Item 1. Business
Unless the context otherwise requires, references to “we”, “us”, “our”, "Paya", "Paya Holdings", or “the Company” refer to Paya Holdings Inc. and its consolidated subsidiaries.
Overview
We are a leading independent integrated payments and commerce platform providing card, Automated Clearing House ("ACH"), and check payment processing solutions via software to middle-market businesses in the United States. Our solutions integrate with our customers’ core business software to enable payments acceptance, reconcile invoice detail, and post payment information to their core accounting systems. In this manner, we enable our customers to collect revenue from their consumer ("B2C") and business ("B2B") customers with a seamless experience and high level of security across payment types. Given the focus on B2B and consumer bill payments integrated into software, as of December 31, 2022, approximately 85% of our payment card volume is card-not-present and on average, our customers accept approximately $500,000 of credit and debit card volume per year.
We concentrate on strategic vertical markets defined by strong secular growth and low penetration of electronic payments that are non-cyclical in nature such as B2B goods & services, healthcare, faith-based & non-profit, government & utilities, and education. Our technology, distribution, and support are tailored to the specific and complex payment needs of customers in these verticals. We have deep expertise of industry-specific considerations and believe this makes us a leading provider of integrated payment solutions in these markets with a sustainable competitive advantage.
In these strategic verticals, we deliver our payment solutions through front-end Customer Relationship Management ("CRM") and back-end accounting independent software vendors (“ISVs”) who sell or refer our integrated payments bundled with their proprietary software solutions to their customers. We enter into contracts with these ISVs where they deliver new customers to us in exchange for a portion of transaction revenue those customers generate. We refer to these ISVs as "partners" and the customers they bring to us as "customers." Our partners choose Paya because of our easy to use and feature rich technology platform, vertical expertise, and commitment to customer service. To our partners, embedding payments in their software increases customer life-time value and generates a new revenue stream through a share of Paya’s payments revenue.
Our payment technology is centered around Paya Connect, a proprietary, API-driven and service-oriented payments platform which integrates with our customers’ front-end CRM and back-end accounting software and acts as a universal gateway which connects to multiple card processors as well as Paya’s proprietary ACH processing platform. Paya Connect also serves as the foundation for modular value-added solutions including digital boarding, flexible funding, e-invoicing, auto-billing and recurring payments, tokenized and secure transactions, and robust customer and partner reporting, which are differentiators in our key end markets. Further, Paya Connect’s architecture allows us to easily add incremental value-added services into our ecosystem through API integration.
We have built industry-leading scale with a highly diverse customer portfolio. As of December 31, 2022, we served approximately 100,000 businesses, representing over $49 billion in card and ACH payment volume for the year ended December 31, 2022. Our customer portfolio is highly diversified with no single customer representing more than 1% of payment revenue for the year ended December 31, 2022. Average transaction size was approximately $300 inclusive of all card and ACH payment transactions in 2022.
We derive most of our revenue from fees paid by our customers which principally include a processing fee that is charged as a percentage of total payment volume, as well as fixed interchange fees and convenience-based fees. In some cases, including card processing in our government and utilities end-market and in ACH and check processing, fees are charged in the form of a fixed fee per transaction. Our revenue is re-occurring in nature because of the consistency of B2B and consumer bill payments, the mission-critical and embedded nature of the solutions we provide, and the high switching costs associated with these solutions due to complex levels of integration. We also benefit from a high degree of operating leverage given the combination of our highly scalable payments platform and low customer acquisition costs resulting from our partner-centric model.
Segments
We have two reportable segments, Integrated Solutions and Payment Services.
Integrated Solutions
Our Integrated Solutions segment represents the delivery of our credit and debit card payment solutions, and to a lesser extent, ACH processing solutions to customers via integrations with software partners across our strategic vertical markets. Our Integrated Solutions partners include vertical focused front-end CRM software providers as well as back-end Enterprise Resource Planning ("ERP") and accounting solutions. Integrated Solutions represented 64.2% of revenue for the year ending December 31, 2022.
Payment Services
The Payment Services segment represents the delivery of card payment processing solutions to our customers through resellers, as well as ACH, check, and gift card processing. Card payment processing solutions in this segment utilize Paya’s core technology infrastructure and do not typically originate through a software integration. ACH, check, and gift card processing may or may not be integrated with third-party software, however, Paya focuses on strategically cross selling these products with new software partners. Payment Services represented 35.8% of revenue for the year ending December 31, 2022.
Business Developments; Merger of Paya with Nuvei Corporation
On January 9, 2023, Paya announced the execution of an Agreement and Plan of Merger (the “Merger Agreement”) with Nuvei Corporation, a corporation incorporated pursuant to the laws of Canada (“Parent”), and Pinnacle Merger Sub, Inc., a Delaware corporation and wholly owned subsidiary of Parent (“Purchaser”).
