Paymentus Holdings (PAY) Risk Factors

We anticipate expanding internationally as part of our long-term growth strategy and will thus become subject to additional laws and regulations for which we will need to implement new regulatory compliance controls. In some cases, our products are subject to export control laws and regulations, including the Export Administration Regulations administered by the U.S. Department of Commerce, and our activities may be subject to trade and economic sanctions, including U.S. economic and trade sanctions administered by the U.S. Department of Treasury's Office of Foreign Assets Control, or OFAC, which we collectively refer to as trade controls. As such, a license may be required to export or re-export our products, or provide related services, to certain countries and billers and financial institutions. Further, our products incorporating encryption functionality may be subject to special controls applying to encryption items or certain reporting requirements. The process for obtaining necessary licenses may be time-consuming or unsuccessful, potentially causing delays in sales or losses of sales opportunities. Even though we have procedures in place designed to ensure our compliance with trade controls, failure to comply with these controls could subject us to both civil and criminal penalties, including substantial fines, possible incarceration of responsible individuals for willful violations, possible loss of our export or import privileges and reputational harm. Although we have no knowledge that our activities have resulted in violations of trade controls, any failure by us or our partners to comply with applicable laws and regulations would have negative consequences for us, including reputational harm, government investigations and penalties. In addition, various countries regulate the import of certain encryption technology, including through import permit and license requirements, and have enacted laws that could limit our ability to distribute our products or could limit billers' and financial institutions' ability to implement our products in those countries. Changes in our products or changes in export and import regulations in such countries may create delays in the introduction of our products into international markets, prevent billers with international operations from deploying our products globally or, in some cases, prevent or delay the export or import of our products to certain countries, governments or persons altogether. Any change in export or import laws or regulations, economic sanctions or related legislation, shift in the enforcement or scope of existing export, import or sanctions laws or regulations, or change in the countries, governments, persons or technologies targeted by such export, import or sanctions laws or regulations, could result in decreased use of our products by, or in our decreased ability to export or sell our products to, existing or potential billers and financial institutions with international operations. Any decreased use of our products or limitation on our ability to export to or sell our products in international markets could adversely affect our business, operating results and financial condition. We are also subject to various anti-money laundering and counter-terrorist financing laws and regulations around the world that prohibit, among other things, our involvement in transferring the proceeds of criminal activities. There has been increased scrutiny in the United States and globally regarding compliance with these laws and regulations, which may require us to further revise or expand our compliance program, including the procedures we use to verify the identity of our billers. While we have controls in place that are designed to comply with applicable anti-money laundering and counter-terrorist financing laws and regulations, violations of these laws could subject us to investigations, settlements, prosecution, and other enforcement actions, which could have a material negative impact on our business, financial condition, and results of operations.

We are subject to the requirements of the Securities Exchange Act of 1934, as amended, or the Exchange Act, the Sarbanes-Oxley Act, the Dodd-Frank Wall Street Reform and Consumer Protection Act, the listing requirements of the New York Stock Exchange and other applicable securities rules and regulations. Complying with these rules and regulations has increased and will continue to increase our legal and financial compliance costs, make some activities more difficult, time consuming or costly and increase demand on our systems and resources. The Sarbanes-Oxley Act requires, among other things, that we maintain effective disclosure controls and procedures and internal control over financial reporting. We are required to disclose changes made in our internal control over financial reporting on a quarterly basis. In order to maintain and, if required, improve our disclosure controls and procedures and internal control over financial reporting to meet this standard, significant resources and management oversight are required. As a result, management's attention may be diverted from other business concerns, which could adversely affect our business and operating results. We have and may need to continue to hire additional employees or engage outside consultants to comply with these requirements, which has and will increase our costs and expenses. In addition, changing laws, regulations and standards relating to corporate governance and public disclosure are creating uncertainty for public companies, increasing legal and financial compliance costs and making some activities more time consuming. These laws, regulations and standards are subject to varying interpretations, in many cases due to their lack of specificity, and, as a result, their application in practice may evolve over time as new guidance is provided by regulatory and governing bodies. This could result in continuing uncertainty regarding compliance matters and higher costs necessitated by ongoing revisions to disclosure and governance practices. We intend to invest resources to comply with evolving laws, regulations and standards, and this investment may result in increased general and administrative expenses and a diversion of management's time and attention from revenue-generating activities to compliance activities. If our efforts to comply with new laws, regulations and standards differ from the activities intended by regulatory or governing bodies, due to ambiguities related to their application and practice or for other reasons, regulatory authorities may initiate legal proceedings against us and our business may be adversely affected. These new rules and regulations may make it more expensive for us to maintain director and officer liability insurance, and in the future, we may be required to accept reduced coverage or incur substantially higher costs to obtain coverage. These factors could also make it more difficult for us to attract and retain qualified members of our board of directors, particularly to serve on our audit committee and compensation committee, and qualified executive officers.

