Quiver Quantitative

Risk Factors Dashboard

Once a year, publicly traded companies issue a comprehensive report of their business, called a 10-K. A component mandated in the 10-K is the ‘Risk Factors’ section, where companies disclose any major potential risks that they may face. This dashboard highlights all major changes and additions in new 10K reports, allowing investors to quickly identify new potential risks and opportunities.

View risk factors by ticker

Search filings by term

Risk Factors - IIIV

-New additions in green
-Changes in blue
-Hover to see similar sentence in last filing

Item 1A. Risk Factors

Our business faces significant risks and uncertainties. If any of the following risks are realized, our business, financial condition and results of operations could be materially and adversely affected. The following risk factors, some of which contain statements that constitute forward-looking statements, should be read in conjunction with “Management’s Discussion and Analysis of Financial Condition and Results of Operations” and our consolidated financial statements and related notes.

Risks Related to Our Business and Industry

Unauthorized disclosure, destruction or modification of data or disruption of our services or other cybersecurity or technological risks, including as a result of a cybersecurity incident, could expose us to liability, protracted and costly litigation and damage our reputation.

We and other third parties collect, process, store and transmit sensitive data, such as names, addresses, social security numbers, credit or debit card numbers and expiration dates, drivers’ license numbers and bank account numbers, and we have ultimate liability to the payment networks and member financial institutions that register us with the payment networks for our failure, or the failure of certain third parties with whom we contract, to protect this data in accordance with payment network requirements. The loss, destruction or unauthorized modification of customer or cardholder data could result in significant fines, sanctions and proceedings or actions against us by the payment networks, governmental bodies, consumers or others, which could have a material adverse effect on our business, financial condition and results of operations. Any such sanction, fine, proceeding or action could damage our reputation, force us to incur significant expenses in defense of these proceedings, disrupt our operations, distract our management, increase our costs of doing business and may result in the imposition of monetary liability.

We are subject to risk associated with information technology and cybersecurity matters. For example, on June 2, 2021, the State of Louisiana, Division of Administration and a putative class of Louisiana law enforcement districts filed a petition in the 19th Judicial District Court for the Parish of East Baton Rouge against i3-Software & Services, LLC (“S&S”), a subsidiary of the Company located in Shreveport, Louisiana, seeking monetary damages related to a third-party remote access software product used in connection with services provided by S&S to certain Louisiana Parish law enforcement districts and alleged inadequacies in the Company’s cybersecurity practices. For additional information about this litigation, see Note 16 to our consolidated financial statements.

Like other companies in our industry, our systems are subject to recurring attempts by third parties to access information, manipulate data or disrupt our operations. Although we proactively employ multiple measures to defend our systems against intrusions and attacks and to protect the data we collect, our measures may not prevent unauthorized access or use of sensitive data. In addition, the cybersecurity-related threats that we face may remain undetected for an extended period of time. In addition, the rapid evolution and increased adoption of artificial intelligence (“AI”) and other emerging technologies also may heighten our cybersecurity risks by making cyberattacks and social engineering more difficult to detect, contain and mitigate.

While we have experienced cyber threats and incidents, we have not (whether directly or indirectly, including through our third-party vendors, customers or other business relations) been subject to a cybersecurity event of which we are aware that has had a material impact on us, including our business strategy, financial condition or results of operations. However, despite our security measures, there is no assurance that we, or the third parties with which we interact, will not experience a cybersecurity incident in the future that materially impacts us. In addition, a breach of our system or a third-party system upon which we rely may subject us to material losses or liability, including payment network fines, assessments and claims for unauthorized purchases with misappropriated credit, debit or card information, impersonation or other similar fraud claims. A misuse of such data or a cybersecurity breach could harm our reputation and deter our customers and potential customers from using electronic payments generally and our products and services specifically, thus reducing our revenue. In addition, any such misuse or breach could cause us to incur costs to correct the breaches or failures, increase our risk of regulatory scrutiny, subject us to lawsuits and result in the imposition of material penalties and fines under

state and federal laws (including HIPAA) or by the payment networks. These risks may be heightened in connection with employees working from remote work environments, as our dependency on certain service providers, such as video conferencing and web conferencing services, has significantly increased. In addition, to access our network, products and services, customers and other third parties may use personal mobile devices or computing devices that are outside of our network environment and subject to their own security risks. While we maintain insurance coverage that may, subject to policy terms and conditions, cover certain aspects of cyber risks, such insurance coverage may be insufficient to cover all losses. A significant cybersecurity breach could also result in payment networks prohibiting us from processing transactions on their networks or the loss of our financial institution sponsorship that facilitates our participation in the payment networks, either of which could materially impede our ability to conduct business. In addition, as cybersecurity threats continue to evolve, we have expended, and expect to continue to expend, significant resources to continue to modify or enhance our protective measures or to investigate and remediate any information security vulnerabilities, but we still might be unable to successfully prevent certain cyberattacks.

Any failure by such third parties to adequately take these protective measures could result in protracted or costly litigation.

Any failure to adequately comply with these protective measures could result in fees, penalties, litigation or termination of our bank sponsor agreement.

Our software and systems and our third-party providers’ software and systems may fail, or our third-party providers may discontinue providing their services or technology generally or to us specifically, which in either case could interrupt our business, cause us to lose business and increase our costs.

Our services are based on software and computing systems that often encounter development delays, and the underlying software may contain undetected errors, viruses or defects. Defects in our software services or errors or delays could result in additional development costs, diversion of technical and other resources from our other development efforts, loss of credibility with current or potential customers, harm to our reputation and exposure to liability claims.

Our systems and operations or those of our third-party technology vendors could be exposed to damage or interruption from, among other things, fire, natural disaster, power loss, telecommunications failure, unauthorized entry, computer viruses, denial-of-service attacks, acts of terrorism, human error, vandalism or sabotage, financial insolvency and similar events. Our property and business interruption insurance may not be adequate to compensate us for all losses or failures that may occur. Likewise, while we have disaster recovery policies and arrangements in place, they have not been tested under actual disasters or similar events. Although we seek to minimize these risks through security measures, controls, back-up data centers and emergency planning, there can be no assurance that such efforts will be successful or effective. Defects in our systems or those of third parties, errors or delays in the processing of payment transactions, telecommunications failures or other difficulties could result in:

•loss of revenues;

•loss of customers;

•loss of customer and cardholder data;

•fines imposed by payment networks or regulators;

•harm to our business or reputation resulting from negative publicity;

•exposure to fraud losses or other liabilities;

•additional operating and development costs; or

•diversion of management, technical and other resources, among other consequences.

We rely on third parties for specific services, software and hardware used in providing our products and services. These third parties, including hosting providers such as AWS, are necessary for our internal business needs and for the delivery of various cloud and other hosted solutions to customers. These hosting providers rely on the uninterrupted operation of data centers and the ability to protect computer equipment and information stored in these data centers against unanticipated failures, intrusions, viruses, acts of terrorism and similar damaging events.

We also rely in part on third parties for the development and access to new technologies, or for updates to existing products and services for which they provide ongoing support. Failure by these third-party providers to devote an appropriate level of attention to our products and services could result in delays in introducing new products or services, or delays in resolving any issues with existing products or services for which third-party providers provide ongoing support.

Some of our solutions contain "open-source" software, and any failure to comply with the terms of one or more of applicable open-source licenses could negatively affect our business.

We use certain software licensed under open-source licenses and may continue to use such software in the future. Some open-source licenses could require us to release the source code of our proprietary software if we combine our proprietary software with the open-source software subject to that license. Additionally, the terms of many open-source licenses have not been interpreted by United States or other courts, and there is a risk that these licenses could be construed in a manner that imposes unanticipated conditions or restrictions on our ability to commercialize our solutions. Using open-source software can also be riskier than using software subject to a more restrictive license because open-source licenses generally do not contain such protections as warranties. Many of the risks associated with using open-source software cannot be eliminated and using such software could adversely affect us.

We have a history of operating losses and will need to generate significant revenues to attain and maintain profitability and positive cash flow and continue our acquisition program.

Since inception in 2012, we have been engaged in growth activities and have made a significant number of acquisitions that have grown our business. This acquisition activity requires substantial capital and other expenditures. While we had substantial net income attributable to i3 Verticals, Inc. in the year ended September 30, 2024 as a result of the gain associated with the divestiture of our Merchant Services Business, taking into account the factors above, we incurred net losses attributable to i3 Verticals, Inc. A substantial portion of our historical revenue growth has resulted from acquisitions. For the year ended September 30, 2024, the incremental impact of revenues attributable to the acquisitions we completed in 2023 and 2024 were $2.4 million, or 1.0% of our total revenues, net of intercompany eliminations. We expect our cash needs to increase for the next several years as we:

•make additional acquisitions;

•market our products and services;

•expand our customer support and service operations;

•hire additional marketing, customer support and administrative personnel; and

•implement new and upgraded operational and financial systems, procedures and controls.

As a result of these continuing costs and expenses, we need to generate significant revenues to attain and maintain profitability and positive cash flow. To date, our operations have been supported by equity and debt financings. If we do not continue to increase our revenues, our business, results of operations and financial condition could be materially and adversely affected.

Such competition could adversely affect the revenue we receive, and as a result, our margins, business, financial condition and results of operations.

Our growth will largely depend on our ability to increase our market share.

Our competitors in the vertical market software industry include, among others, Tyler Technologies, Inc., Constellation Software, Inc. Verra Mobility Corp, EverCommerce Inc., Roper Technologies, Inc., Flywire Corp, Weave Communications Inc., Phreesia Inc. and Waystar Holding Corp.

Many of our competitors have substantially greater financial, technological, and marketing resources than we have. They also may be able to offer and provide products and services that we do not offer. Additionally, larger financial institutions may decide to perform in-house some or all of the services we provide or could provide, which may give them a competitive advantage in the market. There are also a large number of small providers of vertical market software services or payment processing services that provide various ranges of services to our customers and our potential customers. This competition may effectively limit the prices we can charge and requires us to control costs aggressively in order to maintain acceptable profit margins. One or more of these factors could have a material adverse effect on our business, financial condition and results of operations.

In addition, we are also subject to risks as a result of changes in business habits of our vendors and customers as they adjust to the competitive marketplace. Because our standing arrangements and agreements with our vendors and customers typically contain no purchase or sale obligations and are terminable by either party upon no or relatively short notice, we are subject to significant risks associated with the loss or change at any time in the business habits and financial condition of key vendors as they adapt to changes in the market.

If we cannot keep pace with rapid developments and changes in our industry, the use of our products and services could decline, causing a reduction in our revenues.

To remain competitive, we continually pursue initiatives to develop new products and services to compete in an effective manner. These projects carry risks, such as cost overruns, delays in delivery, performance problems and lack of customer acceptance. In addition, new products and offerings may not perform as intended or generate the business or revenue growth expected. Additionally, we look for acquisition opportunities, investments and alliance relationships with other businesses that will increase our market penetration and enhance our technological capabilities, product offerings and distribution capabilities. Any delay in the delivery of new products and services or the failure to differentiate our products and services or to accurately predict and address market demand could render our products and services less desirable, or even obsolete.Further, the development of AI is complex and uncertain, and presents various risks and uncertainties, including as the result of the rapidly evolving legal, regulatory and ethical landscape associated with the use of AI. Our inability to successfully or effectively implement AI initiatives, or other deficiencies or failures in our AI systems or initiatives, could subject us to competitive harm, legal and regulatory risk, and increase our cybersecurity, intellectual property, and privacy risks. Any of the foregoing could have a material and adverse effect on our operating results and financial condition.

The continued growth and development of our software and related services will depend on our ability to anticipate and adapt to changes in consumer behavior. For example, our failure to timely integrate emerging payment methods into our software could cause us to lose traction among our customers , resulting in a corresponding loss of revenue.