Pursuant to the Merger Agreement, and upon the terms and subject to the conditions thereof, Purchaser agreed to commence a tender offer (the “Offer”), to purchase all of the shares of common stock of the Company issued and outstanding at a price of $9.75 per share (the “Offer Price”), in cash, without interest thereon (but subject to applicable withholding). Pursuant to the Merger Agreement, and upon the terms and subject to the conditions thereof, Paya will merge with and into the Purchaser, with Paya continuing as the surviving corporation and a wholly owned subsidiary of Parent (the “Merger”). If the Merger is consummated, the Company’s common stock will be delisted from the Nasdaq Capital Market ("Nasdaq") and the duty to file reports will be suspended under Section 13 and 15(d) of the Exchange Act.
On January 24, 2023, Purchaser commenced the Offer by filing with the U.S. Securities and Exchange Commission ("SEC") and mailing to the Company’s stockholders a Tender Offer Statement on Schedule TO. The Company concurrently filed with the SEC and mailed to stockholders a Solicitation/Recommendation Statement on Schedule 14D-9, which recommended that the Company’s stockholders tender their shares to Purchaser pursuant to the Offer. The Offer will initially remain open for a minimum of 20 business days from the date of commencement of the Offer. The Merger Agreement includes customary termination provisions for both the Company and Parent, and provides that, in connection with the termination of the Merger Agreement under specified circumstances, including termination by the Company to accept and enter into an agreement with respect to a Superior Proposal (as defined in the Merger Agreement), the Company will pay Parent a termination fee of approximately $38 million. The parties to the Merger Agreement are also entitled to specifically enforce the terms and provisions of the Merger Agreement.
The Merger Agreement provides, among other things, that upon the terms and subject to the conditions set forth in the Merger Agreement, at the effective time of the Merger, each share of the Company’s common stock that is not (a) validly tendered and irrevocably accepted for purchase pursuant to the Offer, (b) held by a stockholder who is entitled to demand appraisal and who has properly and validly exercised appraisal rights in accordance with, and who has complied with, applicable law, or (c) held by Parent, Purchaser, or any other direct or indirect wholly owned subsidiary of Parent, will be thereupon converted into the right to receive cash in an amount equal to the Offer Price, on the terms and subject to the conditions set forth in the Merger Agreement. The proposed Merger is expected to close during the first quarter of 2023.
Strategic Vertical Markets
We are a leading provider of integrated payment solutions in attractive vertical markets where we have a sustainable competitive advantage. Our technology solutions are tailored to the specific, complex needs of customers in these verticals, and we have deep expertise of industry-specific considerations. Strategic vertical markets include:
B2B Goods & Services
We have a leading presence in the B2B goods and services end market given our beginnings as part of Sage and deep expertise in accounting software integrations. We offer integrations into back-end ERP and accounting solutions, including Sage Intacct, X3, 50, 100, 300, and 500, as well as Acumatica and Intuit Quickbooks. In this vertical, we leverage value-added resellers as distribution, in addition to receiving referrals directly from our software partners. We also integrate with ISVs that focus on sub-verticals such as manufacturing and construction. This end market is characterized by under-penetration of electronic payments and high retention due to the required levels of integration.
Healthcare
Our healthcare portfolio is primarily comprised of ambulatory providers and healthcare practices that we serve through ISV partners. Our differentiated solutions in this end market include flexible funding, pre-authorization, and reporting capabilities, acceptance of health savings account ("HSA") & flexible spending account ("FSA") cards, and multi-layer location management. While our existing customers focus on these sub-verticals, our core capabilities are broadly applicable to software providers focused on specialty medicine. The healthcare end market is characterized by underlying secular growth and complex payment functionality needs that serve as a barrier to entry for competitors.
Faith-based, Education & Non-profit
Our faith-based and non-profit customers, which utilize our payments technology for donation collection and fundraising, have unique feature requirements including recurring billing, event management, and integrated e-Commerce. In this end market, we utilize both ISV partner and direct distribution models. Our direct distribution model was acquired as part of our acquisition of Stewardship, which delivers payment processing solutions via a proprietary donation management software platform. The non-profit market is characterized by late adoption of electronic payments, with adoption accelerating in recent years due to advances in payment technology.
The education vertical represents a growth area for us, with increasingly strong relationships with education-specific ISVs that deliver tuition collection tools, cafeteria and school store management software, and other administrative solutions. Education is generally non-cyclical and benefits from attractive levels of electronic payment adoption and the need for flexible settlement solutions.
