same will continue to be true in the future. During the three months ended June 30, 2024, we recorded estimated settlement charges amounting to $1.5 million related to the expected settlements of class action litigation claims. There were no such costs incurred or recorded in any of the other periods presented.

An increasing number of states have considered or adopted laws that attempt to impose sales tax collection obligations on out-of-state sellers. We do not collect state and local sales and use taxes in all jurisdictions in which our customers are located, based on our belief that such taxes are not applicable to us. Jurisdictions in which we do not collect sales and use taxes may assert that such taxes are applicable to us and require us to calculate, collect, and remit taxes, interest, and penalties, as well as collect such taxes in the future. In addition, one or more states, the federal government, or other countries may seek to impose additional reporting, record-keeping, or indirect tax collection obligations on businesses like ours that offer subscription services. For example, on June 21, 2018, the Supreme Court held in South Dakota v. Wayfair, Inc. that the state in which the buyer is located could impose sales tax collection obligations on out-of-state sellers even if those sellers lack any physical presence within the state imposing the sales taxes. In response to Wayfair, state or local governments may require us to collect and remit sales and use taxes where we have not collected and remitted sales and use taxes that occurred in prior tax years. The imposition by state or local governments of sales tax collection obligations on out-of-state sellers could also create additional administrative burdens for us, subject us to additional costs, put us at a competitive disadvantage if similar obligations are not imposed on our competitors, and decrease our future sales, which could have an adverse effect on our business, financial condition, and results of operations.

The regulatory framework governing privacy, information security, data protection, and the collection, processing, storage, and use of certain information, particularly financial and other personally identifiable information, is rapidly evolving. We expect that there will continue to be new proposed and adopted laws, regulations, and industry standards concerning privacy, data protection, and information security in the United States. For example, California enacted the California Consumer Privacy Act, or CCPA, which went into effect in January 2020 and, among other things, requires companies covered by the legislation to provide new disclosures to California consumers and afford such consumers new rights of access and deletion for personal information, as well as the right to opt-out of collection of their data and certain sales of personal information. Additionally, the California Privacy Rights Act, or CPRA, amends and expands the CCPA and went into effect January 1, 2023. The CCPA has required us to modify and augment our practices and policies and incur substantial costs and expenses in an effort to comply or respond to further changes to laws or regulations. Similar laws have been passed in numerous other states, and a number of other states have proposed new privacy laws, some of which are similar to the above discussed recently passed laws. Such proposed legislation, if enacted, may add additional complexity, variation in requirements, restrictions and potential legal risk, require additional investment of resources in compliance programs, impact strategies and the availability of previously useful data, and could result in increased compliance costs and/or changes in business practices and policies. The existence of comprehensive privacy laws in different states in the country would make our compliance obligations more complex and costly and may increase the likelihood that we may be subject to enforcement actions or otherwise incur liability for noncompliance. In addition, laws in all 50 U.S. states require businesses to provide notice to individuals if certain of their personal information has been disclosed as a result of a qualifying data breach. Further, other states have proposed and/or passed legislation that regulates the privacy and/or security of certain specific types of information. For example, a small number of states have passed laws that regulate biometric data specifically. These various privacy and security laws may impact our business activities, including our identification of research subjects, relationships with business partners and ultimately the marketing and distribution of our products. State laws are changing rapidly and there is discussion in the U.S. Congress of a new comprehensive stringent federal data privacy law to which we may likely become subject, if enacted. We cannot yet fully determine the impact that these or future laws, rules, and regulations may have on our business or operations. Any such laws, rules, and regulations may be inconsistent among different jurisdictions, subject to new or differing interpretations, or conflict with our current or future practices. Additionally, we may be bound by contractual requirements applicable to our collection, use, processing, and disclosure of various types of information, including financial and PII, and may be bound by, or voluntarily comply with, self-regulatory or other industry standards relating to these matters that may further change as laws, rules, and regulations evolve. Any failure or perceived failure by us, our third-party service providers, or any other third parties with which we do business, to comply with these laws, rules, and regulations, or with other obligations to which we or such third parties are or may become subject, may materially and adversely affect our business and results of operations, and result in reputational harm, governmental investigations and enforcement actions, litigation, claims, fines and penalties, or adverse publicity. Additionally, if in the future we seek to sell our solutions outside of the United States, we would face similar or potentially more stringent laws and regulations relating to personal privacy, information security, and data protection and we cannot be certain we would be able to adequately address these laws and regulations as part of any international expansion without incurring substantial costs and expenses to comply.

