I3 Verticals (IIIV) Risk Analysis

We strive to comply with healthcare laws, regulations and other requirements applicable to us directly and to our customers and contractors, but there can be no assurance that our operations will not be challenged or impacted by enforcement initiatives. We have been, and in the future may become, involved in governmental investigations, audits, reviews and assessments. Even an unsuccessful challenge by regulatory and other authorities or private whistleblowers could be expensive and time-consuming, could result in loss of business, exposure to adverse publicity and injury to our reputation and could adversely affect our ability to retain and attract customers. Healthcare laws, regulations and other requirements impacting our Healthcare vertical operations include the following: Anti-Kickback Laws. A number of federal and state laws govern patient referrals, financial relationships with physicians and other referral sources and inducements to providers and patients, including restrictions contained in amendments to the Social Security Act, commonly known as the federal Anti-Kickback Statue ("AKS"). The AKS contains a limited number of exceptions, and the Office of Inspector General for the HHS ("OIG") has created regulatory safe harbors to the AKS. Activities that comply with a safe harbor are deemed protected from prosecution under the AKS. Certain of our contracts and other arrangements may not meet an exception or a safe harbor. Failure to qualify for safe harbor protection does not mean the arrangement necessarily violates the AKS, but it may subject the arrangement to greater government scrutiny. We cannot provide assurance that practices outside of a safe harbor will not be found to violate the AKS. Allegations of violations of the AKS may be brought under the federal Civil Monetary Penalties ("the CMP Law"), which requires a lower burden of proof than the AKS. The OIG has a longstanding concern that percentage-based billing arrangements may increase the risk of improper billing practices. The OIG recommends that medical billing companies develop and implement comprehensive compliance programs to mitigate this risk. In addition, certain states have adopted laws or regulations forbidding splitting of fees with non-physicians, which may be interpreted to prevent business service providers, including medical billing providers, from using a percentage-based billing arrangement. While we have developed and implemented a comprehensive billing compliance program that we believe is consistent with federal guidance, our failure to ensure compliance with controlling legal requirements, accurately anticipate the application of these laws and regulations to our business and contracting model, or comply with regulatory requirements, could create liability for us, result in adverse publicity and negatively affect our business. Violation of the AKS is a felony, and penalties may include imprisonment, criminal fines and substantial civil monetary penalties. In addition, submission of a claim for items or services generated in violation of the AKS may be subject to additional penalties under the federal False Claims Act ("FCA") as a false or fraudulent claim. False or Fraudulent Claim Laws; Medical Billing and Coding. Medical billing, coding and collection activities are governed by numerous federal and state civil and criminal laws, regulations and sub-regulatory guidance. Our Healthcare vertical may be subject to, or contractually required to comply with, numerous federal and state laws that prohibit false or fraudulent claims including but not limited to the federal FCA, the CMP Law and state equivalents. For example, errors or the unintended consequences of data manipulations by us or our systems with respect to the entry, formatting, preparation or transmission of claims, coding, audit, eligibility and other information, may result in allegations of false or fraudulent claims. False or fraudulent claims under the FCA and other laws include, but are not limited to, billing for services not rendered, making or causing to be made or used a false record or statement that is material to a false claim, failing to report and refund known overpayments within 60 days of identifying the overpayment, misrepresenting actual services rendered, improper coding and billing for medically unnecessary items or services. Submission of a claim for an item or service generated in violation of the AKS constitutes a false or fraudulent claim. In addition, the FCA prohibits the knowing submission of false claims or statements to the federal government, including to Medicare and Medicaid programs. Although simple negligence will not give rise to liability under the FCA, "knowingly" submitting a false claim may result in liability. When an entity is determined to have violated the FCA,the government may impose substantial civil fines and penalties for each false claim, plus treble damages, and exclude the entity from participation in federal healthcare programs. Private parties are able to bring qui tam, or whistleblower, lawsuits on behalf of the government in connection with alleged false claims submitted to the government, and these private parties are entitled to share in any amounts recovered by the government. Several states, including states in which we operate, have adopted their own false claims provisions and their own whistleblower provisions whereby a private individual may file a civil lawsuit in state court. Some fraud and abuse laws, such as the CMP Law, require a lower burden of proof than other fraud, waste and abuse laws. Federal and state authorities increasingly assert liability under the CMP Law, especially where they believe they cannot meet the higher burden of proof requirements under the various criminal healthcare fraud provisions. Current