Government & Utilities
Like the faith-based and non-profit vertical, our government and utilities portfolio consists of both ISV partner and direct distribution models. Our direct distribution model was developed through our acquisition of First Billing Services and further enhanced through our acquisition of The Payment Group, LLC ("TPG" or "The Payment Group"), which provides e-billing and payment portal software. Since acquisition, we have also found success selling First Billing’s software through partnerships in this vertical. Electronic payment methods in this end market are significantly underpenetrated, providing attractive underlying customer growth and high retention, while also benefiting from low cyclicality given the nature of these services. TPG provides municipalities and courts with a completely automated payment system for receiving payments online and processing them instantly. New competitor entry into this vertical is challenging given the importance of track-record and reference clients servicing government and municipal entities effectively.
[Chart: Paya End Market Revenue Composition by Vertical as of December 31, 2022. Note (1): Includes both card and ACH.]
Partner-centric Distribution
Paya’s overall strategy is built with our partner-centric distribution model in mind, including our technology roadmap, customer service capabilities, and sales focus. This results in an attractive integrated experience of software and payments for the customers of our partners. Our approach allows us to flexibly and scalably address multiple attractive verticals at once and invest in technology rather than a “feet on the street” direct salesforce.
To understand our strategy requires a better understanding of our partners. We serve independent software vendors ranging from front-end CRM applications to back-end accounting solutions. These partners are typically differentiated in their vertical markets and serve a sophisticated, middle-market business customer, who in turn uses the software to sell their goods and services B2B or B2C. Paya’s core function is allowing these businesses to accept payments from their customers in a way that improves customer experience and automates the invoice to payment reconciliation.
The first pillar of our sales strategy is to sign new partnerships in our core markets. Our go-to-market organization utilizes a solutions-oriented approach that focuses on understanding our software partners’ payments needs and helping them craft solutions that differentiate themselves in a specific marketplace. We believe that successfully embedding payments in our partners' software greatly enhances their customer retention and provides them a substantial new revenue stream in excess of the typical monthly subscription.
In addition to signing new partnerships, we also focus on increasing the penetration of our offerings among the installed base of our existing partners. We do this effectively by selling our Paya Connect functionality to an installed base that may not be fully utilizing integrated payment capabilities.
We go to market via two primary partner channels: ISVs and value-added resellers. While we have existing independent sales organizations ("ISO") partners that focus primarily on reselling payments, technological advances have driven growth of the ISV and value-added reseller ("VAR") channels, which are in turn displacing the ISO channel and growing far more rapidly.
• Integrated Software Vendors. Our ISV partners strive for business growth, relying on our comprehensive, secure payments solutions to support their vertical-specific needs. We work with these software companies to provide a future-proof payments platform to their client base, constantly innovating to provide new payment functionality and maintaining compliance with evolving industry standards and regulations. Integrating their business management software seamlessly into our platform creates higher lifetime customer value and provides a more complete end-to-end experience.
Our integrations ensure seamless delivery of our full suite of payment processing capabilities to our customers. These integrations are also a critical part of our marketing strategy, as we work with partners to actively promote our preferred relationship and the advantages of an integrated payment solution to their existing base of customers.
Finally, these ISVs typically focus on a specific vertical or sub-vertical market and chose Paya because the payment functionality and support we offer is tailored to the specific needs of their given vertical.
• Value-Added Resellers. We work with VARs that bundle our suite of features and services with an existing software product and resell the package as an integrated or complete turn-key solution. This is a key channel for our B2B vertical given the prevalence of the value-added reseller distribution model among ERP and accounting software providers.
• Direct Sales. Although our sales force is primarily focused on winning channel partners, we have a direct sales force that brings our proprietary software solutions with embedded payments directly to customers in the government & utilities and faith-based & non-profit end markets.
• Independent Sales Organizations. We partner with ISOs in our Payment Services segment that have their own distribution capabilities and technologies. We provide them with the products and tools we believe are necessary to acquire new customers and grow their adoption of electronic payments. In addition to payment functionality, we deliver valuable back-office support, training, and the tools necessary for independent sales organizations to manage their business.
• ACH Sales. For our ACH product, we deploy a go-to-market model leveraging ISOs and third-party resellers combined with cross-selling to our integrated partnerships to expand distribution of our capabilities. These efforts are represented in our Payment Services segment.
Products, Solutions and Technology
We provide a robust suite of proprietary technology solutions tailored to address the evolving needs of our sophisticated partners and customers. Our offerings are developed with vertical-specific needs in mind and are designed to support the end-to-end payments requirements of tech-savvy, middle market businesses. Our solutions are highly scalable, built for exceptional up-time, sustain high transaction volume, and offer a multi-channel, payment method agnostic experience.