Our success and increased visibility, and that of the electronic and online billing and payments sector more generally, may result in increased regulatory oversight and enforcement and more restrictive rules and regulations that apply to our business. We are subject to a wide variety of local, state, federal and international laws, rules, regulations, licensing schemes and industry standards in the United States and in other countries in which we operate. These laws, rules, regulations, licensing schemes and standards govern numerous areas that are important to our business. In addition to the payments and financial services-related regulations, and privacy, data protection and information security-related laws, our business is also subject to, without limitation, rules and regulations applicable to securities, labor and employment, immigration, competition and marketing and communications practices. Laws, rules, regulations, licensing schemes and standards applicable to our business are subject to change and evolving interpretations and application, including by means of legislative changes and executive orders, and it can be difficult to predict how they may be applied to our business and the way we conduct our operations, particularly as we introduce new products and services and expand into new jurisdictions. We may not be able to respond quickly or effectively to regulatory, legislative and other developments, and these changes may in turn impair our ability to offer our existing or planned features, products and services and increase our cost of doing business. There can be no assurance that our employees or contractors will not violate laws, rules, regulations, licensing schemes and industry standards. Any failure or perceived failure by us or our employees or contractors to comply with existing or new laws, rules, regulations, licensing schemes, industry standards or orders of any governmental authority (including changes to or expansion of the interpretation of those laws, regulations, standards or orders), may, among other things: - subject us to significant fines, penalties, criminal and civil lawsuits, license suspension or revocation, forfeiture of significant assets, audits, inquiries, whistleblower complaints, adverse media coverage, investigations and enforcement actions in one or more jurisdictions levied by federal, state, local or foreign regulators, state attorneys general and private plaintiffs who may be acting as private attorneys general pursuant to various applicable federal, state and local laws;- result in additional compliance and licensure requirements;- increase regulatory scrutiny of our business;- restrict our operations, product features, quality and breadth and depth of functionality; and - force us to change our business practices or compliance program, make product or operational changes or delay planned product launches or improvements. The complexity of U.S. federal and state regulatory and enforcement regimes, coupled with the current and potential future scope of our international operations and the evolving regulatory environment, could result in a single event giving rise to many overlapping investigations and legal and regulatory proceedings by multiple government authorities in different jurisdictions. Any of the foregoing could, individually or in the aggregate, harm our reputation as a trusted provider, damage our brand and business, cause us to lose existing billers, financial institutions and partners, prevent us from obtaining new billers, financial institutions and partners, require us to expend significant funds to remedy problems caused by breaches and to avert further breaches, expose us to legal risk and potential liability, and adversely affect our business, operating results and financial condition.

Our platform enables our billers and partners to communicate directly with their consumers, including via email, text messages and telephone calls. Our platform also enables recording and monitoring of calls between our billers and partners and their consumers for training and quality assurance purposes. On occasion we also send communications directly to consumers. These activities are subject to a variety of U.S. state and federal laws, rules and regulations, such as the TCPA, the CAN-SPAM Act, and others related to telemarketing, recording and monitoring of communications. The TCPA prohibits companies from making telemarketing calls to numbers listed in the Federal Do-Not-Call Registry and imposes other obligations and limitations on making phone calls and sending text messages to consumers. The CAN-SPAM Act regulates commercial email messages and specifies penalties for the transmission of commercial email messages that do not comply with certain requirements, such as providing an opt-out mechanism for stopping future emails from senders. The TCPA, the CAN-SPAM Act and other communications laws, rules and regulations are subject to varying interpretations by courts and governmental authorities and often require subjective interpretation, making it difficult to predict their application and therefore making compliance efforts more challenging. We and our billers and partners may be required to comply with these and similar laws, rules and regulations. To comply with these laws, rules and regulations, in some cases we rely on our billers and partners to obtain legally required consents from their consumers to receive communications sent using our platform. We cannot, however, be certain that our or their efforts to comply will always be successful. Our business could be adversely affected by changes to the application or interpretation of existing laws, rules and regulations governing our platform's communication capabilities, or the enactment of new laws, rules and regulations, and by our and our billers' and partners' failure to comply with such laws, rules and regulations in using our platform. If any of these laws, rules or regulations were to significantly restrict our or our billers' or partners' ability to use our platform to communicate with existing and potential consumers, we may not be able to develop adequate alternative communication modules for our platform. Further, our or our billers' or partners' non-compliance with these laws, rules and regulations could result in significant financial penalties, litigation, including class action litigation, consent decrees and injunctions, adverse publicity and other negative consequences, any of which could adversely affect our business, operating results and financial condition and significantly harm our reputation.