The markets in which we compete, however, are highly competitive, fragmented, evolving, complex, and defined by rapidly changing technology and customer demands. We currently compete with providers of technology and products in the financial services industry, primarily point solution vendors that focus on building functionality that competes with specific components of our solutions. From time to time, we also compete with systems internally developed by financial institutions. Many existing and potential competitors enjoy substantial competitive advantages, such as: - larger sales, development, support, and marketing budgets and resources;- the ability to bundle competitive offerings;- greater brand recognition and longer operating histories;- more extensive customer bases and broader customer relationships;- lower labor and development costs;- greater resources to make acquisitions;- larger and more mature intellectual property portfolios; and - substantially greater financial, technical, management, and other resources. Further, one of our competitors may establish or strengthen a cooperative relationship with, or acquire one or more software application, data analytics, compliance, or network vendors. We may also face competition from new companies entering our markets, which may include large established businesses that decide to develop, market, or resell cloud-based banking technology, acquire one of our competitors, or form a strategic alliance with one of our competitors. New companies entering our markets may choose to offer cloud-based consumer lending and related products at little or no additional cost to the customer by bundling them with their existing products, including adjacent financial services technologies. In addition, our current and potential customers have developed, and may continue to develop, their own in-house solutions that could replace our solutions within their organizations. We expect competition to intensify in the future, and these competitive pressures in our markets or our failure to compete effectively may result in fewer customers, increased pricing pressure, reduced revenues and gross profit, increased sales and marketing expenses, and loss of market share. Any failure to meet and address these factors could materially and adversely affect our business, operating results, and financial condition.

The market for our software solutions is characterized by rapid technological advancements, changes in customer requirements and technologies, frequent new solution introductions and enhancements, and changing regulatory requirements. The life cycles of our software solutions are difficult to estimate. Rapid technological changes and the introduction of new products and enhancements by new or existing competitors or large financial institutions could undermine our current market position. Other means of digital or virtual consumer lending and banking may be developed or adopted in the future, and our software solutions may not be compatible with these new technologies. In addition, the technological needs of, and services provided by, the banks, credit unions, mortgage lenders, specialty lending providers, and CRAs that we endeavor to serve may change if they or their competitors offer new services to account holders. Maintaining adequate research and development resources to meet the demands of the market is essential. The process of developing new technologies and software solutions is complex and expensive. The introduction of new products by our competitors, the market acceptance of competitive products based on new or alternative technologies, or the emergence of new technologies or products in the broader financial services industry could render our solutions obsolete or less effective. The success of any enhanced or new software solution depends on several factors, including timely completion, adequate testing, and market release and acceptance of the solution. Any new software solutions that we develop or acquire may not be introduced in a timely or cost-effective manner, may contain defects, or may not achieve the broad market acceptance necessary to generate significant revenues. In addition, we must continuously develop, market, and sell new features and functionalities to our existing software solutions that respond to the changing needs of our customers and offer better functionality than competing offerings from other providers. If we are unable to anticipate customer requirements or work with our customers successfully on implementing new software solutions or features in a timely manner or enhance our existing software solutions to meet our customers' requirements, our business, growth prospects, and operating results may be adversely affected.