Organization
We have significantly invested in our information technology ("IT") and product teams and capabilities. Our product management team employs a customer-centric approach. This team maintains a close connection with the sales force, a strong understanding of customer feature requirement needs in the pipeline, and a continuous assessment of market trends. The team of product management professionals is supported by an agile IT development organization and robust on-shore and off-shore development support focused on building payments applications and additional value-added services into integrated solutions. Our technology infrastructure team is focused on maintaining the integrity and security of client data and ensuring best-in-class cyber security technology is deployed.
Operations
Paya’s operations division is focused on delivering commercially differentiated customer and partner support to the integrated payments ecosystem. We achieve this goal by deploying a comprehensive set of user engagement tools to facilitate continued service excellence. These include a cloud-based telephony infrastructure and CRM system with a robust ticketing module, case management, chat bots, a customer accessible knowledgebase, and targeted call routing for premium service. The operations team represents a significant competitive advantage in core markets due to (1) large acquirers lacking service and implementation efforts tailored for the middle market and (2) software providers lacking payments expertise and scale to deliver the dedicated customer support that we offer.
Business Operations
• Advanced Client Solutions: Technical personnel with advanced payment knowledge and deep-rooted expertise in our integrations and solutions help partners and customers identify the right solutions during the sales process and throughout the lifetime of the relationship as they add new products and functionality.
• Implementation: White-glove onboarding for integration partners and large ERP end customers when needed; ensuring rapid activation for all new partners and customers to maximize the revenue opportunity for all parties.
• Partner Support and Premier Accounts: Dedicated team provides personalized service to top 40 partners and 400+ premier customers.
• Card and ACH Customer Care: Experienced front-line end-customer support teams that provide phone, ticket, chat and email support to customers for all payments related questions, including integrated solutions, ACH services and card processing.
• Government & Utilities Operations: Vertical specific implementation, relationship management, and customer support resources focused on serving municipal clients and government focused software partners.
Technology Operations
• Product Development: Our product development function manages the deployment and expansion of our payments product suite, primarily consisting of Paya Connect. Our developers work closely with our product managers to ensure they are actively addressing client demands and understanding trends in specific customer needs.
• Technology Infrastructure: Our technology infrastructure function ensures that systems are reliable, secure and fully operational while meeting industry and PCI-DSS security standards.
Security, Disaster Recovery and Back-up Systems
Paya has a robust technology security framework to manage and protect the large amount of information we store relating to customer transaction history and payment card information. We encrypt card information and customer data that is stored in our databases. Paya continues to deploy strong commercially acquired encryption methods. We have relationships with several third-party security technology vendors to disrupt threats including email threat protection (anti-phishing), endpoint security (anti-virus), network next-gen security, and firewalls. In addition to these measures, Paya has an external Security Operations Center which monitors for malicious activity 24 hours a day, 7 days a week. This team is responsible for detecting intrusions, malware, and other events that could jeopardize data integrity, availability, and confidentiality. Upon detection, they work with Paya to protect against and contain the risk. We also leverage vendors for internal and external penetration testing, and for forensic incident response. Our security processes and procedures have been evaluated and validated by several third-party compliance tests:
• Payment Card Industry Data Security Standard (“PCI-DSS”)
• Payment Application Data Security Standard (“PA-DSS”)
• National Automated Clearing House Association (“NACHA”)
• NIST Cybersecurity Framework
• Third party cyber assessments
In the summer of 2019, we completed a total platform modernization and infrastructure refresh. This included the relocation and upgrade of our physical infrastructure to a Tier 1 hardened location. In doing so, we significantly improved the performance of our platforms, raised our availability numbers, more efficiently satisfied current compliance mandates, and reduced our licensing profile. Within this new operating construct, we now have multiple levels of redundancy covering network, servers, storage, and applications via virtualization. We also modernized the network infrastructure of all our office locations and installed multiple redundant network paths, including last mile ISP and Telco. Our infrastructure roadmap includes further expansion into off premise Cloud infrastructure, leveraging Amazon Web Services ("AWS") and continuous dual location processing, removing the occurrence of service interruptions during scheduled maintenance periods. This will also dramatically reduce physical site risk.
Third Party Processors and Sponsor Banks
In the course of facilitating credit and debit card processing services, we rely on third parties to provide authorization, settlement and funding services in connection with our customers’ transactions. These institutions include third-party processors (such as Global Payments, FIS and Fiserv) and sponsor banks, who facilitate our access to the payment networks, such as Visa, Mastercard, and Discover. The processors and sponsor banks in turn have agreements with the payment networks, which permit them to route transaction information through their networks in exchange for fees.