Our billers, financial institutions and consumers store personal and business information, financial information and other sensitive information on our platform. In addition, we receive, store, handle, transmit, use and otherwise process personal and business information and other data from and about actual and prospective billers and financial institutions, as well as our employees and service providers. As a result, we are subject to a variety of laws, rules and regulations relating to privacy, data protection and information security, including regulation by various governmental authorities, such as the FTC, and various state, local and foreign agencies. Our data handling and processing activities are also subject to contractual obligations and industry standard requirements. The legislative and regulatory landscapes for privacy, data protection and information security continue to evolve in jurisdictions worldwide, with an increasing focus on privacy and data protection issues with the potential to affect our business. Failure to comply with any of these laws or regulations could result in litigation, enforcement actions, damages, fines, penalties or adverse publicity and reputational damage, any of which could have a material adverse effect on our business, operating results and financial condition. The U.S. federal and various state and foreign governments have also adopted or proposed limitations on the collection, distribution, use and storage of data relating to individuals and businesses, including the use of contact information and other data for marketing, advertising and other communications with individuals and businesses. In the United States, various laws and regulations apply to the security, collection, processing, storage, use, disclosure and other processing of certain types of data, including the Electronic Communications Privacy Act, the Computer Fraud and Abuse Act, the Gramm Leach Bliley Act, and state and local laws relating to privacy and data security. Additionally, the FTC and many state attorneys general have interpreted and are continuing to interpret federal and state consumer protection laws to impose standards for the online collection, use, dissemination, processing and security of data. In addition, many states in which we operate have laws that protect the privacy and security of sensitive and personal data and are considering or enacting new laws. Certain U.S. state laws may be more stringent or broader in scope, or offer greater individual rights, with respect to sensitive and personal information than international, federal, or other state laws,and such laws may differ from each other, which may complicate compliance efforts. For example, in June 2018, California enacted the CCPA, which became operative on January 1, 2020 and broadly defines personal information, gives California residents expanded privacy rights and protections, including the right to access and delete certain personal information, as well as the right to opt-out of certain sales of personal information, and provides for civil penalties for violations and a private right of action for data breaches. This private right of action may increase the likelihood of, and risks associated with, data breach litigation. Additionally, the CPRA, was passed in November 2020. Effective as of January 1, 2023, the CPRA imposes additional obligations on companies covered by the legislation and significantly modifies the CCPA, including by expanding California residents' rights with respect to certain categories of sensitive personal information. California also has a dedicated state agency that is vested with authority to implement and enforce the CCPA, as amended by the CPRA. The interpretation and enforcement of the CCPA is in nascent stages, and the effects of the CCPA, as amended by the CPRA are potentially significant and may require us to modify our data collection or processing practices and policies and to incur substantial costs and expenses in an effort to comply and increase our potential exposure to regulatory enforcement and sanctions and litigation. Certain other state laws impose similar privacy obligations, and all 50 states have laws including obligations to provide notification of security breaches of computer databases that contain personal information to affected individuals, state officers and others. For example, the CCPA has prompted the enactment of several new state laws or amendments of existing state laws, such as in New York, Nevada, Virginia, Colorado, Connecticut and Utah. These laws marked the beginning of a trend toward more stringent privacy legislation in other U.S. states and have prompted a number of proposals for new federal and state-level privacy legislation. This legislation, if passed, may add additional complexity, variation in requirements, restrictions and potential legal risk, require additional investment of resources in compliance programs, impact strategies and the availability of previously useful data and could result in increased compliance costs or changes in business practices and policies. In addition, several foreign countries and governmental bodies, including the EU, have established their own laws, rules and regulations addressing privacy, data protection and information security with regard to the handling and processing of sensitive and personal data obtained from their residents with which we or our billers, financial institutions or partners may need to comply. These laws and regulations are in certain cases more stringent than those in the United States. Laws and regulations in these jurisdictions apply broadly to the collection, use, storage, disclosure