Certain elements of our business and software solutions, particularly our origination and analytics solutions, involve the processing and storage of personally identifiable information, or PII, such as banking information and PII of our customers' clients. We may also have access to PII during various stages of the implementation process of our solutions or during the course of providing customer support. Furthermore, as we develop additional functionality, we may gain greater access to PII and process additional PII. While we maintain policies, procedures, and technological safeguards designed to protect the confidentiality, integrity, and availability of this information and our information technology systems, we cannot entirely eliminate the risk of improper, unlawful, or unauthorized access to, or disclosure, alteration, corruption, unavailability, or loss of PII or other data that we process or maintain, other security events that impact the integrity or availability of PII or other data or our systems and operations, or the related costs we may incur to mitigate the consequences from certain events such as the following: - third-party social engineering attempts to fraudulently induce our employees, partners, or customers to disclose sensitive information;- malicious intrusions and attacks by individuals or groups of hackers and sophisticated organizations, such as state-sponsored organizations or nation-states, to launch coordinated attacks, such as ransomware and distributed denial-of-service attacks;- cyberattacks such as ransomware on our internally built infrastructure on which many of our solutions operate, or on third-party cloud-computing platform providers;- vulnerabilities resulting from the configuration, implementation, enhancement, or update of our software solutions, as well as in the products or components across the broad ecosystem that our solutions operate in conjunction with and are dependent on;- vulnerabilities or breach of those third-party providers' (cloud, software, data center, and other critical technology vendors) software, systems, or security measures or a failure in our third-party providers' data security procedures, measures, and policies;- vulnerabilities existing within new technologies and infrastructures, including those from acquired companies;- attacks on, or vulnerabilities in, the many different underlying networks and services that power the Internet that our products depend on, most of which are not under our control or the control of our vendors, partners or customers; and - employee or contractor human errors or intentional insider threats that compromise our security systems. As we integrate artificial intelligence, or AI, technologies to enhance efficiency and innovation, we must acknowledge associated cybersecurity risks. AI systems, while beneficial, can be exploited by cybercriminals for sophisticated attacks that evade traditional security measures. Unauthorized access to AI tools may lead to data manipulation, deepfake generation, and highly personalized spear-phishing campaigns. The rapid advancement of AI increases complexity in cyber threats. We are committed to robust security protocols, but investors should be aware of inherent risks. Currently, we mitigate these risks, to the extent possible, by maintaining and enhancing an information security program, and an incident response and disaster recovery program, as well as participating in third-party audits. Our board of directors formed a cybersecurity committee to delegate oversight of risks in this area, and our board of directors, cybersecurity committee, and executive leadership are briefed on our cybersecurity policies, practices, and efforts, and any cybersecurity events, on a routine basis and as appropriate. When engaging third-party providers who have access to our systems, applications or data, we assess their policies and procedures relating to cybersecurity and privacy. Although we have developed systems and processes designed to protect our customers' clients' sensitive data, we can provide no assurances that such measures will provide absolute security or that a material cybersecurity incident will not occur. Mitigation efforts may be impacted by factors such as: - changes to, and complexity of, techniques used to obtain unauthorized access to, or sabotage IT systems and infrastructure, which generally are not identified until after an initial launch against a target, resulting in a reduced ability to anticipate or implement adequate preventive measures;- continued refinement, updating, and replacement of our internal systems and technology, particularly when adopting new technologies and new methods of sharing data and communicating internally and with customers and partners;- the acquisition of new companies and their solutions, requiring us to integrate, improve, and secure different or more complex IT environments and technologies;- authorization by our customers to third-party technology providers to access their clients' data, which may lead to our customers' inability to protect their data that is stored on our servers;- our limited control over our customers or third-party technology providers, or the processing of data by third-party technology providers, which may not allow us to maintain the integrity or security of such transmissions or processing; and - increased risk of security compromises associated with our employees working remotely. A cybersecurity incident or compromise could result in operational disruptions, loss, compromise, unauthorized use of, or access to, alteration, or corruption of customer data or customers' client data or data we rely on to provide our software solutions, including our analytics initiatives and offerings, that impair our ability to provide our software solutions and meet our customers' requirements. Such impairment would result in decreased revenues and could otherwise materially negatively impact our financial results. Also, the occurrence, or perception of an occurrence, of any of these events could results in a loss of confidence in the security of our services, irreparable reputational damage, a decline in current and prospective customer use of our software solutions, business disruptions, increases in cybersecurity insurance premiums, and allocation of significant financial and operational resources in response, including repairing system damage, increasing security protection