penalties under the CMP Law are significant and may result in penalties of up to three times the amount claimed or received. Civil monetary penalties, including those imposed under the AKS, FCA, and CMP Law are updated annually based on changes to the consumer price index. Although we believe our processes are consistent with applicable reimbursement rules and industry practice, a court, government authority or whistleblower could challenge these processes. In addition, we cannot guarantee that federal and state authorities will regard any billing and coding errors we process or make as inadvertent or will not hold us responsible for any compliance issues related to claims, reports and other information we handle on behalf of our customers. We cannot predict the impact of any enforcement actions under the various false claims and fraud, waste and abuse laws applicable to our operations. Even an unsuccessful challenge of our practices could cause us to incur adverse publicity and significant legal and related costs. The laws and regulations in this area are both broad and vague and judicial interpretation can be inconsistent. We review our practices with regulatory experts in an effort to comply with all applicable laws and regulatory requirements. However, we are unable to predict how laws and regulations will be interpreted or the full extent of their application, particularly to services that are not directly billed to or reimbursed by federal healthcare programs, such as transaction processing services. Any determination by a federal or state regulatory authority that any of our activities or those of our customers or vendors violate any of these laws or regulations could: subject us to civil or criminal penalties, require us to enter into corporate integrity agreements or similar agreements with government regulators to meet ongoing compliance obligations, require us to change or terminate some portions of our business, require us to refund a portion of our service fees and/or disqualify us from providing services to customers that are, or do business with, government programs. Any of these could result in a material adverse impact on our business, results of operations or financial condition. Even an unsuccessful challenge of our activities could result in adverse publicity and could require a costly response. The Cures Act and Implementing Regulations (Information Blocking and Health Information Technology ("HIT") Standards and Certification Requirements). Standards regarding electronic exchange of information and interoperability are subject to regular revision and updates, and we are required to modify and enhance products and services accordingly. The Information Blocking Rule prohibits healthcare providers, Health Information Exchange ("HIEs"), and HIT developers, including our subsidiary that provides electronic medical records, from information blocking, which is defined as practices likely to interfere with, prevent, or materially discourage access, exchange, or use of electronic health information ("EHI"), except as required by law or specified by HHS as a reasonable and necessary activity. Civil monetary penalties for information blocking by HIT developers are substantial, up to $1 million per violation. The HIT Standards and Certification Criteria Final Rule imposes new criteria related to EHI export and standardized APIs for patient services, and HIT developers of certified HIT need to ensure that their products and services meet the requisite technical standards by the relevant deadlines and continue to evolve as developers and other stakeholders release revised versions of these standards. Additionally, HIT developers that participate in the ONC Health IT Certification Program, like us, must make various certifications regarding their HIT and attest to compliance with applicable conditions of certification, including those related to information blocking. These rules apply to certain services we offer, and customers may insist that we develop additional solutions that comply with these various interoperability requirements, which could subject us to additional costs. We currently have and likely will continue to have certain solutions certified by ONC, which could further increase development costs and delay customer sales and implementations. We also may incur costs in periods prior to the corresponding recognition of revenue. To the extent current regulations are subsequently changed or supplemented, or for other reasons beyond our control, customers may postpone or cancel their decisions to purchase or implement such solutions. Exclusion from participation in government healthcare programs. The OIG may or must exclude individuals and entities involved in misconduct related to federal healthcare programs, such as Medicare and Medicaid, from participation in those programs. Federal law prohibits federal healthcare programs from paying for items or services furnished, ordered, or prescribed by an individual or entity excluded from participation. The prohibition against federal program payment extends to payment for administrative and management services not directly related to patient care. Civil penalties may be imposed against providers and entities that employ or enter into contracts with excluded individuals to provide items or services to federal healthcare program beneficiaries. We have implemented compliance policies and procedures to screen for excluded individuals. However, if we employ or contract with an excluded individual or entity, we could face significant consequences such as exclusion from participation in federal healthcare programs, civil monetary penalties, and treble damages. In addition, we could be liable under our customer contracts, if we are excluded by the OIG or employ or contract with an excluded individual or entity.