For much of our credit and debit card payment volume, we engage Global Payments. Global Payments handles approximately two-thirds of our payment volume, providing authorization and settlement services to Paya, which include communicating with the credit card networks and providing funding instructions to the sponsor bank to facilitate the cash clearing process. Once a business accepts a payment transaction, Global Payments records the sale amount, type of transaction, location at which the transaction was processed, and other relevant information. We have built an entire value-added ecosystem around the transaction and control these aspects internally.
BMO Harris and Chesapeake Bank are our sponsor banks for debit and credit card transactions. Sponsor banks provide cash collection and funding services for our card processing customers. Additionally, we adhere to the underwriting guidelines provided by our sponsor banks. Because we are not a “member bank” as defined by Visa and Mastercard, in order to process and settle these card transactions for our customers, we have entered into sponsorship agreements with member banks. Visa and Mastercard rules restrict us from performing funds settlement or accessing customer settlement funds.
Our sponsorship agreement enables us to route Visa and Mastercard transactions under the member bank’s control and under the member bank’s identification numbers to clear credit and signature debit card transactions through Visa and Mastercard.
Our sponsorship agreements with the member banks require, among other things, that we abide by the bylaws and regulations of the Visa and Mastercard networks. As of December 31, 2022, we have not been notified of any such issues by our sponsor banks, Visa or Mastercard.
In addition to bankcard processing, we process EFT transactions through the ACH network. We process ACH transactions, which require requesting customer-processed funds from the bank each day, receiving the funds, and then repaying those funds to the customer. We primarily perform this service using the Enterprise ACH system (“eACH”) and the eMagnus system, our proprietary database and transaction processing system. eMagnus automatically calculates splits with our customers and determines the pay-out schedule. Owning the ACH processing engine represents a key differentiator for us as we control the end-to-end user experience and provide a payment-method agnostic experience to our partners. We have longstanding relationships with multiple originating depository financial institutions ("ODFIs"), including Wells Fargo, Fifth Third Bank, and America's Christian Credit Union ("ACCU"). ODFIs interface between the Board of Governors of the Federal Reserve System (the "Federal Reserve") and ACH processors to facilitate payment flows.
Customers
Customer and Transaction Risk Management
We maintain a complete underwriting and risk monitoring management infrastructure with a dedicated team of underwriters, credit analysts, and risk and compliance management leads. Given that our core end markets are primarily focused on B2B and less focused on B2C and retail e-Commerce, we experience low levels of fraud and chargeback risk. Card brand networks generally allow chargebacks up to four months after the later of the date the transaction is processed or the delivery of the product or service to the cardholder. If the business incurring the chargeback is unable to fund the refund to the card issuing bank, we are required to do so. For the year ended December 31, 2022, Bad Debt Expense was $1.7 million.
Despite the low risk profile, we believe our security and risk offerings are differentiators in the marketplace. We utilize a comprehensive risk framework profile, which is essential in delivering low loss rates while maximizing approval rates and customer satisfaction. As such, our underwriting criteria are tailored towards our end markets and related business models. For example, we deploy vertical-specific monitoring relating to large ticket sizes and monthly patterns of utility and non-profit businesses.
Customer Underwriting
Our credit underwriting criteria consist of evaluating the nature of the business, end market, volume history, length of time between payment and delivery of goods or services, pricing, proposed transaction levels, and overall financial condition of the applicant. We may require cash or non-cash collateral as a condition for processing approval. These processes are documented and used for ongoing monitoring as the customer begins processing. Based on experience level, our underwriting staff is given various levels of autonomy to adjust transaction or volume thresholds, establish funding delays, establish daily discount funding and call-or-return collateral. These levels are originally set, reviewed, and signed off on by management. Our sponsor banks evaluate our customer underwriting policies and procedures to ensure compliance with card brand rules and regulations.
Risk Management/Transaction Monitoring
We take a sophisticated approach to risk management that involves intra-day reporting and monitoring of customer-level transaction activity to evaluate potential for credit and fraud risk. The risk management team reviews all unusual activity, which may include ticket size, rolling volume levels, refund and chargeback levels as well as authorization history. Risk management tools and reporting are reviewed daily to suspend unusual processing activity if sufficient abnormalities are observed. Accounts with suspended funds are investigated daily and the risk management team decides if any transactions should be held for further review. We believe this allows us to minimize credit and fraud risk by providing time to formally review the processing with our customer, the cardholders and the issuing banks.