and security of various types of data, including data that identifies or may be used to identify an individual, such as names, email addresses and in some jurisdictions, IP addresses. The EU's privacy, data protection and information security landscapes are currently evolving, resulting in possible significant operational costs for internal compliance and risk to our business. Within the EU, the GDPR, which went into effect in May 2018, contains numerous requirements and changes from previously existing EU law, including more robust, direct obligations on data processors in addition to data controllers, heavier documentation requirements for data protection compliance programs by companies and significant increase in the level of sanctions for non-compliance as compared to previous EU data protection law. In particular, under the GDPR, EU data protection authorities have the power to impose administrative fines for violations of the GDPR of up to a maximum of €20 million or 4% of the data controller's or data processor's total global turnover for the preceding fiscal year, whichever is higher, and violations of the GDPR may also lead to damages claims by data controllers and data subjects. Such penalties are in addition to any civil litigation claims by data controllers, customers and data subjects. We have taken steps to comply with applicable portions of the GDPR, but we cannot assure you that such steps completely eliminate the risk of liability under the GDPR. The laws and regulations relating to privacy, data protection and information security are evolving, can be subject to significant change, and may result in ever-increasing regulatory and public scrutiny and escalating levels of enforcement and sanctions. We are also subject to certain obligations under HIPAA, as amended by HITECH, as well as certain state laws and related contractual obligations. HIPAA imposes obligations on certain covered entity healthcare providers, health plans and healthcare clearinghouses, as well as on business associates, like us, that perform certain services involving the use or disclosure of individually identifiable health information, including mandatory contractual terms, with respect to safeguarding the privacy, security and transmission of individually identifiable health information. The scope and interpretation of the laws and regulations relating to privacy, data protection and information security that are or may be applicable to us are often uncertain and may be conflicting, as a result of the rapidly evolving regulatory framework for privacy issues worldwide. It is possible that these laws, regulations, rules, self-regulatory standards and other actual or alleged legal obligations may be interpreted and applied in a manner that is inconsistent with our existing data management practices, solutions or platform capabilities. For example, laws relating to the liability of providers of online services for activities of their users and other third parties are currently being tested by a number of claims, including actions based on invasion of privacy and other torts, unfair competition, copyright and trademark infringement, and other theories based on the nature and content of the materials searched, the ads posted or the content provided by users. As a result of the laws that are or may be applicable to us, and due to the sensitive nature of the information we collect, we have implemented policies and procedures to preserve and protect our data and our platform users' data against loss, misuse, corruption, misappropriation caused by systems failures or unauthorized access. If our policies, procedures or measures relating to privacy, data protection, information security or the processing of data for marketing purposes or consumer communications fail to comply with laws, regulations, policies, legal obligations or industry standards, we may be subject to governmental enforcement actions, litigation, regulatory investigations, fines, penalties and negative publicity, and could cause our application providers, billers, financial institutions and partners to lose trust in us, and have an adverse effect on our business, operating results and financial condition. In addition to government regulation, privacy advocates and industry groups may propose new and different self-regulatory standards that may apply to us. Because the interpretation and application of privacy, data protection and information security laws, regulations, rules and other standards are still uncertain, it is possible that these laws, rules, regulations and other actual or alleged legal obligations, such as contractual or self-regulatory obligations, may be interpreted and applied in a manner that is inconsistent with our existing data management practices or the functionality of our platform. If so, in addition to the possibility of fines, lawsuits and other claims, we could be required to fundamentally change our business activities and practices or modify our software, which could have an adverse effect on our business. Further, any failure or perceived failure by us, or any third parties with which we do business, to comply with laws, regulations, policies (including our publicly posted privacy policies), procedures, measures, legal or contractual obligations, industry standards or regulatory guidance relating to privacy, data protection or information security may result in governmental investigations and enforcement actions, litigation, fines and penalties, or adverse publicity, and could cause our billers, financial institutions and partners to lose trust in us, which could have an adverse effect on our