Our payment processing technology offerings in connection with our software must also integrate with a variety of network, hardware, mobile and software platforms and technologies. If we are unable to develop, adapt to or access technological changes or evolving industry standards on a timely and cost-effective basis, our business, financial condition and results of operations would be materially adversely affected.

If we fail to comply with the applicable requirements of the Visa and Mastercard payment networks, those payment networks could seek to fine us, suspend us or terminate our registrations through our bank sponsor.

We do not directly access the payment card networks, such as Visa and Mastercard, that enable our acceptance of credit cards and debit cards, including some types of prepaid cards. To provide our payment facilitator services, we are registered through our bank sponsor with the Visa and Mastercard networks. The rules of the card networks are set by their boards, which may be influenced by card issuers, some of which offer competing transaction processing services. The PCI Security Standards Council released fulsome revisions in version 4.0, which has been further updated by version 4.0.1, and includes stronger standards that increase the compliance burden on processors and require additional training, education and support tools for processors to support their merchants.

If we or our bank sponsor fails to comply with the applicable rules and requirements of the Visa or Mastercard payment networks, Visa or Mastercard could suspend or terminate our member registration or certification, which would make it impossible for us to conduct our business on its current scale. Further, our transaction processing capabilities, including with respect to settlement processes, could be delayed or otherwise disrupted, and recurring non-compliance could result in the payment networks seeking to fine us. In addition, card networks and their member financial institutions regularly update, and generally expand, security expectations and requirements related to the security of cardholder data and environment. Under certain circumstances, we are required to report incidents to the card networks within a specified time frame.

We may also be subject to penalties from the payment card networks if we fail to detect that our customers are engaging in activities that are illegal, contrary to the payment card network operating rules, or considered “high-risk.” We must either prevent high-risk merchants from using our products and services or register such merchants with the payment card networks and conduct additional monitoring with respect to such merchants. Such penalties could be material and could result in termination of registration or could require changes in our process for registering new customers. This could materially and adversely affect our business.

Under certain circumstances specified in the payment network rules, we may be required to submit to periodic audits, self-assessments or other assessments of our compliance with the PCI DSS. Such activities may reveal that we have failed to comply with the PCI DSS. In addition, even if we comply with the PCI DSS, there is no assurance that we will be protected from a security breach. If we are unable to comply with the requirements applicable to our settlement activities, the payment networks may no longer allow us to provide these services, which would require us to spend additional resources to obtain settlement services from a third-party provider. In addition, if we were precluded from processing Visa and Mastercard electronic payments, we would lose substantially all of our payments-related revenues.

The Nacha Operating Rules impose obligations on us and our partner financial institutions. These obligations include audit and oversight by the financial institutions and the imposition of mandatory corrective action, including termination, for serious violations.

If the bank that sponsors us with the Visa and Mastercard networks stop sponsoring us, we would need to find other financial institutions to provide those services, which could be difficult and expensive. If we were unable to find a replacement financial institution to provide sponsorship, we could no longer provide processing services to affected customers, which would negatively impact our revenues and earnings.

If our processing services agreement with Payroc is terminated and we are not able to enter into replacement processing relationship with another party, our ability to provide payment processing services to our affected software customers may be adversely impacted.

In connection with the sale of our Merchant Services Business, we entered into a processing services agreement with Payroc (the “Payroc Processing Agreement”). Under the Payroc Processing Agreement, Payroc agreed to, among other things, process payments for a portion of our software customers in accordance with Payroc’s relationships with certain payment processors and sponsor banks. This processing structure for these specific software customers is intended to be temporary, and we expect such customers will eventually transition into our payment facilitation platform. If, however, the Payroc Processing Agreement is terminated and we are unable to enter into a replacement processing relationship with another party on acceptable terms or in a timely fashion, or if Payroc’s relationship with its processors or sponsor banks is terminated or significantly modified in fashion that is adverse to us or our customers, our ability to provide payment processing services to our affected software customers may be adversely impacted, which could have a material adverse effect on our business, financial condition, and results of operations.

Consolidation in the banking and financial services industry could adversely affect our business, results of operations and financial condition.

It is possible that larger financial institutions that result from consolidations will have increased bargaining power when negotiating, which could result in less favorable contractual terms for us. Larger financial institutions resulting from consolidations may also decide to perform in-house some or all of the services we provide or could provide. These foregoing matters could have an adverse effect on our business, result of operations and financial condition.

We have faced, and may in the future face, chargeback liabilities if our customers refuse or cannot reimburse chargebacks resolved in favor of their customers, and we may not accurately anticipate these liabilities.

We have potential liability for chargebacks associated with our customers’ processing transactions. In most circumstances, if a billing dispute between a customer and a cardholder is not ultimately resolved in favor of our customer, the disputed transaction is “charged back” to the customer’s bank and credited to the account of the cardholder. Anytime our customer is unable to satisfy a chargeback, we are responsible for that chargeback.

If we are unable to collect the chargeback from the customer’s account or reserve account (if applicable), or if the customer refuses or is financially unable due to bankruptcy or other reasons to reimburse us for the chargeback, we bear the loss for the amount of the refund paid to the cardholder’s bank. While we did not incur material chargeback losses in our 2024 or 2023 fiscal years, any increase in chargebacks not paid by our customers could have a material adverse effect on our business, financial condition and results of operations.

We are potentially liable for losses caused by fraudulent card transactions. Card fraud occurs when a customer’s customer uses a stolen or counterfeit credit, debit or prepaid card, card number or other credentials to purchase merchandise or services. In a traditional card-present transaction, if the customer swipes the card, receives authorization for the transaction from the card issuing bank and verifies the signature on the back of the card against the paper receipt signed by the customer, the card issuing bank remains liable for any loss. In a fraudulent card-not-present transaction, even if the customer receives authorization for the transaction, the customer is liable for any loss arising from the transaction. Because their sales are card-not-present transactions, these customers are more vulnerable to customer fraud than other customers.

Business fraud occurs when a business or organization, rather than a cardholder, knowingly uses a stolen or counterfeit card or card number to record a false sales transaction, or intentionally fails to deliver the merchandise or services sold in an otherwise valid transaction. Business fraud also occurs when employees of businesses change the business demand deposit accounts to their personal bank account numbers, so that payments are improperly credited to the employee’s personal account. We have established systems and procedures to detect and reduce the impact of business fraud, but there can be no assurance that these measures are or will be effective. Incidents of fraud could increase in the future. Failure to effectively manage risk and prevent fraud could increase our chargeback liability and other liability, which could have a material adverse effect on our business, financial condition and results of operations.

Visa rules associated with chargeback and fraud are being consolidated effective April 1, 2025, into the Visa Acquirer Monitoring Program, which will phase out the existing Visa Fraud Monitoring Program and Visa Dispute Monitoring Program. Visa's new rules could have serious implications for the types of businesses that we can support, and high-risk merchants will be impacted by the changes.

On occasion, we experience increases in interchange and sponsorship fees; if we cannot pass these increases along to our customers, our profit margins will be reduced.

From time to time, the card associations increase the interchange fees that they charge processors and the sponsoring bank. If we are not able to pass these fee increases along to customers through corresponding increases in our processing fees, our profit margins will be reduced.

Third-party hardware that we sell to our customers is generally procured from a limited number of suppliers. Thus, we are at risk of shortages, price increases, changes, delays or discontinuations of hardware, which could disrupt our business.

A number of such products come from

limited number of suppliers. Due to our reliance on the products produced by a limited number of suppliers, we are subject to the risk of shortages and long lead times in the supply of certain products. Additionally, various sources of supply-chain risk, including strikes or shutdowns at delivery ports or loss of or damage to our products while they are in transit or storage, intellectual property theft, losses due to tampering, issues with quality or sourcing control, failure by our suppliers to comply with applicable laws and regulation, potential tariffs or other trade restrictions, or other similar problems could limit or delay the supply of our products or harm our reputation. In the event of a shortage or supply interruption from suppliers, we may not be able to develop alternate sources quickly, cost-effectively, or at all. Any interruption or delay in manufacturing supply, any increases in costs, or the inability to obtain these products from alternate sources at acceptable prices and within a reasonable amount of time, could harm our ability to provide products to our customers.

We are subject to economic and political risk, the business cycles of our customers and changes in the overall level of consumer and commercial spending, which could negatively impact our business, financial condition and results of operations.

We are exposed to general economic conditions that affect consumer confidence, consumer spending, consumer discretionary income and changes in consumer purchasing habits, as well as changes in political conditions. Adverse economic conditions may adversely affect our financial performance.

U.S. and international markets are experiencing uncertain and volatile economic and geopolitical conditions, including from the impacts of military conflict in the Middle East, Russian aggression in Ukraine, rises in fuel costs, sustained inflation, threats or concerns of recession, and supply chain disruptions. These conditions make it extremely difficult for us to accurately forecast and plan future business activities. Together, these circumstances create an environment in which it is challenging for us to predict future operating results.

In addition, our business, financial condition and results of operations could be materially adversely affected by outbreaks of illnesses, epidemics or pandemics, climate-related events, including extreme weather events and natural disasters, riots, strikes, civil insurrection or social unrest, terrorist or criminal activities, or other catastrophic events or other political and economic instability.

A decline in the use of cards and ACH as payment mechanisms for consumers and businesses or adverse developments in the electronic payment industry in general could adversely affect our business, financial condition and operating results.

If consumers and businesses do not continue to use cards or ACH as payment mechanisms for their transactions or if the mix of payments among the types of cards and ACH changes in a way that is adverse to us, it could have a material adverse effect on our business, financial condition and results of operations. Regulatory changes may also result in our customers seeking to charge their customers additional fees for use of credit or debit cards. Additionally, in recent years, increased incidents of security breaches have caused some consumers to lose confidence in the ability of businesses to protect their information, causing certain consumers to discontinue use of electronic payment methods. Security breaches could result in financial institutions canceling large numbers of credit and debit cards, or consumers or businesses electing to cancel their cards following such an incident.

We may not be able to successfully execute our strategy of growth through acquisitions.

Our future growth and profitability depend, in part, upon our continued growth within the vertical markets in which we currently operate.

Although we expect to continue to execute our acquisition strategy:

•we may not be able to identify suitable acquisition candidates or acquire additional assets on favorable terms;

•we may compete with others to acquire assets, which competition may increase, and any level of competition could result in decreased availability or increased prices for acquisition candidates;

•we may compete with others for select acquisitions and our competition may consist of larger, better-funded organizations with more resources and easier access to capital;

•we may experience difficulty in anticipating the timing and availability of acquisition candidates;

•we may not be able to obtain the necessary financing, on favorable terms or at all, to finance any of our potential acquisitions; and

•we may not be able to generate cash necessary to execute our acquisition strategy.

The occurrence of any of these factors could adversely affect our growth strategy.

There are certain risks associated with the sale of our Merchant Services Business which was completed in September 2024.

In September 2024, we completed the sale of our Merchant Services Business. There is no assurance that we will be able to realize the anticipated benefits from the disposition of our Merchant Services Business. Moreover, there are post-closing risks associated with the ancillary agreements entered into by us at the closing, including the transition services agreement, the processing services agreement, and the restrictive covenant agreement. In addition, pursuant to the Purchase Agreement, we agreed to indemnify Payroc with respect to certain matters and we agreed to retain certain liabilities related to the Merchant Services Business, which in any such case could result in liability to us following the closing. Further, we are now highly dependent on the success of our two remaining business segments, our Public Sector segment and Healthcare segment.

Revenues and profits generated via acquisition may be less than anticipated, the integration process could experience delays or difficulties, and we may fail to uncover all liabilities of acquisition targets through the due diligence process prior to an acquisition, resulting in unanticipated costs, losses or a decline in profits, as well as potential impairment charges.