Investigation and Loss Prevention
If a customer exceeds the thresholds established by our underwriting process, or if ongoing risk management processes identify suspicious activity or a potential breach of card brand rules and regulations or the terms of our customer agreement, we utilize a robust documentation and review process. The review will include the actions taken to reduce our exposure to loss and the exposure of our customer, which can start with requesting additional information and can be escalated to withholding or diverting funds, verifying delivery of merchandise or even deactivating the customer account. The financial condition of the business may also be considered during these investigations.
Collateral
As a condition for processing approval, we may require some customers to post collateral including certificates of deposits, letters of credit, cash, upfront or rolling reserves. This collateral is held in order to offset potential credit losses or risk liability that we may incur during the life of the relationship.
Competition
We compete with a variety of merchant acquirers that have different business models, go-to-market strategies and technical capabilities. Many merchant acquirers provide integrated payments solutions and/or related hardware to customers within our existing verticals. Our competition comes from a combination of niche players and horizontal acquirers which differ by individual vertical, including REPAY, i3 Verticals, Stripe, and the acquiring arms of FIS, FISERV and Global Payments. Our competitors also include banks, credit card providers, technology and ecommerce companies.
We believe the most significant competitive factors in the markets in which we compete are the following: (1) product offering, including depth of integration capabilities and ability to deliver differentiated value-added solutions; (2) customer service, including integration, transaction, and technology support for payors, customers, and software integration partners; (3) processing and technology reliability, and (4) transaction economics, including fees charged to customers and commission payouts to software integration partners.
Regulatory Compliance
Government Regulation and Payment Network Rules
We operate in an increasingly complex legal and regulatory environment. Our business and the products and services that we offer may be subject to a variety of federal, state and local laws and regulations, and the rules and standards of the card brand networks that we utilize to provide our electronic payment services, as more fully described below.
Dodd-Frank Act
The Dodd-Frank Act of 2010, and the related rules and regulations have resulted in significant changes to the regulation of the financial services industry. Merchants are permitted to set minimum dollar amounts for the acceptance of credit cards and to offer discounts or incentives to entice consumers to pay with cash, checks, debit cards or credit cards, as the merchant prefers. There are certain prohibitions on card brand network exclusivity and merchant routing restrictions of debit card transactions. Additionally, the Durbin Amendment to the Dodd-Frank Act provides that the interchange fees that certain issuers charge merchants for debit transactions will be regulated by the Federal Reserve and must be “reasonable and proportional” to the cost incurred by the issuer in authorizing, clearing and settling the transactions. Rules released by the Federal Reserve in July 2011 to implement the Durbin Amendment mandate a cap on debit transaction interchange fees for issuers with assets of $10 billion or greater.
The Dodd-Frank Act also created the Consumer Financial Protection Bureau (the “CFPB”), which has assumed responsibility for most federal consumer protection laws, and the Financial Stability Oversight Council, which has the authority to determine whether any non-bank financial company, such as us, should be supervised by the Federal Reserve because it is systemically important to the U.S. financial system. Any new rules or regulations implemented by the CFPB or the Financial Stability Oversight Council or in connection with the Dodd-Frank Act that are applicable to us, or any changes that are adverse to us resulting from litigation brought by third parties challenging such rules and regulations, could increase our cost of doing business or limit permissible activities.
Privacy and Information Security Regulations
We provide services that may be subject to privacy laws and regulations of a number of jurisdictions. Relevant federal privacy laws may include the Gramm-Leach-Bliley Act of 1999, which applies directly to a broad range of financial institutions and indirectly, or in some instances directly, to companies that provide services to financial institutions, as well as a number of recent and novel state laws, including the California Consumer Privacy Act of 2018 (the "CCPA"), the California Privacy Rights Act (the "CPRA"), which went into effect in January 2023, and similar laws enacted in Connecticut, Colorado, Utah and Virginia, which go into effect at various times in 2023. These laws and regulations restrict the collection, processing, storage, use and disclosure of personal information, require notice to individuals of privacy practices and provide individuals with certain rights to prevent the use and disclosure of certain nonpublic or otherwise legally protected information. These laws also impose requirements for safeguarding and proper destruction of personal information through the issuance of data security standards or guidelines. Our business may also be subject to the Fair Credit Reporting Act ("FCRA") and the Fair and Accurate Credit Transactions Act of 2003 ("FACTA"), which regulate the use and reporting of consumer credit information and also impose disclosure requirements on entities who take adverse action based on information obtained from credit reporting agencies. In addition, there are state laws restricting the ability to collect and utilize certain types of personal information such as Social Security and driver’s license numbers and imposing secure disposal requirements for personal data. Certain state laws mandate businesses to implement reasonable data security measures. States are increasingly legislating data protection requirements for a broader list of personal data, such as biometric data, and are strengthening protections for students’ personal information. All fifty states, Puerto Rico, and the U.S. Virgin Islands have now enacted data breach notification laws requiring businesses that experience a security breach of their computer databases that contain personal information to notify affected individuals, consumer reporting agencies and governmental agencies that possess data.