From time to time, we have been, are and may in the future be, a party to legal and regulatory proceedings, including investigations, audits, and other reviews. There are an increasing number of investigations and proceedings in the healthcare industry that seek recovery under HIPAA, AKS, the FCA, the CMP, state laws and other statutes and regulations applicable to our business as described in more detail above. Such proceedings can result in verdicts, injunctive relief or other sanctions that may affect how we operate our business and/or have an adverse effect on our financial condition. Violations of applicable statutes and regulations may result in criminal penalties and substantial civil penalties, including exclusion from government healthcare programs, and settlements of lawsuits involving Medicare and Medicaid issues routinely require monetary penalties and corporate integrity agreements. Assessing and predicting the outcome of these matters involves substantial uncertainties. Unexpected outcomes in these legal proceedings, or changes in management's evaluations or predictions and accompanying changes in established reserves, could have a material adverse impact on our business, results of operations or financial condition. Litigation is costly, time-consuming and disruptive to normal business operations. In addition, the defense of these matters could result in continued diversion of our management's time and attention away from business operations, which could also harm our business. Even if these matters are resolved in our favor, the uncertainty and expense associated with unresolved legal proceedings could harm our business and reputation.

We are subject to extensive tax liabilities, including federal and state and transactional taxes such as excise, sales/use, payroll, franchise, withholding, and ad valorem taxes. Changes in tax laws or their interpretations could increase our tax burden and decrease the amount of revenues we receive, the value of any tax loss carryforwards and tax credits recorded on our balance sheet and the amount of our cash flow, and have a material adverse impact on our business, financial condition and results of operations. Some of our tax liabilities are subject to periodic audits by the respective taxing authority which could increase our tax liabilities. Furthermore, companies in the payment processing industry, including us, may become subject to incremental taxation in various tax jurisdictions. Taxing jurisdictions have not yet adopted uniform positions on this topic. If we are required to pay additional taxes and are unable to pass the tax expense through to our customers, our costs would increase and our net income would be reduced, which could have a material adverse effect on our business, financial condition and results of operations.