In evaluating and determining the purchase price for a prospective acquisition, we estimate the future revenues and profits from that acquisition based largely on historical financial performance. Following an acquisition, we may experience some customer attrition.

We perform a due diligence review of each of our acquisition partners. This due diligence review, however, may not adequately uncover all of the contingent or undisclosed liabilities we may incur as a consequence of the proposed acquisition, exposing us to potentially significant, unanticipated costs, as well as potential impairment charges. An acquisition may also subject us to additional regulatory burdens that affect our business in potentially unanticipated and significantly negative ways.

In connection with some acquisitions, we may incur non-recurring severance expenses, restructuring charges or change of control payments. These expenses, charges or payments, as well as the initial costs of integrating the personnel and facilities of an acquired business with those of our existing operations, may adversely affect our operating results during the initial financial periods following an acquisition. In addition, the integration of newly acquired companies may lead to diversion of management attention from other ongoing business concerns.

We may not be able to successfully manage our intellectual property.

Our intellectual property is critical to our future success, particularly in our strategic verticals where we may offer proprietary software solutions to our customers. We rely on a combination of contractual license rights and copyright, trademark and trade secret laws to establish and protect our proprietary technology. Third parties may challenge, invalidate, circumvent, infringe or misappropriate our intellectual property or the intellectual property of our third-party licensors, or such intellectual property may not be sufficient to permit us to take advantage of current market trends or otherwise to provide competitive advantages, which could result in costly redesign efforts, discontinuance of certain service offerings or other competitive harm. Others, including our competitors, may independently develop similar technology, duplicate our products and services, design around or reverse engineer our intellectual property, and in such cases neither we nor our third-party licensors may be able to assert intellectual property rights against such parties. Further, our contractual license arrangements may be subject to termination or renegotiation with unfavorable terms to us, and our third-party licensors may be subject to bankruptcy, insolvency and other adverse business dynamics, any of which might affect our ability to use and exploit the products licensed to us by these third-party licensors. We may have to litigate to enforce or determine the scope and enforceability of our intellectual property rights (including litigation against our third-party licensors), which is expensive, could cause a diversion of resources and may not prove successful. The loss of intellectual property protection or the inability to obtain third-party intellectual property could harm our business and ability to compete.

We may be subject to infringement claims.

We may be subject to costly litigation if our products or services are alleged to infringe upon or otherwise violate a third party’s proprietary rights. Third parties may have, or may eventually be issued, patents that could be infringed by our products and services. Any of these third parties could make a claim of infringement against us with respect to our products and services. We may also be subject to claims by third parties for patent infringement, breach of copyright, trademark, license usage or other intellectual property rights. Any claim from third parties may result in a limitation on our ability to use the intellectual property subject to these claims. Additionally, in recent years, individuals and groups have been purchasing intellectual property assets for the sole purpose of making claims of infringement and attempting to extract settlements from companies like ours. Claims of intellectual property infringement also might require us to redesign affected products or services, enter into costly settlement or license agreements, pay costly damage awards for which we may not have insurance, or face a temporary or permanent injunction prohibiting us from marketing or selling certain of our products or services. Even if we have an agreement for indemnification against such costs, the indemnifying party, if any in such circumstances, may be unable to uphold its contractual obligations. If we cannot or do not license the infringed technology on reasonable terms or substitute similar technology from another source, our revenue and earnings could be materially and adversely affected.

If we lose key personnel, or if their reputations are damaged, our business, financial condition and results of operations may be adversely affected, and proprietary information of our company could be shared with our competitors.

We depend on the ability and experience of a number of our key personnel who have substantial experience with our operations, the rapidly changing payment processing industry and the vertical markets in which we offer our products and services. Many of our key personnel have worked for us for a significant amount of time or were recruited by us specifically due to their experience. It is possible that the loss of the services of one or a combination of our senior executives or key managers could have a material adverse effect on our business, financial condition and results of operations. In addition, contractual obligations related to confidentiality and assignment of intellectual property rights may be ineffective or unenforceable, and departing employees may share our proprietary information with competitors in ways that could adversely impact us.

In a dynamic industry like ours, our success and growth depend on our ability to attract, recruit, retain and develop qualified employees.

Our business functions at the intersection of rapidly changing technological, social, economic and regulatory developments that require a wide-ranging set of expertise and intellectual capital. For us to continue to successfully compete and grow, we must attract, recruit, develop and retain the necessary personnel who can provide the needed expertise across the entire spectrum of our intellectual capital needs. While we have a number of key personnel who have substantial experience with our operations, we must also develop our personnel to provide succession plans capable of maintaining continuity in the midst of the inevitable unpredictability of human capital. The market for qualified personnel is competitive, and we may not succeed in recruiting additional personnel or may fail to effectively replace current personnel who depart with qualified or effective successors. Our effort to retain and develop personnel may also result in significant additional expenses, which could adversely affect our profitability. We can make no assurances that qualified employees will continue to be employed or that we will be able to attract and retain qualified personnel in the future. Failure to retain or attract key personnel could have a material adverse effect on our business, financial condition and results of operations.

Our operating results and operating metrics are subject to seasonality and volatility, which could result in fluctuations in our quarterly revenues and operating results or in perceptions of our business prospects.

The number of business days in a month or quarter also may affect seasonal fluctuations. Certain revenues in our Public Sector segment fluctuate with the fiscal calendars of our customers. Transactional revenue for our Education customers is strongest in August, September, October, January and February, at the start of each semester, and generally weakens throughout the semester, with little revenue in the summer months of June and July. Operating expenses show less seasonal fluctuation, with the result that net income is subject to the same seasonal factors as our revenues. The growth in our business may have partially overshadowed seasonal trends to date, and seasonal impacts on our business may be more pronounced in the future. Volatility in our key operating metrics or their rates of growth could have a negative impact on our financial results and investor perceptions of our business prospects.

We are the subject of various claims and legal proceedings and may become the subject of claims, litigation or investigations which could have a material adverse effect on our business, financial condition or results of operations.

In the ordinary course of business, we are the subject of various claims and legal proceedings and may become the subject of claims, litigation or investigations, including commercial disputes and employee claims, such as claims of age discrimination, sexual harassment, gender discrimination, immigration violations or other local, state and federal labor law violations, and from time to time may be involved in governmental or regulatory investigations or similar matters arising out of our current or future business. Any claims asserted against us or our management, regardless of merit or eventual outcome, could harm our reputation or the reputation of our management and have an adverse impact on our relationship with our customers and other third parties and could lead to additional related claims. In light of the potential cost and uncertainty involved in litigation, we have in the past and may in the future settle matters even when we believe we have a meritorious defense. Certain claims may seek injunctive relief, which could disrupt the ordinary conduct of our business and operations or increase our cost of doing business. Our insurance or indemnities may not fully cover all claims that may be asserted against us. Furthermore, there is no guarantee that we will be successful in defending ourselves in pending or future litigation or similar matters under various laws. Any judgments or settlements in any pending litigation or future claims, litigation or investigation could have a material adverse effect on our business, financial condition and results of operations.

We are exposed to fluctuations in foreign currency exchange rates, which could negatively affect our financial condition and operating results.

Our contracts are primarily denominated in U.S. dollars, and therefore, substantially all of our revenue is not subject to foreign currency risk. However, there has been, and may continue to be, significant volatility in global stock markets and foreign currency exchange rates that result in the strengthening of the U.S. dollar against foreign currencies in which we conduct business. The strengthening of the U.S. dollar increases the real cost of our products to our end-customers outside of the United States and may lead to reduced demand for our services. If the U.S. dollar continues to strengthen, this could adversely affect our financial condition and operating results. Our operating expenses incurred outside the United States and denominated in foreign currencies are increasing and are subject to fluctuations due to changes in foreign currency exchange rates. If we are not able to successfully hedge against the risks associated with foreign currency fluctuations, our financial condition and operating results could be adversely affected.

Our international operations subject us to additional risks which could have an adverse effect on our business, operating results, and financial condition.

We employ resources in India, to support our onshore operations. Countries outside of the United States may be subject to relatively higher degrees of political and social instability and may lack the infrastructure to withstand political unrest or natural disasters. The occurrence of natural disasters, pandemics, or political or economic instability in these countries could interfere with work performed by these labor sources or could result in our having to replace or reduce these labor sources. If countries in which we operate experience civil or political unrest or acts of terrorism, our operations in such countries could be materially impaired. Our vendors in other countries could potentially shut down suddenly for any reason, including financial problems or personnel issues. Such disruptions could decrease efficiency, increase our costs and have an adverse effect on our business or results of operations.

Further, many foreign data privacy regulations (including India’s Digital Personal Data Protection Act) can be more stringent than those in the United States. These laws and regulations are rapidly evolving and changing and could have an adverse effect on our operations. Our obligations and requirements under these laws and regulations are subject to uncertainty in how they may be interpreted by government authorities and regulators. The costs of compliance with, and the other burdens imposed by, these and other laws or regulatory actions may increase our operational costs, affect our customers’ willingness to permit us to use and store personal data, prevent us from selling our products or services, and/or affect our ability to invest in or jointly develop products. Failure to comply with these laws may result in governmental enforcement actions, private claims, including class action lawsuits, and damage to our reputation. We may also face audits or investigations by one or more foreign government agencies relating to our compliance with these regulations.

Risks Related to Regulation

We are subject to extensive laws and government regulation, the costs of compliance with which can be significant, and our actual or perceived failure to comply with such obligations may subject us to penalties and otherwise have an unfavorable impact on our business, financial condition and results of operations.

We are subject to numerous federal and state laws and regulations that affect the electronic payments industry and the other industries in which we provide services. Regulation of our industry has increased significantly in recent years and is constantly evolving. We are also subject to other laws and regulations, including those addressing U.S. financial services, consumer protection, escheat and privacy and information security, among other subjects. Changes to statutes, regulations or industry standards, including interpretation and implementation of statutes, regulations or standards, could increase our cost of doing business or affect the competitive balance. Failure to comply with laws and regulations may have an adverse effect on our business, including the limitation, suspension or termination of services provided to, or by, third parties, and the imposition of other penalties or fines. To the extent these laws and regulations negatively impact the business, operations or financial condition of our customers, our business and results of operations could be materially and adversely affected because, among other matters, our customers could have less capacity to purchase products and services from us, could decide to avoid or abandon certain lines of business, or could seek to pass on increased costs to us by negotiating price reductions. In addition, we could be required to invest a significant amount of time and resources in response to new or changes to existing laws, regulations or oversight, or to modify the manner in which we contract with or provide products and services to our customers; and those laws and regulations could directly or indirectly limit how much we can charge for our services. We may not be able to update our existing products and services, or develop new ones, to satisfy our customers’ needs. Any of these events, if realized, could have a material adverse effect on our business, results of operations and financial condition.

Various laws and regulations, including those in other industries in which we provide services, even if such laws and regulations are not directed at us, may require us to make significant efforts to change our products and services and may require that we incur additional compliance costs and change how we price our products and services to our customers . Implementing new compliance risk mitigation strategies efforts can be significant with the complexity of regulatory requirements, and we are devoting and will continue to devote significant resources to address compliance requirements. Furthermore, regulatory actions may cause changes in business practices by us and other industry participants which could affect how we market, price and distribute our products and services, and which could materially adversely affect our business, financial condition and results of operations. In addition, even an inadvertent failure to comply with laws and regulations, as well as rapidly evolving social expectations of corporate fairness, could damage our business or our reputation.

Compliance with the Dodd-Frank Act and other federal and state regulations applicable to our business may increase our compliance costs, limit our revenues and otherwise negatively affect our business.

Since the enactment of the Dodd-Frank Act, there have been substantial reforms to the supervision and operation of the financial services industry, including numerous new regulations that have imposed additional compliance costs and, in some cases, limited revenue sources for us and our financial institution partners and customers. Among other things, the Dodd-Frank Act established the CFPB, which is empowered to conduct rule-making and supervision related to, and enforcement of, federal consumer financial protection laws. The CFPB has issued guidance that applies to “supervised service providers,” which the CFPB has defined to include service providers, like us, to CFPB supervised banks and nonbanks.