reputation, business, operating results and financial condition. We expect that there will continue to be new proposed laws, regulations and industry standards relating to privacy, data protection, information security, marketing and consumer communications, and we cannot predict the impact such future laws, regulations and standards may have on our business. Future laws, regulations, standards and other obligations or any changed interpretation of existing laws or regulations may be inconsistent among jurisdictions and may conflict with our current or future practices, which could impair our ability to develop and market new functionality and maintain and grow our biller and financial institution base and increase revenue. Additionally, our billers, financial institutions or partners may be subject to differing privacy laws, rules and legislation, which may mean that they require us to be bound by varying contractual requirements applicable to certain other jurisdictions. Future restrictions on the collection, use, processing, storage, sharing or disclosure of various types of data, including financial information and other personal data, or additional requirements for express or implied consent of our billers, financial institutions, partners or consumers for the collection, use, processing, storage, sharing and disclosure of such information could require us to incur additional costs or modify our platform, possibly in a material manner, and could limit our ability to develop new functionality. Complying with these requirements and changing our policies and practices may be onerous and costly, and we may not be able to respond quickly or effectively to regulatory, legislative and other developments. If we are not able to comply with these laws or regulations, or if we become liable under these laws or regulations, we could be directly harmed, including through fines and litigation, and we may be forced to implement new measures to reduce our exposure to this liability. This may require us to expend substantial resources or to discontinue certain products, which would negatively affect our business, operating results and financial condition. In addition, the increased attention focused upon liability issues as a result of lawsuits and legislative proposals could harm our reputation or otherwise adversely affect the growth of our business. Furthermore, any costs incurred as a result of this potential liability could harm our operating results.

Payment networks, such as Visa, Mastercard, American Express, NACHA and INTERAC, establish their own rules and standards that allocate liabilities and responsibilities among the payment networks and their participants. These rules and standards, including PCI-DSS, govern a variety of areas, including how consumers may use their cards, surcharging limitations, the security features of cards, security standards for processing, data protection and information security and allocation of liability for certain acts or omissions, including liability in the event of a data breach. Participants are subject to audits by the payment networks to ensure compliance with applicable rules and standards. We are required to comply with card network operating rules and have agreed to reimburse our service providers for any fines they are assessed by payment networks as a result of any rule violations by us. We may also be directly liable to the payment networks for rule violations. The payment networks set and interpret the card operating rules. The payment networks could adopt new operating rules or interpret or reinterpret existing rules that we or our processors might find difficult or even impossible to follow or costly to implement. These changes may be made for any number of reasons, including as a result of changes in the regulatory environment, to maintain or attract new participants or to serve the strategic initiatives of the networks, and may impose additional costs and expenses on or be disadvantageous to certain participants. As a result of any violations of rules or new rules being implemented, the networks may fine, penalize or suspend the registration of participants for certain acts or omissions or the failure of the participants to comply with applicable rules and standards, existing billers, partners or other third parties may cease using or referring our services, prospective billers, partners or other third parties may choose to terminate negotiations with us, or delay or choose not to consider us for their processing needs, and the networks could refuse to allow us to process payments through their networks. Any of the foregoing could materially adversely impact our business, operating results and financial condition. From time to time, these networks increase the fees that they charge payment processors. We could attempt to pass these increases along to our billers, but this strategy might result in the loss of billers to competing solutions. If competitive practices prevent us from passing along the higher fees to our billers in the future, we may have to absorb all or a portion of such increases, which may increase our operating costs and reduce our earnings. In addition, regulators are subjecting interchange, surcharging and other fees to increased scrutiny, and new regulations could require greater pricing transparency of the breakdown in fees or fee limitations, which could lead to increased price-based competition, lower margins and higher rates of biller attrition and negatively affect our business, operating results and financial condition. As a result of any increased fees, such payments could become prohibitively expensive for us or for our billers.