Each privacy law and regulation that applies to us could increase our cost of doing business or limit permissible activities.
Anti-Money Laundering and Counter-Terrorism Regulation
Our business is subject to U.S. federal anti-money laundering laws and regulations, including the Bank Secrecy Act of 1970, as amended by the USA PATRIOT Act of 2001, which we refer to collectively as the “BSA.” The BSA, among other things, requires money services businesses to develop and implement risk-based anti-money laundering programs, report large cash transactions and suspicious activity and maintain transaction records. We are also subject to certain economic and trade sanctions programs that are administered by the Office of Foreign Assets Control (“OFAC”) that prohibit or restrict transactions to or from (or transactions dealing with) specified countries, their governments and, in certain circumstances, their nationals, such as those who might be narcotics traffickers and terrorists or terrorist organizations. Similar anti-money laundering, counter terrorist financing and proceeds of crime laws apply to movements of currency and payments through electronic transactions and to dealings with persons specified on lists maintained by organizations similar to OFAC in several other countries and which may impose specific data retention obligations or prohibitions on intermediaries in the payment process. We have developed and continue to enhance compliance programs and policies to monitor and address related legal and regulatory requirements and developments.
Unfair or Deceptive Acts or Practices
We and many of our customers are subject to Section 5 of the Federal Trade Commission Act prohibiting unfair or deceptive acts or practices. In addition, laws prohibiting these activities and other laws, rules and/or regulations, including the Telemarketing Sales Act, may directly impact the activities of certain of our clients, and in some cases may subject us, as the customer's payment processor or provider of certain services, to investigations, fees, fines and disgorgement of funds if we are deemed to have aided and abetted or otherwise provided the means and instrumentalities to facilitate the illegal or improper activities of the customer through our services. Various federal and state regulatory enforcement agencies, including the Federal Trade Commission and the state attorneys general, have authority to take action against non-banks that engage in unfair or deceptive acts or practices or violate other laws, rules and regulations and to the extent we are processing payments or providing services for a customer that may be in violation of laws, rules and regulations, we may be subject to enforcement actions and as a result may incur losses and liabilities that may impact our business.
In addition, the CFPB has recently attempted to extend certain provisions of the Dodd-Frank Act that prevent the employment of unfair, deceptive or abusive acts or practices (“UDAAP”) to payment processors. Though there is still litigation involving whether payment processing companies are subject to these requirements (and the extent of their application), these requirements may apply or be applicable in the future. UDAAPs could involve omissions or misrepresentations of important information to consumers or practices that take advantage of vulnerable consumers, such as elderly or low-income consumers.
Payment Network Rules and Standards
Payment networks establish their own rules and standards that allocate liabilities and responsibilities among the payment networks and their participants. These rules and standards, including the PCI-DSS, govern a variety of areas including the use of cards, the security features of cards, security standards for processing, data security and allocation of liability for certain acts or omissions including liability in the event of a data breach. The payment networks may change these rules and standards from time to time as they may determine in their sole discretion and with or without advance notice to their participants. These changes may be made for any number of reasons, including as a result of changes in the regulatory environment, to maintain or attract new participants, or to serve the strategic initiatives of the networks and may impose additional costs and expenses on or be disadvantageous to certain participants. Participants are subject to audit by the payment networks to ensure compliance with applicable rules and standards. The networks may fine, penalize or suspend the registration of participants for certain acts or omissions or the failure of the participants to comply with applicable rules and standards.
To provide our electronic payment services, we must be registered as a service provider with each of the payment networks. Because we are not a bank, we are not eligible for primary membership in certain payment networks, including Visa and Mastercard, and are therefore unable to directly access these networks. The operating regulations of certain payment networks, including Visa and Mastercard, require us to be sponsored by a member bank as a service provider. We are registered with certain payment networks, including Visa and Mastercard, through various sponsor banks. The agreements with our bank sponsors give them substantial discretion in approving certain aspects of our business practices including our solicitation, application and qualification procedures for clients and the terms of our agreements with clients. We are also subject to network operating rules and guidelines promulgated by NACHA relating to payment transactions we process using the ACH Network. Like the card networks, NACHA may update its operating rules and guidelines at any time, and we will be subject to these changes. These operating rules and guidelines allocate responsibility and liabilities to the various participants in the payment network. Recently, NACHA has focused upon data security and privacy responsibilities. We are subject to audit by our partner financial institutions for compliance with the rules and guidelines. Our sponsor financial institutions have substantial discretion in approving certain aspects of our business practices, including the terms of our agreements with our ACH processing clients.