In that regard the CFPB July 25, 2024 report entitled The Cost of Electronic Payments in K-12 Schools, the report included discussion on the CFPB’s Fall 2023 edition of their Supervisory Highlights report and a 2014 USDA Policy Memorandum regarding school lunch fees. The CFPB report concluded that certain payment processing practices utilized by the Company and other participants in our industry may violate consumer financial protection laws.

The appearance of being involved in unfair trade practices and violating consumer protection laws when offering payment processing services to our customers could harm our reputation with our customers. Further,

compliance with emerging sector-specific regulations may negatively impact our business, financial condition and results of operations by requiring us to alter our fee structure or payment processing practices.

The CFPB's focus on these payment processing practices may also lead to litigation against the Company. Other companies in our industry that serve the public school sector have been the target of litigation related to the CFPB's increased focus on certain payment processing company practices as potentially volatile of consumer financial laws and as unfair trade practices. As sector-specific laws, governmental rules and regulations develop to implement restrictions on payment processing services within certain sectors, we could become the subject of similar litigation, which could adversely impact our reputation, business and financial results.

In addition, federal and state agencies have recently proposed or enacted cybersecurity regulations, such as the Cybersecurity Requirements for Financial Services Companies issued by the New York State Department of Financial Services and the Cyber Security Resource Guide for Financial Institutions issued November 2022 by the Federal Financial Institutions Examination Council replacing the 2018 Cyber Security Resource Guide. Cybersecurity regulations and guidance are applicable to large bank holding companies and their subsidiaries, as well as to service providers to those organizations. Any new rules and regulations implemented by the CFPB, state or other authorities or in connection with the Dodd-Frank Act could, among other things, slow our ability to adapt to a rapidly changing industry, require us to make significant additional investments to comply with them, redirect time and resources to compliance obligations, modify our products or services or the manner in which they are provided, or limit or change the amount or types of revenue we are able to generate.

In particular, the Dodd-Frank Act regulates and limits debit card fees charged by certain card issuers and allows businesses and organizations to set minimum dollar amounts for the acceptance of credit cards. Specifically, under the commonly known “Durbin Amendment” to the Dodd-Frank Act, the interchange fees that certain issuers charge businesses and organizations for debit transactions are regulated by the Federal Reserve and must be “reasonable and proportional” to the cost incurred by the issuer in authorizing, clearing and settling the transactions. Rules released by the Federal Reserve in July 2011 to implement the Durbin Amendment mandate a cap on debit transaction interchange fees for card issuers with assets of $10 billion or greater. Effective October 1, 2012, debit card issuers are permitted a fraud-prevention adjustment. Since October 2011, a payment network may not prohibit a card issuer from contracting with any other payment network for the processing of electronic debit transactions involving the card issuer’s debit cards, and card issuers and payment networks may not inhibit the ability of businesses and organizations to direct the routing of debit card transactions over any payment networks that can process the transactions.

Rules implementing the Dodd-Frank Act also contain certain prohibitions on payment network exclusivity and merchant routing restrictions. These restrictions could negatively affect the number of debit transactions processed, and prices charged per transaction, which would negatively affect our business.

If we violate the Family Educational Rights and Privacy Act ("FERPA") or Protection of Pupil Rights Amendment ("PPRA"), it could result in a material breach of contract with one or more of our customers in our Education sub-vertical and could harm our reputation. Further, if we disclose student information in violation of FERPA or PPRA, our access to student information could be suspended.

Our systems and solutions must also comply, in certain circumstances, with FERPA and PPRA, as well as with rapidly emerging state student data privacy laws that require schools to protect student data and to adopt privacy policies which can significantly vary from one state to another. FERPA generally prohibits an educational institution from disclosing personally identifiable information from a student’s education records without a parent’s consent unless certain statutory exceptions apply. Our school customers and their students disclose to us, and we may store, certain information that originates from or comprises a student education record under FERPA. PPRA puts limits on “survey, analysis or evaluations” that may come into play when schools employ internet-based educational services. Schools are required to develop policies that address, among other things, the collection, disclosure or use of personal information collected from students for the purpose of marketing or selling that information, and can place restrictions on third parties’ use of that data. As an entity that provides services to educational institutions, we are indirectly subject to FERPA’s and PPRA’s privacy requirements, and we may not transfer or otherwise disclose or use any personally identifiable information from a student record to another party other than on a basis and in a manner permitted under the statutes. If we violate FERPA or PPRA, it could result in a material breach of contract with one or more of our customers and could reduce our revenues or harm our reputation. Further, if we disclose student information in violation of FERPA or PPRA, our access to student information could be suspended, thus inhibiting our business operations.

Actual or perceived failures to comply with applicable privacy and security laws and regulations could result in a material breach of contract with one or more of our customers in our Healthcare vertical, harm our reputation and subject us to substantial civil and criminal penalties under laws such as HIPAA and state privacy and security laws.

The data protection landscape is rapidly evolving, and we are or may become subject to numerous federal and state laws and regulations governing the collection, use, disclosure, retention, and security of health-related and other personal information. The cost of compliance with the laws and regulations is high and is likely to increase in the future. Any failure or perceived failure by us to comply with applicable data privacy and security laws or regulations, our internal policies and procedures or our contracts governing our processing of personal information could result in negative publicity, government investigations and enforcement actions, claims by third parties and damage to our reputation, any of which could have an adverse effect on our operations, financial performance and business.

For example, the HIPAA privacy and security regulations extensively regulate the use and disclosure of PHI and require business associates such as our company to implement administrative, physical and technical safeguards to protect the security of such information. In the event OCR finds that we have failed to comply with applicable HIPAA privacy and security standards, we could face civil and criminal penalties. OCR has become an increasingly active regulator and has signaled its intention to continue this trend. OCR has the discretion to impose penalties without being required to attempt to resolve violations through informal means. Further, OCR may require companies to enter into resolution agreements and corrective action plans that impose ongoing compliance requirements. OCR enforcement activity can result in financial liability and reputational harm, and responses to such enforcement activity can consume significant internal resources. In addition to enforcement by OCR, state attorneys general are authorized to bring civil actions under either HIPAA or similar state laws, seeking either injunctions or damages in response to violations that threaten the privacy of state residents. Although we have implemented and maintain policies, processes and a compliance program infrastructure to assist us in complying with these laws and regulations and our contractual obligations, we cannot provide assurance regarding how these laws and regulations will be interpreted, enforced or applied to our Healthcare vertical operations.

If we violate the federal Anti-Kickback Statue, Civil Monetary Penalties Law, the False Claims Act, the Cures Act or other federal or state laws and regulations applicable to healthcare services, it could result in a material breach of contract with one or more of our customers in our Healthcare vertical, harm our reputation and subject us to substantial civil and criminal penalties.

We strive to comply with healthcare laws, regulations and other requirements applicable to us directly and to our customers and contractors, but there can be no assurance that our operations will not be challenged or impacted by enforcement initiatives. We have been, and in the future may become, involved in governmental investigations, audits, reviews and assessments. Even an unsuccessful challenge by regulatory and other authorities or private whistleblowers could be expensive and time-consuming, could result in loss of business, exposure to adverse publicity and injury to our reputation and could adversely affect our ability to retain and attract customers.

Healthcare laws, regulations and other requirements impacting our Healthcare vertical operations include the following:

Anti-Kickback Laws. A number of federal and state laws govern patient referrals, financial relationships with physicians and other referral sources and inducements to providers and patients, including restrictions contained in amendments to the Social Security Act, commonly known as the federal Anti-Kickback Statue ("AKS"). Activities that comply with a safe harbor are deemed protected from prosecution under the AKS. Certain of our contracts and other arrangements may not meet an exception or a safe harbor. Failure to qualify for safe harbor protection does not mean the arrangement necessarily violates the AKS, but it may subject the arrangement to greater government scrutiny. We cannot provide assurance that practices outside of a safe harbor will not be found to violate the AKS.

The OIG has a longstanding concern that percentage-based billing arrangements may increase the risk of improper billing practices. The OIG recommends that medical billing companies develop and implement comprehensive compliance programs to mitigate this risk. In addition, certain states have adopted laws or regulations forbidding splitting of fees with non-physicians, which may be interpreted to prevent business service providers, including medical billing providers, from using a percentage-based billing arrangement. While we have developed and implemented a comprehensive billing compliance program that we believe is consistent with federal guidance, our failure to ensure compliance with controlling legal requirements, accurately anticipate the application of these laws and regulations to our business and contracting model, or comply with regulatory requirements, could create liability for us, result in adverse publicity and negatively affect our business.

Violation of the AKS is a felony, and penalties may include imprisonment, criminal fines and substantial civil monetary penalties. In addition, submission of a claim for items or services generated in violation of the AKS may be subject to additional penalties under the federal False Claims Act ("FCA") as a false or fraudulent claim.

False or Fraudulent Claim Laws; Medical Billing and Coding. Medical billing, coding and collection activities are governed by numerous federal and state civil and criminal laws, regulations and sub-regulatory guidance. Our Healthcare vertical may be subject to, or contractually required to comply with, numerous federal and state laws that prohibit false or fraudulent claims including but not limited to the federal FCA, the CMP Law and state equivalents. For example, errors or the unintended consequences of data manipulations by us or our systems with respect to the entry, formatting, preparation or transmission of claims, coding, audit, eligibility and other information, may result in allegations of false or fraudulent claims.

False or fraudulent claims under the FCA and other laws include, but are not limited to, billing for services not rendered, making or causing to be made or used a false record or statement that is material to a false claim, failing to report and refund known overpayments within 60 days of identifying the overpayment, misrepresenting actual services rendered, improper coding and billing for medically unnecessary items or services. Submission of a claim for an item or service generated in violation of the AKS constitutes a false or fraudulent claim. In addition, the FCA prohibits the knowing submission of false claims or statements to the federal government, including to Medicare and Medicaid programs. Although simple negligence will not give rise to liability under the FCA, "knowingly" submitting a false claim may result in liability. When an entity is determined to have violated the FCA,

the government may impose substantial civil fines and penalties for each false claim, plus treble damages, and exclude the entity from participation in federal healthcare programs. Private parties are able to bring qui tam, or whistleblower, lawsuits on behalf of the government in connection with alleged false claims submitted to the government, and these private parties are entitled to share in any amounts recovered by the government. Several states, including states in which we operate, have adopted their own false claims provisions and their own whistleblower provisions whereby a private individual may file a civil lawsuit in state court.

Some fraud and abuse laws, such as the CMP Law, require a lower burden of proof than other fraud, waste and abuse laws. Federal and state authorities increasingly assert liability under the CMP Law, especially where they believe they cannot meet the higher burden of proof requirements under the various criminal healthcare fraud provisions. Current penalties under the CMP Law are significant and may result in penalties of up to three times the amount claimed or received. Civil monetary penalties, including those imposed under the AKS, FCA, and CMP Law are updated annually based on changes to the consumer price index.

Although we believe our processes are consistent with applicable reimbursement rules and industry practice, a court, government authority or whistleblower could challenge these processes. In addition, we cannot guarantee that federal and state authorities will regard any billing and coding errors we process or make as inadvertent or will not hold us responsible for any compliance issues related to claims, reports and other information we handle on behalf of our customers. We cannot predict the impact of any enforcement actions under the various false claims and fraud, waste and abuse laws applicable to our operations. Even an unsuccessful challenge of our practices could cause us to incur adverse publicity and significant legal and related costs.