costs by deploying additional personnel and protection technologies, and defending against and resolving legal and regulatory claims and proceedings. The detection, prevention, and remediation of known or potential security vulnerabilities, including those arising from third-party hardware or software, may result in additional financial burdens due to additional direct and indirect costs, such as additional infrastructure capacity spending to mitigate any system degradation and the reallocation of resources from development activities. Furthermore, cybersecurity incidents and compromises could expose us to legal, regulatory, and financial exposure and liability, notification requirements, third-party claims and lawsuits, indemnification, or other claims from customers and other third parties, regulatory investigations or proceedings, fines, or other actions or liabilities, which could materially and adversely affect our business and results of operations. In addition, some of our customers contractually require notification of cybersecurity incidents or compromises and include representations and warranties in their contracts with us that our software solutions comply with certain legal and technical standards related to cybersecurity and privacy and meets certain service levels. In certain of our contracts, a cybersecurity incident or compromise or operational disruption impacting us or one of our vendors, or system unavailability or damage due to other circumstances, may constitute a material breach of contract and give rise to a customer's right to terminate their contract with us or may cause us to be liable for certain monetary penalties, including as a result of a failure to meet service level agreements. As of the date of this Quarterly Report on Form 10-Q, we have not experienced any material impact to the business or operations resulting from cybersecurity attacks; however, we and our third-party vendors have experienced non-material incidents in the past, and because of the frequently changing nature of attack techniques, along with the increased volume and sophistication of the attacks, there is the continued potential for us to be adversely impacted. This impact could result in reputational, competitive, operational or other business harm, as well as financial costs, including fines from regulators and other regulatory action. We maintain cybersecurity insurance in the event of an information security or cyber incident, however, the coverage may not be sufficient to cover all financial losses. In these circumstances, it may be difficult or impossible to cure such a cybersecurity incident or compromise in order to prevent customers from potentially terminating their contracts with us. Furthermore, although our customer contracts typically include limitations on our potential liability, there can be no assurance that such limitations of liability would be adequate. We also cannot be sure that our existing general liability insurance coverage and coverage for errors or omissions will be available on acceptable terms or in sufficient amounts to cover one or more claims or that our insurers will not deny or attempt to deny coverage as to any future claim. The successful assertion of one or more claims against us, the inadequacy or denial of coverage under our insurance policies, litigation to pursue claims under our policies, or the occurrence of changes in our insurance policies, including premium increases or the imposition of large deductible or coinsurance requirements, could materially and adversely affect our business and results of operations.

We believe our future success will depend in large part upon our ability to attract and retain highly skilled managerial, technical, finance, creative, and sales and marketing personnel. Moreover, we believe that our future success is highly dependent on the contributions of our executive officers. All of our officers and other employees are at-will employees, which means they may terminate their employment relationship with us at any time, and their knowledge of our business and industry would be extremely difficult to replace. In addition, the loss of any key employees or the inability to attract or retain qualified personnel could delay the development and introduction of, and harm our ability to sell, our software solutions and harm the market's perception of us. The workforce reductions we implemented as part of our 2023 Restructuring Plan and 2024 Realignment Plan may also adversely impact our ability to attract, integrate, retain, and motivate highly qualified employees, and may harm our reputation with current or prospective employees. We may be unable to attract and retain suitably qualified individuals who are capable of meeting our growing sales, operational, and managerial requirements, or may be required to pay increased compensation in order to do so. Furthermore, although we believe a remote-first work model will help us attract and retain talent across a broad geographic base, a remote work environment could, among other things, negatively impact company culture, employee morale, and productivity, inhibit our ability to hire and train new employees, and impede our ability to support customers at the levels they expect. If we are unable to attract and retain the qualified personnel we need to succeed, our business will suffer. Volatility or lack of performance in our stock price may also affect our ability to attract and retain our key employees. Certain of our employees have become, or will soon become, vested in a substantial amount of stock options or restricted stock units. Employees may be more likely to leave us if the shares they own or the shares underlying their vested options have significantly appreciated in value relative to the original purchase prices of the shares or the exercise prices of the vested options, or if the exercise prices of the options that they hold are significantly above the market price of our common stock. In addition, job candidates and existing employees often consider the actual and potential value of the equity awards they receive as part of their overall compensation. If the perceived value or future value of our stock declines, our ability to attract and retain highly skilled employees may be adversely affected. If we are unable to retain or find a suitable replacement for our named executive officers or other key employees, our business will be harmed.