In addition to those laws and regulations discussed previously that are imposed by the card networks and Nacha, governmental bodies in the United States have adopted, or are considering the adoption of, laws and regulations restricting the use, collection, storage, transfer and disposal of, and requiring safeguarding of, personal information. Our operations are subject to certain provisions of these laws. Relevant federal privacy laws include, in addition to FERPA, PPRA and HIPAA described above, the Gramm-Leach-Bliley Act of 1999, which applies directly to a broad range of financial institutions and indirectly, or in some instances directly, to companies that provide services to financial institutions. The U.S. Children's Online Privacy Protection Act also regulates the collection of information by operators of websites and other electronic solutions that are directed to children under 13 years of age. These laws and regulations restrict the collection, processing, storage, use and disclosure of personal information, require notice to individuals of privacy practices and provide individuals with certain rights to prevent the use and disclosure of protected information. They also impose requirements for safeguarding and proper destruction of personal information through the issuance of data security standards or guidelines. In addition, there are state laws and regulations restricting the ability to collect and utilize certain types of information such as Social Security and driver's license numbers. Certain states impose similar privacy obligations as well as obligations to provide notification of security breaches of computer databases that contain personal information to affected individuals, state officers and consumer reporting agencies and businesses and governmental agencies that own data. In connection with providing products and services to our customers, we are required by regulations, applicable industry standards, and our contracts with customers and financial institution distribution partners to provide assurances regarding the confidentiality and security of non-public consumer information. These contracts may require periodic audits by independent companies regarding our compliance with applicable standards. The compliance standards relate to the security of our infrastructure, including components and operational procedures designed to safeguard the confidentiality and security of individuals' non-public personal information that our customers share with us. Our ability to maintain compliance with these standards and satisfy these audits will affect our ability to attract, grow and maintain business in the future. If we fail to comply with the laws and regulations relating to data privacy and information security, we could be exposed to legal claims and actions or to regulatory enforcement proceedings. In addition, our relationships and reputation could be harmed, which could inhibit our ability to retain existing customers and obtain new customers. Legal requirements relating to the collection, storage, handling and transfer of personal data continue to evolve at both the federal and state level. For example, the CFPB finalized a rule which goes into effect January 17, 2025, that requires certain data providers to make covered data regarding covered financial products and services available to consumers and authorized third parties in an electronic form, subject to a number of requirements. Many states have introduced or passed comprehensive consumer privacy laws, including California, Colorado, Connecticut, Delaware, Florida, Indiana, Iowa, Kentucky, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Rhode Island, Tennessee, Texas, Utah and Virginia, that may impose varying standards and requirements on our data collection use and processing activities. These laws require companies (regardless of their location) that process personal information of residents of those states make certain disclosures to consumers about data practices, grant consumers specific rights to their data, and allow consumers to opt out of certain data sharing activities. Additionally, the Federal Trade Commission and many state attorneys general are interpreting federal and state consumer protection laws to impose standards for the online collection, use, dissemination and security of data. Government regulators, industry groups and class action attorneys are increasingly scrutinizing how companies collect, process, use, store, share and transmit personal data. Regulators and courts may expand interpretations of existing laws, thereby further impacting our business. If more restrictive privacy laws or rules and/or inconsistent legal requirements are adopted by authorities in the future on the federal or state level, or regulators' enforcement priorities shift, our compliance costs may increase and our ability to perform due diligence on, and monitor the risk of, our current and potential customers may decrease, which could create liability for us. Many consumer privacy laws provide for civil penalties for violations, and the CCPA and CPRA provide for a private right of action for data breaches that may increase data breach litigation. We may also be exposed to litigation, regulatory fines, penalties or other sanctions if the personal, confidential or proprietary information of our customers is mishandled or misused by any of our suppliers, counterparties or other third parties, or if such third-parties do not have appropriate controls in place to protect such personal, confidential or proprietary information. Further, many foreign data privacy regulations (including India's Digital Personal Data Protection Act) can be more stringent than those in the United States. These laws and regulations are rapidly evolving and changing and could have an adverse effect on our operations. Our obligations and requirements under these laws and regulations are subject to uncertainty in how they may be interpreted by government authorities and regulators. The costs of compliance with, and the other burdens imposed by, these and other laws or regulatory actions may increase our operational costs, affect our customers' willingness to permit us to use and store personal data, prevent us from selling our products or services, and/or affect our ability to invest in or jointly develop products. Failure to comply with these laws may result in governmental enforcement actions, private claims, including class action lawsuits, and damage to our reputation. We may also face audits or investigations by one or more domestic or foreign government agencies relating to our compliance with these regulations. Additionally, if we suffer a data breach, other privacy or cybersecurity regulatory compliance failures or are subject to fines, sanctions or proceedings as a result of actual or perceived compliance failures, or any similar event causing reputational harm, our opportunities for growth may be curtailed, and our potential liability for security breaches may increase, all of which could have a material adverse effect on our business, financial condition and results of operations. These laws and regulations may change rapidly, and it is frequently unclear how they apply to our business. Any failure of our products or services to comply with these laws and regulations could result in substantial civil or criminal liability and could, among other things, adversely affect demand for our services, invalidate all or portions of some of our contracts with our customers and financial institution partners, or require us to change or terminate some portions of our business. Further, reform efforts or changing healthcare regulatory requirements may also render our products or services obsolete or may block us from fully realizing or accomplishing our work or from developing new products or services. This may in turn impose additional costs upon us to adapt to the new operating environment or to further develop or modify our products and services. Such healthcare reforms may also make introduction of new products and service costlier or more time-consuming than we currently anticipate. These changes may also prevent our introduction of new products and services or make the continuation or maintenance of our existing products and services unprofitable or impossible.

If consumers and businesses do not continue to use cards or ACH as payment mechanisms for their transactions or if the mix of payments among the types of cards and ACH changes in a way that is adverse to us, it could have a material adverse effect on our business, financial condition and results of operations. Regulatory changes may also result in our customers seeking to charge their customers additional fees for use of credit or debit cards. Additionally, in recent years, increased incidents of security breaches have caused some consumers to lose confidence in the ability of businesses to protect their information, causing certain consumers to discontinue use of electronic payment methods. Security breaches could result in financial institutions canceling large numbers of credit and debit cards, or consumers or businesses electing to cancel their cards following such an incident.