The laws and regulations in this area are both broad and vague and judicial interpretation can be inconsistent. We review our practices with regulatory experts in an effort to comply with all applicable laws and regulatory requirements. However, we are unable to predict how laws and regulations will be interpreted or the full extent of their application, particularly to services that are not directly billed to or reimbursed by federal healthcare programs, such as transaction processing services. Any of these could result in a material adverse impact on our business, results of operations or financial condition. Even an unsuccessful challenge of our activities could result in adverse publicity and could require a costly response.

Standards regarding electronic exchange of information and interoperability are subject to regular revision and updates, and we are required to modify and enhance products and services accordingly. Civil monetary penalties for information blocking by HIT developers are substantial, up to $1 million per violation. The HIT Standards and Certification Criteria Final Rule imposes new criteria related to EHI export and standardized APIs for patient services, and HIT developers of certified HIT need to ensure that their products and services meet the requisite technical standards by the relevant deadlines and continue to evolve as developers and other stakeholders release revised versions of these standards. Additionally, HIT developers that participate in the ONC Health IT Certification Program, like us, must make various certifications regarding their HIT and attest to compliance with applicable conditions of certification, including those related to information blocking.

These rules apply to certain services we offer, and customers may insist that we develop additional solutions that comply with these various interoperability requirements, which could subject us to additional costs. We currently have and likely will continue to have certain solutions certified by ONC, which could further increase development costs and delay customer sales and implementations. We also may incur costs in periods prior to the corresponding recognition of revenue. To the extent current regulations are subsequently changed or

supplemented, or for other reasons beyond our control, customers may postpone or cancel their decisions to purchase or implement such solutions.

Exclusion from participation in government healthcare programs. The OIG may or must exclude individuals and entities involved in misconduct related to federal healthcare programs, such as Medicare and Medicaid, from participation in those programs. Federal law prohibits federal healthcare programs from paying for items or services furnished, ordered, or prescribed by an individual or entity excluded from participation. The prohibition against federal program payment extends to payment for administrative and management services not directly related to patient care. Civil penalties may be imposed against providers and entities that employ or enter into contracts with excluded individuals to provide items or services to federal healthcare program beneficiaries. We have implemented compliance policies and procedures to screen for excluded individuals. However, if we employ or contract with an excluded individual or entity, we could face significant consequences such as exclusion from participation in federal healthcare programs, civil monetary penalties, and treble damages. In addition, we could be liable under our customer contracts, if we are excluded by the OIG or employ or contract with an excluded individual or entity.

Recent and future developments in the healthcare industry, particularly those related to HIT, could have a material adverse impact on our business, results of operations or financial condition.

A material portion of our revenue is derived from the healthcare industry, which is highly regulated and subject to changing political, legislative, regulatory and other influences.

There are numerous federal, state and private initiatives seeking to increase the use of HIT as a means of improving care and reducing costs. For example, HITECH and the Cures Act promote the use of EHR technology, interoperability and the efficient exchange of EHI. These statutes are implemented mainly through HIPAA, CMS’s Promoting Interoperability Program, and ONC’s Information Blocking Rule and HIT Standards and Certification Criteria Final Rule.

These and other initiatives may result in additional legal or regulatory requirements, the cost of compliance with which may be significant; encourage more companies to enter our markets, provide advantages to our competitors; and/or result in the development of competitive technology solutions. Any such initiatives also may result in a reduction of expenditures by existing or potential customers, which could have a material adverse impact on our business, results of operations or financial condition.

In addition, other general reductions in expenditures by healthcare industry constituents could result from, among other things, government regulation or private initiatives that affect the manner in which providers interact with patients, payers or other healthcare industry constituents, including changes in pricing or means of delivery of healthcare solutions. In addition, cost containment efforts at the federal and state levels may affect industry expenditures. For example, the Budget Control Act of 2011 requires automatic spending reductions to reduce the federal deficit. CMS began imposing a 2% reduction on payments of Medicare claims in 2013. These reductions have been extended through the first six months of 2032. In addition, the American Rescue Plan Act of 2021 increased the federal budget deficit in a manner that triggered an additional statutorily mandated sequestration. As a result, an additional payment reduction of up to 4% was required to take effect in January 2022. However, Congress has delayed implementation of this payment reduction until 2025. We anticipate that the federal deficit will continue to place pressure on government healthcare programs.

Even if general expenditures by healthcare industry constituents remain the same or increase, other developments in the healthcare industry may reduce spending on healthcare IT and services or in some or all of the specific markets we serve or are planning to serve. In addition, our customers’ expectations regarding pending or potential healthcare industry developments also may affect their budgeting processes and spending plans with respect to the types of solutions we provide. For example, use of our solutions could be affected by:

•changes in the billing patterns of providers;

•the design of health insurance plans; and

•the contracting methods payers use in their relationships with providers.

The healthcare industry has changed significantly in recent years, and we expect that significant changes will continue to occur. The timing and impact of developments in the healthcare industry are difficult to predict. We cannot be sure that the markets for our solutions will continue to exist at their current levels or will not change in ways that adversely affect us, or that we will have adequate technical, financial and marketing resources to react to changes in those markets.

We may be a party to regulatory and other proceedings that could result in unexpected adverse outcomes.

From time to time, we have been, are and may in the future be, a party to legal and regulatory proceedings, including investigations, audits, and other reviews. There are an increasing number of investigations and proceedings in the healthcare industry that seek recovery under HIPAA, AKS, the FCA, the CMP, state laws and other statutes and regulations applicable to our business as described in more detail above. Such proceedings can result in verdicts, injunctive relief or other sanctions that may affect how we operate our business and/or have an adverse effect on our financial condition. Assessing and predicting the outcome of these matters involves substantial uncertainties. Unexpected outcomes in these legal proceedings, or changes in management’s evaluations or predictions and accompanying changes in established reserves, could have a material adverse impact on our business, results of operations or financial condition. Litigation is costly, time-consuming and disruptive to normal business operations. In addition, the defense of these matters could result in continued diversion of our management’s time and attention away from business operations, which could also harm our business. Even if these matters are resolved in our favor, the uncertainty and expense associated with unresolved legal proceedings could harm our business and reputation.

We must comply with laws and regulations prohibiting unfair or deceptive acts or practices, and any failure to do so could materially and adversely affect our business.

These rules may subject us, as the electronic payment processor or provider of certain services, to investigations, fees, fines and disgorgement of funds if we are deemed to have improperly aided and abetted or otherwise provided the means and instrumentalities to facilitate the illegal or improper activities of the customer through our services. Various federal and state regulatory enforcement agencies including the Federal Trade Commission and state attorneys general have authority to take action against non-banks that engage in UDAAP, or violate other laws, rules and regulations. To the extent we are processing payments or providing products and services for a customer that may be in violation of laws, rules and regulations, we may be subject to enforcement actions and as a result may incur losses and liabilities that may adversely affect our business.

We could be adversely affected by violations of the FCPA and similar anti-bribery laws of other countries in which we provide services or have employees.

Because of our international operations we could be adversely affected by violations of the US Foreign Corrupt Practices Act (the “FCPA”) and similar anti-bribery laws of other countries in which we provide services or have employees. The FCPA and similar anti-bribery laws generally prohibit companies and their intermediaries from making improper payments to government officials or other third parties for the purpose of obtaining or retaining business or gaining any business advantage. While our policies mandate compliance with these anti-bribery laws, we cannot provide assurance that our internal control policies and procedures always protect us from reckless or criminal acts committed by our employees, contractors or agents.

Numerous other federal laws affect our business, and any failure to comply with those laws could harm our business.

Our payment facilitator solutions present certain regulatory challenges, principally those relating to money transmitter issues. There can be no assurance that these structural arrangements will remain effective as money transmitter laws continue to evolve or that the applicable regulatory bodies, particularly state agencies, will view our payment facilitator activities as compliant.

We could be liable if our practices under the FCRA do not comply with the FCRA or regulations under it.

The Housing Assistance Tax Act of 2008 included an amendment to the Internal Revenue Code of 1986, as amended (the “Code”), that requires information returns to be made for each calendar year by payment processing entities and third-party settlement organizations with respect to payments made in settlement of electronic payment transactions and third-party payment network transactions occurring in that calendar year. Reportable transactions are also subject to backup withholding requirements. We could be liable for penalties if our information returns are not in compliance with these regulations.

Depending on how our products and services evolve, we may be subject to a variety of additional laws and regulations, including those governing money transmission, gift cards and other prepaid access instruments, electronic funds transfers, anti-money laundering, counter-terrorist financing, restrictions on foreign assets, banking and lending, U.S. Safe Harbor regulations, and import and export restrictions. Additionally, we are contractually required to comply with certain anti-money laundering regulations in connection with our payment processing activities. These regulations are generally governed by the Financial Crimes Enforcement Network ("FinCEN") and the Office of Foreign Assets Control ("OFAC"). Our efforts to comply with these laws and regulations could be costly and result in diversion of management time and effort and may still not guarantee compliance. Regulators continue to increase their scrutiny of compliance with these obligations, which may require us to further revise or expand our compliance program, including the procedures we use to verify the identity of our customers, and to monitor transactions. If we are found to be in violation of any such legal or regulatory requirements, we may be subject to monetary fines or other penalties such as a cease and desist order, or we may be required to make product changes, any of which could have an adverse effect on our business and financial results.

Changes in tax laws or their interpretations, or becoming subject to additional U.S., state or local taxes that cannot be passed through to our customers, could negatively affect our business, financial condition and results of operations.

We are subject to extensive tax liabilities, including federal and state and transactional taxes such as excise, sales/use, payroll, franchise, withholding, and ad valorem taxes. Changes in tax laws or their interpretations could increase our tax burden and decrease the amount of revenues we receive, the value of any tax loss carryforwards and tax credits recorded on our balance sheet and the amount of our cash flow, and have a material adverse impact on our business, financial condition and results of operations. Some of our tax liabilities are subject to periodic audits by the respective taxing authority which could increase our tax liabilities. Furthermore, companies in the payment processing industry, including us, may become subject to incremental taxation in various tax jurisdictions. Taxing jurisdictions have not yet adopted uniform positions on this topic. If we are required to pay additional taxes and are unable to pass the tax expense through to our customers, our costs would increase and our net income would be reduced, which could have a material adverse effect on our business, financial condition and results of operations.

Changing laws and governmental rules and regulations designed to protect or limit access to or use of personal information could adversely affect our ability to effectively provide our products and services, and actual or perceived failure to comply with such legal and regulatory obligations may negatively impact our business, financial condition and results of operations.

Our operations are subject to certain provisions of these laws. The U.S. Children’s Online Privacy Protection Act also regulates the collection of information by operators of websites and other electronic solutions that are directed to children under 13 years of age. These laws and regulations restrict the collection, processing, storage, use and disclosure of personal information, require notice to individuals of privacy practices and provide individuals with certain rights to prevent the use and disclosure of protected information. They also impose requirements for safeguarding and proper destruction of personal information through the issuance of data security standards or guidelines. In addition, there are state laws and regulations restricting the ability to collect and utilize certain types of information such as Social Security and driver’s license numbers. Certain states impose similar privacy obligations as well as obligations to provide notification of security breaches of computer databases that contain personal information to affected individuals, state officers and consumer reporting agencies and businesses and governmental agencies that own data.

These contracts may require periodic audits by independent companies regarding our compliance with applicable standards. Our ability to maintain compliance with these standards and satisfy these audits will affect our ability to attract, grow and maintain business in the future. If we fail to comply with the laws and regulations relating to data privacy and information security, we could be exposed to legal claims and actions or to regulatory enforcement proceedings.

Legal requirements relating to the collection, storage, handling and transfer of personal data continue to evolve at both the federal and state level. For example, the CFPB finalized a rule which goes into effect January 17, 2025, that requires certain data providers to make covered data regarding covered financial products and services available to consumers and authorized third parties in an electronic form, subject to a number of requirements.