We have used, and intend to continue to use, unrelated third parties to provide us with technology development services, through individuals based in India. We have increased the amount of our product development work performed by contractors in India to expand our access to additional resources so we can meet the needs of our increased development efforts. However, we may not achieve the cost savings and other benefits we anticipate from these programs, and we may not be able to find sufficient numbers of developers with the necessary skill sets in India to meet our needs. While our experience to date with our India-based contractors has been positive, there is no assurance that this will continue. Specifically, there are a number of risks associated with this activity, including, but not limited to, the following: - communications and information flow may be less efficient and accurate as a consequence of the time and distance differences between our primary development organization and the foreign-based activities, resulting in delays in development or errors in the software developed;- in addition to the risk of misappropriation of intellectual property from departing personnel, there is a general risk of the potential for misappropriation of our intellectual property that might not be readily discoverable;- the ability to obtain fulsome rights to intellectual property arising from the work performed by India-based individuals may be more difficult than it is with respect to intellectual property arising from work performed for us by our U.S.-based employees;- the quality of the development efforts undertaken offshore may not meet our requirements, including due to experiential differences, resulting in potential product errors and/or delays;- currency exchange rates could fluctuate and adversely impact the cost advantages intended from maintaining these relationships; and - as would be the case with any of our third-party developers, if those based in India were to leave their employment or if the third-party development services agreement with us were terminated, we would lose some short-term development capacity, and while we believe we would still be able to continue maintaining and improving all of our service offerings, we would need to expend resources and management time to on-board additional development resources. In addition, as a result of the foregoing arrangements, we have a heightened risk exposure to changes in the economic, security, and political conditions of India. Economic and political instability, military actions, and other unforeseen occurrences in India could impair our ability to develop and introduce new software applications and functionality in a timely manner, which could put our products at a competitive disadvantage whereby we lose existing customers and/or fail to attract new customers.

Our overall performance depends on economic conditions, which are beyond our control and may be difficult or impossible to forecast. The United States and other key international economies have experienced significant economic and market downturns and periods of uncertainty, including recently in connection with increasing interest rates, and rising inflation, and are likely to experience additional cyclical downturns from time to time, in which economic activity is impacted by falling demand for a variety of goods and services, restricted credit, poor liquidity, inflation, fluctuations in interest rates, reduced corporate profitability, volatility in credit and equity markets, bankruptcies, and overall uncertainty. Macroeconomic developments can arise suddenly, as did the conditions associated with the fluctuating rates of inflation, and the full impact can be difficult to predict. Adverse macroeconomic conditions, including inflation, slower growth or recession, changes to fiscal and monetary policy, tighter credit, higher or fluctuating interest rates, high unemployment, and currency fluctuations have in the past and may in the future adversely impact the rate of technology spending generally and could adversely affect our customers' ability or willingness to purchase our software solutions, delay prospective customers' purchasing decisions, reduce the value or duration of their subscriptions or affect renewal rates, or impact the demand for our customers' services, any of which could adversely affect our results of operations. As a result, our operating results are sensitive to changes in macroeconomic conditions that impact our customers' technology spending and overall usage, volume, and type of transactions handled or processed using our software solutions. We moved to a fully remote work-from-home work model in 2020 and plan to continue operating as remote-first. However, we cannot be certain that a prolonged remote work model will continue to be effective or will not introduce new operational difficulties that could result in harm to our business. Our shift to remote work has caused us to assess our IT security measures, identify any vulnerabilities, and enhance protections against unauthorized access to our network and systems. We cannot guarantee these private work environments and electronic connections to our work environment have the same robust security measures deployed in our physical offices. While we have not yet experienced a network breach or intrusion as a result of moving to a remote work model, we are unable to unequivocally affirm that the protective measures we have taken will remain sufficient given the ever-changing threat landscape, and any such related security compromise that may occur could materially and adversely impact our business, results of operations, or reputation. We continue to evaluate, and adjust, our hiring plans and investment spending accordingly. We are monitoring the potential effects of changed rate of spending on software solutions, purchasing decisions, delayed payments, and supply chain shortages on our business. To the extent economic volatility adversely affects our business, results of operations, financial condition, or liquidity, many of the other risks described in this "Risk Factors" section may also be heightened.