We may be subject to costly litigation if our products or services are alleged to infringe upon or otherwise violate a third party's proprietary rights. Third parties may have, or may eventually be issued, patents that could be infringed by our products and services. Any of these third parties could make a claim of infringement against us with respect to our products and services. We may also be subject to claims by third parties for patent infringement, breach of copyright, trademark, license usage or other intellectual property rights. Any claim from third parties may result in a limitation on our ability to use the intellectual property subject to these claims. Additionally, in recent years, individuals and groups have been purchasing intellectual property assets for the sole purpose of making claims of infringement and attempting to extract settlements from companies like ours. Even if we believe that intellectual property related claims are without merit, defending against such claims is resource intensive and expensive and could result in the diversion of the time and attention of our management and employees. Claims of intellectual property infringement also might require us to redesign affected products or services, enter into costly settlement or license agreements, pay costly damage awards for which we may not have insurance, or face a temporary or permanent injunction prohibiting us from marketing or selling certain of our products or services. Even if we have an agreement for indemnification against such costs, the indemnifying party, if any in such circumstances, may be unable to uphold its contractual obligations. If we cannot or do not license the infringed technology on reasonable terms or substitute similar technology from another source, our revenue and earnings could be materially and adversely affected.

We use certain software licensed under open-source licenses and may continue to use such software in the future. Some open-source licenses require us to make available source code for modifications or derivative works that we create based upon the open source software, and that we license such modifications or derivative works pursuant to a particular open source license or other license allowing further use by third parties. Some open-source licenses could require us to release the source code of our proprietary software if we combine our proprietary software with the open-source software subject to that license. Additionally, the terms of many open-source licenses have not been interpreted by United States or other courts, and there is a risk that these licenses could be construed in a manner that imposes unanticipated conditions or restrictions on our ability to commercialize our solutions. Using open-source software can also be riskier than using software subject to a more restrictive license because open-source licenses generally do not contain such protections as warranties. Many of the risks associated with using open-source software cannot be eliminated and using such software could adversely affect us.

Our business functions at the intersection of rapidly changing technological, social, economic and regulatory developments that require a wide-ranging set of expertise and intellectual capital. For us to continue to successfully compete and grow, we must attract, recruit, develop and retain the necessary personnel who can provide the needed expertise across the entire spectrum of our intellectual capital needs. While we have a number of key personnel who have substantial experience with our operations, we must also develop our personnel to provide succession plans capable of maintaining continuity in the midst of the inevitable unpredictability of human capital. The market for qualified personnel is competitive, and we may not succeed in recruiting additional personnel or may fail to effectively replace current personnel who depart with qualified or effective successors. Our effort to retain and develop personnel may also result in significant additional expenses, which could adversely affect our profitability. We can make no assurances that qualified employees will continue to be employed or that we will be able to attract and retain qualified personnel in the future. Failure to retain or attract key personnel could have a material adverse effect on our business, financial condition and results of operations.

We pay interchange fees or assessments to the issuing bank through the card associations for each transaction that is processed using their credit and debit cards. From time to time, the card associations increase the interchange fees that they charge processors and the sponsoring bank. At their sole discretion, our sponsoring bank may pass increases in interchange fees on to us. In addition, our sponsoring bank may seek to increase its sponsorship fees charged to us, all of which are based upon the dollar amount of the payment transactions we process. If we are not able to pass these fee increases along to customers through corresponding increases in our processing fees, our profit margins will be reduced.

We are exposed to general economic conditions that affect consumer confidence, consumer spending, consumer discretionary income and changes in consumer purchasing habits, as well as changes in political conditions. Economic conditions in the United States continue to be challenging in certain respects, and the United States economy has experienced significant inflation, elevated interest rates, and challenging labor market conditions. Adverse economic conditions may adversely affect our financial performance. We have been adversely impacted by challenging economic conditions in the United States and may continue to adversely impacted by such conditions, particularly if current economic conditions deteriorate.