Many states have introduced or passed comprehensive consumer privacy laws, including California, Colorado, Connecticut, Delaware, Florida, Indiana, Iowa, Kentucky, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Rhode Island, Tennessee, Texas, Utah and Virginia, that may impose varying standards and requirements on our data collection use and processing activities. These laws require companies (regardless of their location) that process personal information of residents of those states make certain disclosures to consumers about data practices, grant consumers specific rights to their data, and allow consumers to opt out of certain data sharing activities. Additionally, the Federal Trade Commission and many state attorneys general are interpreting federal and state consumer protection laws to impose standards for the online collection, use, dissemination and security of data.

Government regulators, industry groups and class action attorneys are increasingly scrutinizing how companies collect, process, use, store, share and transmit personal data. Regulators and courts may expand interpretations of existing laws, thereby further impacting our business. If more restrictive privacy laws or rules and/or inconsistent legal requirements are adopted by authorities in the future on the federal or state level, or regulators' enforcement priorities shift, our compliance costs may increase and our ability to perform due diligence on, and monitor the risk of, our current and potential customers may decrease, which could create liability for us. Many consumer privacy laws provide for civil penalties for violations, and the CCPA and CPRA provide for a private right of action for data breaches that may increase data breach litigation. We may also be exposed to litigation, regulatory fines, penalties or other sanctions if the personal, confidential or proprietary information of our customers is mishandled or misused by any of our suppliers, counterparties or other third parties, or if such third-parties do not have appropriate controls in place to protect such personal, confidential or proprietary information. Further, many foreign data privacy regulations (including India’s Digital Personal Data Protection Act) can be more stringent than those in the United States. These laws and regulations are rapidly evolving and changing and could have an adverse effect on our operations. Our obligations and requirements under these laws and regulations are subject to uncertainty in how they may be interpreted by government authorities and regulators. The costs of compliance with, and the other burdens imposed by, these and other laws or regulatory actions may increase our operational costs, affect our customers’ willingness to permit us to use and store personal data, prevent us from selling our products or services, and/or affect our ability to invest in or jointly develop products. Failure to comply with these laws may result in governmental enforcement actions, private claims, including class action lawsuits, and damage to our reputation. We may also face audits or investigations by one or more domestic or foreign government agencies relating to our compliance with these regulations.

Additionally, if we suffer a data breach, other privacy or cybersecurity regulatory compliance failures or are subject to fines, sanctions or proceedings as a result of actual or perceived compliance failures, or any similar event causing reputational harm, our opportunities for growth may be curtailed, and our potential liability for security breaches may increase, all of which could have a material adverse effect on our business, financial condition and results of operations.

These laws and regulations may change rapidly, and it is frequently unclear how they apply to our business. Any failure of our products or services to comply with these laws and regulations could result in substantial civil or criminal liability and could, among other things, adversely affect demand for our services, invalidate all or portions of some of our contracts with our customers and financial institution partners, or require us to change or terminate some portions of our business. Further, reform efforts or changing healthcare regulatory requirements may also render our products or services obsolete or may block us from fully realizing or accomplishing our work or from developing new products or services. This may in turn impose additional costs upon us to adapt to the new operating environment or to further develop or modify our products and services. Such healthcare reforms may also make introduction of new products and service costlier or more time-consuming than we currently anticipate. These changes may also prevent our introduction of new products and services or make the continuation or maintenance of our existing products and services unprofitable or impossible.

We no longer qualify as an emerging growth company ("EGC") as defined in the Jumpstart Our Business Startups Act (the "JOBS Act"). As such, we are subject to certain disclosure and compliance requirements that apply to other public companies but did not previously apply to us due to our status as an EGC. These requirements include, but are not limited to:

•the requirement that our independent registered public accounting firm attest to the effectiveness of our internal control over financial reporting under Section 404(b) of the Sarbanes-Oxley Act of 2002;

•compliance with any requirement that may be adopted by the PCAOB regarding mandatory audit firm rotation or a supplement to the auditor's report providing additional information about the audit and the financial statements, including critical audit matters;

•the requirement that we provide full and more detailed disclosures regarding executive compensation; and

•the requirement that we hold a non-binding advisory vote on executive compensation and obtain stockholder approval of any golden parachute payments not previously approved.

If we are not effective in addressing ESG matters affecting our business our reputation may suffer. Moreover, we may experience increased costs in order to develop and execute upon any such ESG strategies, which could have an adverse impact on our business and financial condition.

In addition, this emphasis on ESG matters has resulted and may result in the adoption of new laws and regulations, including new reporting requirements. If we fail to comply with new laws, regulations or reporting requirements, our reputation and business could be adversely impacted.

Risks Related to Our Indebtedness

Our indebtedness could adversely affect our financial health and competitive position.

A., as administrative agent (“JPMorgan”). The 2023 Senior Secured Credit Facility replaces the Prior Senior Secured Credit Facility (as defined below). The 2023 Senior Secured Credit Facility provides for aggregate commitments of $450 million in the form of a senior secured revolving credit facility (the “Revolver”). Borrowings under the Revolver will be made, at the Borrower’s option, at the Adjusted Term SOFR rate or the base rate, plus, in each case, an applicable margin. The Adjusted Term SOFR rate will be the rate of interest per annum equal to the Term SOFR rate (based upon an interest period of one, three or six months), plus 0.10%, plus an applicable margin of 2.00% to 3.00% (2.00% at September 30, 2024). The Adjusted Term SOFR rate shall not be less than 0% in any event. The base rate is a fluctuating rate of interest per annum equal to the highest of (a) the greater of the federal funds rate or the overnight bank funding rate, plus ½ of 1%, (b) Wall Street Journal prime rate and (c) the Adjusted Term SOFR rate for an interest period of one month, plus 1%, plus an applicable margin of 1.00% to 2.00% (2.00% at September 30, 2024). The base rate shall not be less than 1% in any event. Although we may enter into interest rate swap agreements in the future, we and our subsidiaries are exposed to interest rate increases on the floating portion of our 2023 Senior Secured Credit Facility that are not covered by interest rate swaps, to the extent we have indebtedness outstanding. For additional information about our 2023 Senior Secured Credit Facility, see “Management’s Discussion and Analysis of Financial Condition and Results of Operations — Liquidity and Capital Resources” in Part II, Item 7 of this Annual Report on Form 10-K, and “Quantitative and Qualitative Disclosure About Market Risk” in Part II, Item 7A of this Annual Report on Form 10-K.

On February 18, 2020, i3 Verticals, LLC issued $138.0 million aggregate principal amount of its Exchangeable Notes. As of September 30, 2024, $26.2 million of the original aggregate principal amount of $138.0 million was outstanding.

To service our debt and any additional debt we may incur in the future, we need to generate cash. Our ability to generate cash is subject, to a certain extent, to our ability to successfully execute our business strategy, including acquisition activity, as well as general economic, financial, competitive, regulatory and other factors beyond our control. Although we currently expect that our cash flow from operations, current cash and cash equivalents and available borrowing capacity under the 2023 Senior Secured Credit Facility will be sufficient to fund our operations and planned expenditures and to service our debt obligations for at least the next twelve months, there can be no assurance that our business will be able to generate sufficient cash flow from operations or that future borrowings or other financing will be available to us in an amount sufficient to enable us to service our debt and fund our other liquidity needs. To the extent we are required to use our cash flow from operations or the proceeds of any future financing to service our debt instead of funding working capital, capital expenditures, acquisition activity or other general corporate purposes, we will be less able to plan for, or react to, changes in our business, industry and in the economy generally. This will place us at a competitive disadvantage compared to our competitors that have less debt. There can be no assurance that we will be able to refinance any of our debt on commercially reasonable terms or at all, or that the terms of that debt will allow any of the above alternative measures or that these measures would satisfy our scheduled debt service obligations. If we are unable to generate sufficient cash flow to repay or refinance our debt on favorable terms, it could significantly adversely affect our financial condition and the value of our outstanding debt. Our ability to restructure or refinance our debt will depend on the condition of the capital markets and our financial condition. Any refinancing of our debt could be at higher interest rates and may require us to comply with more onerous covenants, which could further restrict our business operations.

In addition, the 2023 Senior Secured Credit Facility contains, and any agreements evidencing or governing other future debt may contain, certain restrictive covenants that limit our ability, among other things, to engage in certain activities that are in our long-term best interests, including our ability to:

•incur liens on property, assets or revenues;

•incur or assume additional debt or amend our debt and other material agreements;

•declare or make distributions and redeem or repurchase equity interests, including making repurchases of Class A common stock pursuant to our share repurchase program, or issue preferred stock;

•prepay, redeem or repurchase debt;

•make investments;

•enter into any sale-and-leaseback of property;

•engage in certain business activities; and

•engage in mergers and asset sales.

The restrictive covenants in our 2023 Senior Secured Credit Facility also require us to maintain specified financial ratios. While we have not previously breached and are not in breach of any of these covenants, there can be no guarantee that we will not breach these covenants in the future. Our ability to comply with these covenants and restrictions may be affected by events and factors beyond our control. Our failure to comply with any of these covenants or restrictions could result in an event of default under our 2023 Senior Secured Credit Facility. An event of default would permit the lending banks under the facility to take certain actions, including terminating all outstanding commitments and declaring all amounts outstanding under our 2023 Senior Secured Credit Facility to be immediately due and payable, including all outstanding borrowings, accrued and unpaid interest thereon, and all other amounts owing or payable with respect to such borrowings and any terminated commitments. In addition, the lenders would have the right to proceed against the collateral we granted to them, which includes substantially all of our assets.

We may not be able to secure additional financing on favorable terms, or at all, to meet our future capital needs.

In the future, we may require additional capital to respond to business opportunities, challenges, acquisitions or unforeseen circumstances, and may determine to engage in equity or debt financings or enter into credit facilities or refinance existing debt for other reasons. We may not be able to timely secure additional debt or equity financing on favorable terms, or at all. As discussed above, the 2023 Senior Secured Credit Facility contains restrictive covenants that limit our ability to incur additional debt and engage in other capital-raising activities. Any debt financing we obtain in the future could involve covenants that further restrict our capital raising

activities and other financial and operational matters, which may make it more difficult for us to operate our business, obtain additional capital and pursue business opportunities, including potential acquisitions. Furthermore, if we raise additional funds by issuing equity or convertible debt or other equity-linked securities, our then-existing stockholders could suffer significant dilution. If we are unable to obtain adequate financing or financing on terms satisfactory to us, when we require it, our ability to continue to grow or support our business and to respond to business challenges could be significantly limited.

We may not have the ability to raise the funds necessary to settle exchanges of the Exchangeable Notes or to repurchase the Exchangeable Notes upon a fundamental change.

Holders of our Exchangeable Notes have the right to require us to repurchase their Exchangeable Notes upon the occurrence of a fundamental change at a repurchase price equal to 100% of the principal amount of the Exchangeable Notes to be repurchased, plus accrued and unpaid interest, if any, to, but not including, the fundamental change repurchase date. In addition, unless we elect to deliver solely shares of Class A common stock to settle an exchange of the Exchangeable Notes, we will be required to make cash payments in respect of such Exchangeable Notes being exchanged. However, we may not have enough available cash or be able to obtain financing at the time we are required to make purchases of Exchangeable Notes surrendered therefor or Exchangeable Notes being exchanged. In addition, our ability to repurchase the Exchangeable Notes or to pay cash upon exchanges of the Exchangeable Notes is limited by the agreements governing our existing indebtedness (including the 2023 Senior Secured Credit Facility) and may also be limited by law, by regulatory authority or by agreements that will govern our future indebtedness. Our failure to repurchase Exchangeable Notes at a time when the repurchase is required by the indenture that governs the Exchangeable Notes or to pay cash payable on future exchanges of the Exchangeable Notes if and/or as required by the Indenture would constitute a default under the Indenture. A default under the Indenture or the fundamental change itself could also lead to a default under the agreements governing our other indebtedness (including the 2023 Senior Secured Credit Facility) and agreements governing our future indebtedness. If the repayment of the related indebtedness were to be accelerated after any applicable notice or grace periods, we may not have sufficient funds to repay the indebtedness and repurchase the Exchangeable Notes or make cash payments upon exchanges thereof.