We may in the future become subject to and involved in lawsuits, disputes, legal proceedings or claims to protect or enforce our intellectual property rights, and we may be subject to claims by third parties that we have infringed, misappropriated or otherwise violated their intellectual property rights. Even if we believe that these claims are without merit, litigation may be necessary to determine the scope and validity of intellectual property or proprietary rights of others or to protect or enforce our intellectual property rights. The ultimate outcome of any litigation is often uncertain. Also, regardless of the outcome, lawsuits, with or without merit, are time-consuming and expensive to resolve and they divert management's time and attention. Lawsuits may also require us to, among other things, redesign or stop providing our products or services, pay substantial amounts to satisfy judgments or settle claims or lawsuits, pay substantial royalty or licensing fees, or satisfy indemnification obligations that we have with certain parties with whom we have commercial relationships. Although we carry insurance, our insurance may not cover potential claims of this type or may not be adequate to indemnify us for all liability that may be imposed. We cannot predict the outcome of lawsuits and cannot assure you that the results of any such actions will not have an adverse effect on our business, operating results or financial condition. The software industry is characterized by the existence of many patents, copyrights, trademarks, trade secrets and other intellectual property rights. Companies in the software industry are often required to defend against litigation claims based on allegations of infringement or other violations of intellectual property rights. Our software and technology may not be able to withstand any third-party claims against their use. We could also face trade name or trademark or service mark infringement claims brought by owners of other registered or unregistered trademarks or service marks, including trademarks or service marks that may incorporate variations of our brand names. Any claims related to our intellectual property or biller, financial institution or consumer confusion related to our marketplace could damage our reputation and adversely affect our growth prospects. In addition, many companies have the capability to dedicate substantially greater resources to enforce their intellectual property rights and to defend claims that may be brought against them than we do. Any litigation may also involve patent holding companies or other adverse patent owners that have no relevant product revenue, and therefore, our patents may provide little or no deterrence as we would not be able to assert them against such entities or individuals. If a third party is able to obtain an injunction preventing us from accessing such third-party's intellectual property rights, or if we cannot license or develop alternative technology for any allegedly infringing aspect of our business, we may be forced to limit or stop sales of our products or cease business activities related to such intellectual property. Any inability to license third-party technology in the future would have an adverse effect on our business or operating results and would adversely affect our ability to compete. We also are, and may in the future become, contractually obligated to indemnify our billers, financial institutions and partners in the event of infringement, misappropriation or other violation of a third party's intellectual property rights. Responding to such claims, regardless of their merit, can be time-consuming, costly to defend and damaging to our reputation and brand.

We may modify, enhance, upgrade and implement new systems, procedures and controls in our software and technology to reflect changes in our business, technological advancements and changing industry trends. These modifications, enhancements or updates incorporated in our platform may contain undetected errors, viruses or defects when implemented or when new functionality is released. Despite extensive testing, from time to time we have discovered and may in the future discover defects or errors in our software and technology. Any performance problems or defects in our software and technology could materially and adversely affect our business, operating results and financial conditions, and could increase the risk of a cybersecurity incident. Defects, errors or other similar performance problems or disruptions, whether in connection with day-to-day operations or otherwise, could be costly for us, adversely affect our billers', financial institutions' or partners' businesses, harm our reputation and result in reduced sales or a loss of, or delay in, the market acceptance of our solutions. In addition, if we have any such errors, defects or other performance problems, our billers,financial institutions or partners could seek to terminate, or elect not to renew, their contracts with us, delay or withhold payment or assert claims against us. Any of these actions could result in liability, lost business, increased insurance costs, difficulty in collecting accounts receivable, costly litigation, regulatory actions, or adverse publicity, which could materially and adversely affect our business, operating results and financial condition. Additionally, our software incorporates open-source code and any defects or security vulnerabilities in such open-source software could materially and adversely affect our business, operating results and financial condition by increasing the risk of a cybersecurity incident. Further, we rely on technology and software supplied by third parties that may also contain undetected errors, viruses or defects. Software defects and errors or delays in electronic bill presentment or our facilitation of payment processing could result in additional development and remediation costs, diversion of technical and other resources from our existing development efforts, loss of credibility with current or potential billers, financial institutions, partners and consumers, harm to our reputation and exposure to liability claims, any of which could result in a material adverse effect on our business, operating results and financial condition.