Risks Related to Our Organizational Structure and Our Company

We are a holding company with no operations of our own, and our principal asset is our controlling membership interest in i3 Verticals, LLC. Accordingly, we depend on distributions from i3 Verticals, LLC to pay our taxes and other expenses.

We are a holding company with no operations of our own and currently have no significant assets other than our ownership of common units of i3 Verticals, LLC. We currently have no independent means of generating revenue. Consequently, our ability to obtain operating funds depends upon distributions from i3 Verticals, LLC. Furthermore, i3 Verticals, LLC is treated as a partnership for U.S. federal income tax purposes and, as such, is not itself subject to U.S. federal income tax. Instead, its net taxable income is generally allocated to its members, including us, pro rata according to the number of membership interests each member owns. Accordingly, we incur income taxes on our proportionate share of any net taxable income of i3 Verticals, LLC in addition to expenses related to our operations, and our ability to obtain funds to pay these income taxes currently depends upon distributions from i3 Verticals, LLC., i3 Verticals, LLC and each of the holders, other than i3 Verticals, Inc., of common units in i3 Verticals, LLC (the “Continuing Equity Owners”).

To the extent that we need funds to pay our taxes or other liabilities or to fund our operations, and i3 Verticals, LLC is restricted from making distributions to us under applicable agreements under which it is bound, including its financing agreements, laws or regulations, does not have sufficient cash to make these distributions or is otherwise unable to provide such funds, we may have to borrow funds to meet these obligations and operate our business, and our liquidity and financial condition could be materially adversely affected. To the extent that we are unable to make payments under the Tax Receivable Agreement for any reason, such payments will be deferred and will accrue interest until paid.

The interests of the other Continuing Equity Owners in our business may conflict with the interests of holders of shares of our Class A common stock.

The Continuing Equity Owners, who collectively hold approximately 31% of the combined voting power of our common stock as of November 22, 2024, may receive payments from us under the Tax Receivable Agreement upon a redemption or exchange of their common units in i3 Verticals, LLC, including the issuance of shares of our Class A common stock upon any such redemption or exchange. As a result, the interests of the Continuing Equity Owners may conflict with the interests of holders of shares of our Class A common stock.

Our organizational structure, including the Tax Receivable Agreement, confers certain benefits upon the Continuing Equity Owners that will not benefit the holders of our Class A common stock to the same extent as it will benefit the Continuing Equity Owners. Under the Tax Receivable Agreement, we are entitled to retain (a) 15% of the U.S. federal and state income tax savings we realize as a result of increases in tax basis created by any future redemptions or exchanges of common units held by our equity holders that are parties to the Tax Receivable Agreement for shares of our Class A common stock or cash for the tax years following a redemption or exchange covered by the Tax Receivable Agreement, and (b) all of the U.S. federal and state income tax savings we realize from such redemptions or exchanges for tax periods ending after those covered by the Tax Receivable Agreement. Our ability to realize, and benefit from, these tax savings depends on several assumptions, including that we will earn sufficient taxable income each year during the period over which the deductions arising from any such basis increases and payments are available and that there are no adverse changes in applicable law or regulations. If our actual taxable income were insufficient or there were adverse changes in applicable law or regulations, we may be unable to realize all or a portion of these expected benefits, and our cash flows and stockholders’ equity could be negatively affected.

In certain cases, payments under the Tax Receivable Agreement to the Continuing Equity Owners may be accelerated or significantly exceed the actual benefits we realize in respect of the tax attributes subject to the Tax Receivable Agreement.

The Tax Receivable Agreement provides that upon certain mergers, asset sales, other forms of business combinations or other changes of control or if, at any time, we elect an early termination of the Tax Receivable Agreement, then our obligations, or our successor’s obligations, under the Tax Receivable Agreement to make payments thereunder would be based on certain assumptions, including an assumption that we would have sufficient taxable income to fully use all potential future tax benefits that are subject to the Tax Receivable Agreement.

As a result of the foregoing, (a) we could be required to make payments under the Tax Receivable Agreement that are greater than the specified percentage of the actual benefits we ultimately realize in respect of the tax benefits that are subject to the Tax Receivable Agreement and (b) if we elect to terminate the Tax Receivable Agreement early, we would be required to make an immediate cash payment equal to the present value of the anticipated future tax benefits that are the subject of the Tax Receivable Agreement, which payment may be made significantly in advance of the actual realization, if any, of such future tax benefits. In these situations, our obligations under the Tax Receivable Agreement could have a substantial negative impact on our liquidity and could have the effect of delaying, deferring or preventing certain mergers, asset sales, other forms of business

combinations or other changes of control. There can be no assurance that we will be able to fund or finance our obligations under the Tax Receivable Agreement.

In certain circumstances, i3 Verticals, LLC will be required to make distributions to us and the Continuing Equity Owners, and the distributions that i3 Verticals, LLC will be required to make may be substantial.

Funds used by i3 Verticals, LLC to satisfy its tax distribution obligations may not be available for reinvestment in our business. In particular, in connection with the taxable income associated with the gain on the sale in September 2024 of our Merchant Services Business that is anticipated to be recognized for 2024 federal income tax purposes by the members of i3 Verticals, LLC, a pass-through entity in which the Company held a 70.4% ownership interest as of September 30, 2024, we expect that i3 Verticals, LLC will be required under the terms of its limited liability company agreement to make a tax distribution in the first half of 2025 to the members of i3 Verticals, LLC, including i3 Verticals, Inc., the final amount of which tax distribution has not yet been determined.

Our Board of Directors will determine the appropriate uses for excess cash which is so held by the Company following tax distributions, which may include, among other uses, after giving effect to the payment of obligations under the Tax Receivable Agreement, the recontribution of such cash to i3 Verticals, LLC for use in our business in exchange for common units of i3 Verticals, LLC along with an associated recapitalization of all of the outstanding common units in i3 Verticals, LLC, and/or the payment of a cash dividend on our Class A common stock.

Our failure to maintain effective internal control over financial reporting in accordance with Section 404 of the Sarbanes-Oxley Act could have a significant and adverse effect on our business, financial condition, results of operations and reputation.

We are subject to a requirement, pursuant to Section 404 of the Sarbanes-Oxley Act of 2002 (the “Sarbanes-Oxley Act”), to conduct an annual review and evaluation of our internal control over financial reporting and furnish a report by management on, among other things, our assessment of the effectiveness of our internal control over financial reporting each fiscal year beginning with the year following our first annual report required to be filed with the SEC. Ensuring that we have adequate internal control over financial reporting in place so that we can produce accurate financial statements on a timely basis is a costly and time-consuming effort that must be evaluated frequently. Establishing and maintaining these internal controls is and will continue to be costly and may divert management’s attention.

When evaluating our internal control over financial reporting, we may identify material weaknesses that we may not be able to remediate in time to meet the applicable deadline imposed upon us for compliance with the requirements of Section 404 of the Sarbanes-Oxley Act. In addition, if we fail to achieve and maintain the adequacy of our internal control over financial reporting, as such standards are modified, supplemented or amended from time to time, we may not be able to ensure that we can conclude, on an ongoing basis, that we have effective internal control over financial reporting in accordance with Section 404 of the Sarbanes-Oxley Act. We cannot be certain as to the timing of completion of our evaluation, testing and any remediation actions or the impact of the same on our operations. If we have not adequately implemented or complied with the requirements of Section 404 of the Sarbanes-Oxley Act, we may be subject to sanctions or investigation by regulatory authorities, such as the SEC, or suffer other adverse regulatory consequences, including penalties for violation of Nasdaq rules. As a result, there could be a negative reaction in the financial markets due to a loss of confidence in the reliability of our financial statements. A loss of confidence in the reliability of our financial statements also could occur if we or our independent registered public accounting firm were to report one or more material weaknesses in our internal control over financial reporting. In addition, we may be required to incur costs in improving our internal control system, including the costs of the hiring of additional personnel. Any such action

could negatively affect our business, financial condition, results of operations and cash flows and could also lead to a decline in the price of our Class A common stock.

Certain provisions of Delaware law and anti-takeover provisions in our organizational documents could delay or prevent a change of control.

Certain provisions of Delaware law and our amended and restated certificate of incorporation and amended and restated bylaws may have an anti-takeover effect and may delay, defer, or prevent a merger, acquisition, tender offer, takeover attempt, or other change of control transaction that a stockholder might consider in its best interest, including those attempts that might result in a premium over the market price for the shares held by our stockholders.

These provisions provide for, among other things:

•prohibiting the use of cumulative voting for the election of directors;

•advance notice for nominations of directors by stockholders and for stockholders to include matters to be considered at our annual meetings; and

•certain limitations on convening special stockholder meetings.

In addition, while we have opted out of Section 203 of the Delaware General Corporation Law, or the “DGCL,” our amended and restated certificate of incorporation contains similar provisions providing that we may not engage in certain “business combinations” with any “interested stockholder” for a three-year period following the time that the stockholder became an interested stockholder, unless:

•prior to such time, our board of directors (“Board of Directors”) approved either the business combination or the transaction that resulted in the stockholder becoming an interested stockholder;

•upon consummation of the transaction that resulted in the stockholder becoming an interested stockholder, the interested stockholder owned at least 85% of the votes of our voting stock outstanding at the time the transaction commenced, excluding certain shares; or

•at or subsequent to that time, the business combination is approved by our Board of Directors and by the affirmative vote of holders of at least 66 2/3% of the votes of our outstanding voting stock that is not owned by the interested stockholder.

Generally, a “business combination” includes a merger, asset or stock sale or other transaction resulting in a financial benefit to the interested stockholder. Subject to certain exceptions, an “interested stockholder” is a person who, together with that person’s affiliates and associates, owns, or within the previous three years owned, 15% or more of the votes of our outstanding voting stock. For purposes of this provision, “voting stock” means any class or series of stock entitled to vote generally in the election of directors.

Under certain circumstances, this provision will make it more difficult for a person who would be an “interested stockholder” to effect various business combinations with our company for a three-year period. This provision may encourage companies interested in acquiring our company to negotiate in advance with our Board of Directors because the stockholder approval requirement would be avoided if our Board of Directors approves either the business combination or the transaction that results in the stockholder becoming an interested stockholder. These provisions also may have the effect of preventing changes in our Board of Directors and may make it more difficult to accomplish transactions that stockholders may otherwise deem to be in their best interests.

These provisions in our amended and restated certificate of incorporation and amended and restated bylaws may discourage, delay or prevent a transaction involving a change in control of our company that is in the best interest of our minority stockholders. Even in the absence of a takeover attempt, the existence of these provisions may adversely affect the prevailing market price of our Class A common stock if they are viewed as discouraging future takeover attempts. These provisions could also make it more difficult for stockholders to nominate directors for election to our Board of Directors and take other corporate actions.

We may issue shares of preferred stock in the future, which could make it difficult for another company to acquire us or could otherwise adversely affect holders of our Class A common stock, which could depress the price of our Class A common stock.

Our amended and restated certificate of incorporation authorizes us to issue one or more series of preferred stock. Our Board of Directors has the authority to determine the preferences, limitations and relative rights of the shares of preferred stock and to fix the number of shares constituting any series and the designation of such series, without any further vote or action by our stockholders. Our preferred stock can be issued with voting, liquidation, dividend and other rights superior to the rights of our Class A common stock. The potential issuance of preferred stock may delay or prevent a change in control of us, discourage bids for our Class A common stock at a premium to the market price, and materially and adversely affect the market price and the voting and other rights of the holders of our Class A common stock.