Our third-party service providers are ultimately responsible for maintaining their own network security, disaster recovery and system management procedures, and our review processes for such providers may be insufficient to identify, prevent or mitigate adverse events. The owners and operators of our current and future hosting facilities do not guarantee that our billers' or partners' or their consumers' access to our solutions will be uninterrupted, error-free or secure. We or our third-party service providers may experience website disruptions, outages and other performance problems. We have periodically experienced service disruptions in the past, and we cannot assure you that we will not experience service interruptions or delays in the future. We depend on our third-party service providers to protect their infrastructure against damage, interruption and other performance problems, maintain their respective configuration, architecture and interconnection specifications and protect information stored by such providers, as well as on internet service providers to transmit data. We may also incur significant costs for using alternative equipment or taking other actions in preparation for, or in reaction to, events that damage the data storage services we use. Although we have disaster recovery plans that use multiple data storage locations, any incident affecting their infrastructure that may be caused by fire, flood, severe storm, earthquake, power loss, telecommunications failures, unauthorized entry or intrusion, sabotage, criminal acts, intentional acts of vandalism and other misconduct, computer viruses and disabling devices, natural disasters, military actions, terrorist attacks, negligence, infrastructure changes, human or software errors, fraud, spikes in biller, financial institution, partner or consumer usage and denial of service issues, hardware failures, improper operation, data loss, compromise or corruption, cybersecurity attacks, wars, hurricanes, tornadoes and other similar events beyond our control could negatively affect our platform. In some instances, we may not be able to identify the cause or causes of these performance problems within an acceptable period of time. Any prolonged service disruption affecting our platform for any of the foregoing reasons could result in lengthy interruptions in the delivery of our platform, products or services, cause system interruptions, prevent our billers, financial institutions, partners or consumers from accessing their accounts online, damage our reputation with current and potential billers, financial institutions, partners or consumers, expose us to liability, cause us to lose billers, financial institutions, partners or consumers, cause the loss or unavailability of critical data, prevent us from supporting our platform, products or services, result in regulatory investigations, enforcement actions and litigation or cause us to incur additional expense in investigating, remediating and responding to these disruptions and arranging for new facilities and support or otherwise harm our business. Also, in the event of damage or interruption, our insurance policies may not adequately compensate us for any losses that we may incur. System failures or outages could compromise our ability to perform these functions in a timely manner, which could harm our ability to conduct business or delay our financial reporting. Such failures could adversely affect our operating results and financial condition. In addition, certain of our third-party service providers are required to notify us if they experience a security breach or unauthorized disclosure of certain personal information, or, in some cases, confidential data or information of ours or our billers, financial institutions, partners or consumers, and their failure to timely notify us of such a breach or disclosure may cause us to incur significant costs or otherwise harm our business. Our platform is accessed by many billers, financial institutions, partners and consumers, often at the same time. As we continue to expand the number of our billers, financial institutions, partners and consumers, and products available through our platform, we may not be able to scale our technology to accommodate the increased capacity requirements, which may result in interruptions or delays in service. In addition, the failure of data centers, internet service providers or other third-party service providers to meet our capacity requirements could result in interruptions or delays in access to our platform or impede our ability to grow our business and scale our operations. If our third-party infrastructure service agreements are terminated, or there is a lapse of service, interruption of internet service provider connectivity, or damage to data centers, we could experience interruptions in access to our platform as well as delays and additional expense in arranging new facilities and services. We also depend on third-party internet-hosting providers and continuous and uninterrupted access to the internet through third-party bandwidth providers to operate our business. If we lose the services of one or more of our internet-hosting or bandwidth providers for any reason or if their services are disrupted, for example due to viruses, ransomware, denial of service or other attacks on their systems, or due to human error, intentional bad acts, power loss, hardware failures, telecommunications failures, fires, wars, terrorist attacks, floods, earthquakes, hurricanes, tornadoes or similar catastrophic events, we could experience disruption in our ability to offer our solutions and adverse perception of our solutions' reliability, or we could be required to retain the services of replacement providers, which could increase our operating costs and materially and adversely affect our business, operating results and financial condition. Furthermore, prolonged interruption in the availability, or reduction in the speed or other functionality, of our platform, products or services could materially harm our reputation and business. Frequent or persistent interruptions in accessing our platform, products and services could cause billers, financial institutions, partners or consumers to believe that our platform, products and services are unreliable, leading them to switch to our competitors or to avoid our platform, products and services, and could permanently harm our reputation and business. Additionally, as our billers, financial institutions and partners and their consumers may use our platform for critical transactions, any errors, defects or other infrastructure problems could result in damage to such billers', financial institutions', partners' or consumers' businesses. These billers, financial institutions, partners and consumers could seek significant compensation from us for their losses and our insurance policies may be insufficient to cover a claim. Even if unsuccessful, this type of claim may be time-consuming and costly for us to defend. Any of the foregoing could have a material adverse effect on our business, operating results and financial condition.