Risks Related to Ownership of Our Class A Common Stock

The Continuing Equity Owners own common units in i3 Verticals, LLC, and the Continuing Equity Owners have the right to redeem their common units in i3 Verticals, LLC pursuant to the terms of the limited liability company agreement of i3 Verticals, LLC (the "LLC Agreement") for shares of Class A common stock or cash.

Subject to certain restrictions contained in the LLC Agreement, the Continuing Equity Owners are entitled to have their common units redeemed from time to time at each of their options (subject in certain circumstances to time-based and service-based vesting requirements and other limitations) for newly-issued shares of our Class A common stock on a one-for-one basis or a cash payment equal to a volume weighted average market price of one share of Class A common stock for each Common Unit redeemed, in each case, in accordance with the terms of the LLC Agreement. At our election, however, we may effect a direct exchange by i3 Verticals, Inc. of such Class A common stock or such cash, as applicable, for such common units in lieu of redemption. The Continuing Equity Owners may exercise such redemption right for as long as their common units remain outstanding. We have also entered into a Registration Rights Agreement pursuant to which the shares of Class A common stock issued to certain Continuing Equity Owners upon such redemption and the shares of Class A common stock issued to certain Continuing Equity Owners in connection with the Reorganization Transactions will be eligible for resale registration, subject to certain limitations set forth in the Registration Rights Agreement.

We cannot predict the size of future issuances of our Class A common stock or the effect, if any, that future issuances and sales of shares of our Class A common stock may have on the market price of our Class A common stock. Sales or distributions of substantial amounts of our Class A common stock, including shares issued in connection with an acquisition, or the perception that such sales or distributions could occur, may cause the market price of our Class A common stock to decline.

Holders of our Class A common stock may be diluted by future issuances of preferred stock or additional Class A common stock or common units in connection with our incentive plans, acquisitions or otherwise; future sales of such shares in the public market, or the expectations that such sales may occur, could lower our stock price.

Our amended and restated certificate of incorporation authorizes us to issue shares of our Class A common stock and options, rights, warrants and appreciation rights relating to our Class A common stock for the consideration and on the terms and conditions established by our Board of Directors in its sole discretion. We could issue a significant number of shares of Class A common stock in the future in connection with investments or acquisitions. Any of these issuances could dilute our existing stockholders, and such dilution could be significant. Moreover, such dilution could have a material adverse effect on the market price for the shares of our Class A common stock.

The future issuance of shares of preferred stock with voting rights may adversely affect the voting power of the holders of shares of our Class A common stock, either by diluting the voting power of our Class A common

stock if the preferred stock votes together with the common stock as a single class, or by giving the holders of any such preferred stock the right to block an action on which they have a separate class vote, even if the action were approved by the holders of our shares of our Class A common stock.

The future issuance of shares of preferred stock with dividend or conversion rights, liquidation preferences or other economic terms favorable to the holders of preferred stock could adversely affect the market price for our Class A common stock by making an investment in the Class A common stock less attractive. For example, investors in the Class A common stock may not wish to purchase Class A common stock at a price above the conversion price of a series of convertible preferred stock because the holders of the preferred stock would effectively be entitled to purchase Class A common stock at the lower conversion price, causing economic dilution to the holders of Class A common stock.

Sales of shares of our Class A common stock in connection with the Registration Rights Agreement, or the prospect of any such sales, could materially affect the market price of our Class A common stock and could impair our ability to raise capital through future sales of equity securities.

In connection with the completion of our IPO, we entered into a Registration Rights Agreement with certain Continuing Equity Owners. Any sales in connection with the Registration Rights Agreement, or the prospect of any such sales, could materially and adversely impact the market price of our Class A common stock and could impair our ability to raise capital through future sales of equity securities.

In the future, we may also issue additional securities if we need to raise capital, including, but not limited to, in connection with acquisitions, which could constitute a material portion of our then-outstanding shares of Class A common stock.

Item 1B. Unresolved Staff Comments

None.

Cybersecurity

Cybersecurity Program

We maintain a cybersecurity program that describes required controls for all Company businesses, with day-to-day management and implementation often conducted independently due to our decentralized operating model. While cybersecurity technologies and implementation may differ based on the needs and risk profile of each individual business, we implement standards at the enterprise level and provide centralized oversight work to ensure alignment and consistency. Our cybersecurity team deploys an array of capabilities to ensure the availability, integrity, and confidentiality of key business systems, supported by centrally monitored cyber tools and managed services.

Our cybersecurity programs operate in service of the following express principles:

•Identify: Intended to ensure that our IT team has a comprehensive understanding of our systems and data environment to effectively manage security risks to key assets, data, and services.

•Protect: Implementing controls and safeguards that allow employees to work securely and with confidence, which are intended to enable the continued delivery of essential business services. Our program follows guidelines from the National Institute of Standards and Technology (NIST), Center for Internet Security (CIS), Cloud Service Alliance (CSA), Payment Card Industry (PCI), HIPAA and applicable privacy regulations.

•Detect: Utilizing both external and internal resources to perform continuous assessments and penetration testing throughout the year on the Company’s key business systems, including an annual review to verify our compliance with the Payment Card Industries Data Security Standards (PCI DSS), We deploy

systems, capabilities, and processes designed to detect cybersecurity events as early as possible to ensure the resilience of our systems and our ability to identify threats.

•Respond & Recover: Equipping the Company with the necessary capabilities to take immediate and effective action against detected threats. Our incident response plan has a structured escalation process for managing and reporting cybersecurity incidents, starting with initial detection and local management review, escalating to enterprise-level teams, and potentially reaching Audit Committee of the Company's Board of Directors, if the incident is deemed material.

•Awareness: Promoting ongoing user awareness and training so that all employees understand their role in managing cybersecurity risks. Mandatory new hire and annual security and privacy training is provided to all employees, including automated monthly phishing campaigns to educate staff on identifying and reporting phishing threats.

•Third Parties: Processes designed to identify and manage cybersecurity risks associated with our use of third-party providers. These include cybersecurity due diligence efforts, targeted risk oversight, monitoring and mitigation efforts and contractual protections, as necessary.

We utilize both external and internal resources to perform assessments and penetration testing throughout the year on the Company’s key business systems, including an annual review to verify our compliance with the Payment Card Industries Data Security Standards (PCI DSS). Additionally, we engage consulting firms and other third parties to conduct evaluations of our security controls, including penetration testing and independent audits, and to advise the Company's Audit Committee, and our management team on cybersecurity matters..

However, despite our security measures, there is no assurance that we, or the third parties with which we interact, will not experience a cybersecurity incident in the future that materially impacts us. For additional information regarding the risks to us associated with cybersecurity incidents and cybersecurity or technological risks, see “Unauthorized disclosure, destruction or modification of data or disruption of our services or other cybersecurity or technological risks, including as a result of a cybersecurity incident, could expose us to liability, protracted and costly litigation and damage our reputation.” included in Part I, Item 1A of this Form 10-K.

We maintain a cybersecurity insurance policy that provides coverage in connection with cybersecurity incidents. However, costs and damages associated with cybersecurity incidents may not be fully insured under our insurance policy, and (to the extent otherwise covered) are subject to applicable deductibles.

Governance

While the Company’s Board of Directors has the ultimate responsibility for risk management, the Board has designated the Audit Committee as being primarily responsible for certain specific categories of risk oversight matters, including the oversight of the Company's privacy, data and cybersecurity risk exposures, such as the steps management has taken to monitor and mitigate such exposures and protect against threats to the Company’s information systems and security. Our cybersecurity risk management processes are integrated into our overall risk management system.

At a management level, the Company’s cybersecurity risk management program is led by our Chief Technology Officer (CTO), who reports to the Company’s President and regularly briefs him on developments that impact the program. Our CTO has an extensive track record of executive leadership in technology and cybersecurity, including overseeing the development and management of enterprise-level cybersecurity programs. With over 30 years of experience in technology, he has held key leadership roles where he successfully implemented IT governance, risk, and compliance frameworks, reducing organizational risk and enhancing operational resilience. Our Senior Vice-President of Technology, Compliance, Security Services (SVP-TCSS) reports to our CTO and leads a team of security professionals. Our SVP-TCSS has expertise in cybersecurity risk management through his more than 20 years of experience in cybersecurity, technology and data privacy roles. In addition, other individuals on our IT security team have cybersecurity experience or certifications relevant to their respective role.

Our incident response plan outlines controls and procedures for cybersecurity incidents. This plan includes a cybersecurity incident command team that to conducts initial assessments of incidents. If an incident meets defined criteria, it is reviewed by senior IT security members. The leadership team evaluates the potential impact and the need for public disclosure, and if necessary, escalates the incident to executive management, the Audit Committee, and/or the Board of Directors.

On a quarterly basis, the Company’s CTO reports to the Audit Committee regarding the Company’s cybersecurity program, including the status of ongoing proactive efforts to improve the Company’s cybersecurity risk profile. The CTO also reports to the Audit Committee on a quarterly basis regarding remediation activities, if any, along with related security metrics, in connection with any areas where cybersecurity threats have been identified.

Recently Filed

Click on a ticker to see risk factors

Ticker *	File Date
CLSK	14 hours ago
ALCO	1 day, 19 hours ago
ALTX	4 days, 9 hours ago
DBMM	4 days, 10 hours ago
TMRC	4 days, 10 hours ago
FLNC	4 days, 11 hours ago
EACO	4 days, 12 hours ago
ESE	4 days, 13 hours ago
SNEX	4 days, 17 hours ago
UNEX	4 days, 20 hours ago
CNBX	4 days, 20 hours ago
CENT	6 days, 10 hours ago
LESL	6 days, 10 hours ago
DSRO	6 days, 10 hours ago
SANM	6 days, 12 hours ago
CFFN	6 days, 13 hours ago
BDX	6 days, 13 hours ago
SPH	6 days, 15 hours ago
MOG-A	6 days, 18 hours ago
ENTA	6 days, 18 hours ago
HOLX	6 days, 19 hours ago
LGYV	6 days, 19 hours ago
LEDS	6 days, 20 hours ago
AZTA	1 week ago
UGI	1 week ago
JJSF	1 week ago
RJF	1 week ago
NJR	1 week ago
ARWR	1 week ago
CASH	1 week ago
BERY	1 week ago
ADI	1 week ago
ABQQ	1 week ago
ABC	1 week ago
WWD	1 week ago
LEXX	1 week ago
SMG	1 week ago
PNNT	1 week, 1 day ago
PFLT	1 week, 1 day ago
AEHA	1 week, 1 day ago
CRNC	1 week, 1 day ago
IIIV	1 week, 1 day ago
BLBD	1 week, 1 day ago
GLDM	1 week, 1 day ago
GLD	1 week, 1 day ago
ROAD	1 week, 1 day ago
J	1 week, 1 day ago
ENRT	1 week, 4 days ago
VVV	1 week, 4 days ago
GEOS	1 week, 4 days ago

OTHER DATASETS

House Trading

Dashboard

Corporate Flights

Dashboard

App Ratings

Dashboard

Strategies

Alerts

Browse Data

Risk Factors Dashboard

View risk factors by ticker

Search filings by term

Risk Factors - IIIV

-New additions in green
-Changes in blue
-Hover to see similar sentence in last filing

Recently Filed

OTHER DATASETS

House Trading

Corporate Flights

App Ratings

TRADE SMARTER

TRADE SMARTER

Strategies

Alerts

Browse Data

Risk Factors Dashboard

View risk factors by ticker

Search filings by term

Risk Factors - IIIV

-New additions in green-Changes in blue-Hover to see similar sentence in last filing

Recently Filed

OTHER DATASETS

House Trading

Corporate Flights

App Ratings

TRADE SMARTER

TRADE SMARTER

-New additions in green
-Changes in blue
-Hover to see similar sentence in last filing