Our platform must integrate with a variety of software suites, applications and other technologies that are developed by third parties, and we need to continuously modify and enhance our platform to adapt to changes in such software and other technologies. In particular, we have developed our platform to be able to easily integrate with key third-party applications of our software partners. We are typically subject to standard terms and conditions of providers of software or other technology, which govern the distribution and operation of such software and other technologies and are subject to change by such providers from time to time. Our business will be harmed if any provider of such software or other technologies: - discontinues or limits our access to its software or other technologies;- modifies its terms of service or other legal terms or policies, including fees charged to, or other restrictions on us;- changes how information is accessed by us or our billers, financial institutions or partners or their consumers;- has performance or other problems that affect the perception of our platform, products or services;- establishes exclusive or more favorable relationships with one or more of our competitors; or - develops or otherwise favors its own competitive offerings over our platform or products. For example, to deliver a comprehensive solution, our platform integrates with offerings of popular software providers, including Oracle and SAP, through application program interfaces, or APIs, made available by these software providers. If any providers of software or other technologies change the features of their APIs, discontinue their support of such APIs, restrict our access to their APIs or alter the terms governing their use in a manner that is adverse to our business, we will not be able to provide synchronization capabilities, which could significantly diminish the value of our platform and harm our business, operating results and financial condition. Third-party services and products are constantly evolving, and we may not be able to modify our platform to assure its compatibility with that of other third parties as they continue to develop or emerge in the future, or we may not be able to make such modifications in a timely and cost-effective manner. In addition, some of our competitors may be able to disrupt the operations or compatibility of our platform with their products or services, or exert strong business influence on our ability to, and terms on which we, operate our platform. Should any of our competitors modify their products or standards in a manner that degrades the functionality of our platform or gives preferential treatment to our competitors or competitive products, whether to enhance their competitive position or for any other reason, the interoperability of our platform with these products could decrease and our business, results of operations and financial condition would be harmed. If we are not permitted or able to integrate with these and other third-party software suites, applications and other technologies in the future, our business, results of operations and financial condition would be harmed. Furthermore, the functionality of our platform also depends on our and our partners' ability to integrate our platform with their offerings. These partners periodically update and change their systems, and although we have been able to adapt our platform to their evolving needs in the past, there can be no guarantee that we will be able to do so in the future or in a way such that our billers, financial institutions or partners or their consumers are satisfied with the quality of work performed by us or with the technical support services rendered. In particular, if we are unable to adapt to the needs of our partners' platforms, software and solutions, our billers', financial institutions' and partners' operations may be disrupted, which could result in disputes with our billers, financial institutions or partners or their consumers or other third parties and additional costs to address the situation. Additionally, our billers, financial institutions and partners may terminate their relationship with us and we may lose access to large numbers of consumers and biller and financial institution referrals as a result. Any negative publicity related to our solutions, regardless of its accuracy or whether the ultimate cause of any poor performance actually results from our platform, or from the systems of our billers, financial institutions, partners or consumers, may adversely affect our reputation, business, operating results and financial condition.

Billers and financial institutions and their consumers rely on our customer support services to resolve issues and realize the full benefits provided by our platform. High-quality support is also important to maintain and drive further adoption by our existing billers and their consumers. We primarily provide customer support to our clients over email, with some additional support provided over chat and through our platform, and to consumers over the phone. If we do not help our billers and financial institutions and their consumers quickly resolve issues and provide effective ongoing support, or if our support personnel or methods of providing support are insufficient to meet the needs of our billers and financial institutions and their consumers, our ability to retain billers and financial institutions, increase adoption by our existing billers and financial institutions and acquire new billers could suffer, and our reputation with existing or potential billers and financial institutions could be harmed. In addition, biller, financial institution and consumer complaints or negative publicity about our customer service could diminish confidence in and use of our products or services. Effective customer service requires significant expenses, which, if not managed properly, could negatively impact our profitability. If we are not able to meet the customer support needs of our billers and their consumers during the hours that we currently provide support, we may need to increase our support coverage and provide additional support by other means and methods, which may reduce our profitability.

Many of our agreements with our billers, financial institutions and partners contain service level commitments, including commitments regarding the accuracy of information and data we provide and how quickly we will respond to support inquiries. If we are unable to meet the stated service level commitments or our platform suffers extended periods of unavailability or downtime, we may be contractually obligated to provide these parties with service credits or refunds. In addition, certain billers and financial institutions could shift to using a different solution such that we would no longer be their exclusive payment provider and we could also face contract terminations, either of which would adversely affect our future revenue. Further, any extended service outages could adversely affect our reputation, revenue and operating results.