Money Transmitter Regulation
We may be subject to various U.S. federal, state, and foreign laws and regulations governing money transmission and the issuance and sale of payment instruments, including some of the prepaid products we may sell. In the future, we may be subject to money transmitter regulation and may be required to obtain additional licenses and registrations which we may not be able to obtain.
In the United States, most states license money transmitters and issuers of payment instruments. These states not only regulate and control money transmitters, but they also license entities engaged in the transmission of funds. Many states exercise authority over the operations of our services related to money transmission and payment instruments and, as part of this authority, subject us to periodic examinations. Many states require, among other things, that proceeds from money transmission activity and payment instrument sales be invested in high-quality marketable securities before the settlement of the transactions or otherwise restrict the use and safekeeping of such funds. Such licensing laws also may cover matters such as regulatory approval of consumer forms, consumer disclosures and the filing of periodic reports by the licensee and require the licensee to demonstrate and maintain specified levels of net worth. Many states also require money transmitters, issuers of payment instruments, and their agents to comply with federal and/or state anti-money laundering laws and regulations.
Stored Value Services
Stored value cards, store gift cards and electronic gift certificates are subject to various federal and state laws and regulations, which may include laws and regulations related to consumer and data protection, licensing, consumer disclosures, escheat, anti-money laundering, banking, trade practices and competition and wage and employment. The customers who utilize the gift card processing products and services that we may sell may be subject to these laws and regulations. In the future, if we seek to expand these stored value card products and services, or as a result of regulatory changes, we may be subject to additional regulation and may be required to obtain additional licenses and registrations which we may not be able to obtain.
The Credit Card Accountability Responsibility and Disclosure Act of 2009 (the “Card Act”) together with the Federal Reserve’s amended Regulation E, set forth the requirements with respect to general use prepaid gift cards, store gift cards and electronic certificates. These include certain prohibited features and revised disclosure obligations. Prepaid services may also be subject to the rules and regulations of Visa, Mastercard, Discover and American Express and other payment networks with which our clients and the card issuers do business. The customers who utilize the gift card processing products and services that we may sell are responsible for compliance with all applicable rules and requirements relating to their gift product program.
Additionally, the Financial Crimes Enforcement Network of the U.S. Department of the Treasury, or “FinCEN”, issued a final rule in July 2011 regarding the applicability of the BSA’s regulations to “prepaid access” products and services. This rulemaking clarified the anti-money laundering obligations for entities engaged in the provision and sale of prepaid services, such as prepaid gift cards. We are not registered with FinCEN based on our determination that our current products and services do not constitute a “prepaid program” as defined in the BSA and we are not a “provider” of prepaid access. We may in the future need to register with FinCEN as a “money services business-provider of prepaid access” in accordance with the rule based on changes to our products or services.
Other Regulation
We are subject to U.S. federal and state unclaimed or abandoned property (escheat) laws which require us to turn over to certain government authorities the property of others we hold that has been unclaimed for a specified period of time such as account balances that are due to a distribution partner or client following discontinuation of its relationship with us. The Housing Assistance Tax Act of 2008 requires certain merchant acquiring entities and third-party settlement organizations to provide information returns for each calendar year with respect to payments made in settlement of electronic payment transactions and third-party payment network transactions occurring in that calendar year. Reportable transactions are also subject to backup withholding requirements.
The foregoing is not an exhaustive list of the laws and regulations to which we are subject, and the regulatory framework governing our business is changing continuously.
Intellectual Property
Certain of our products and services are based on proprietary software and related payment systems solutions. We rely on a combination of copyright, trademark, and trade secret laws, as well as employee and third-party non-disclosure, confidentiality, and other contractual arrangements to establish, maintain, and enforce our intellectual property rights in our technology, including with respect to our proprietary rights related to our products and services. In addition, we license technology from third parties that is integrated into some of our solutions.
We own several registered trademarks, including Paya, First Billing, FirstCloud, FirstUtility, and Stewardship and we have other pending applications. We also own multiple domain names, including www.paya.com.
Human Capital Management
As of December 31, 2022, we employed approximately 300 employees across five U.S. office locations, with some employees working remotely. We are an Equal Employment Opportunity and Affirmative Action employer. All aspects of employment including the decision to hire, promote, discipline, or discharge, are based on merit, competence, performance, and business needs. We do not discriminate on the basis of race, color, religion, marital status, age, national origin, ancestry, physical or mental disability, medical condition, pregnancy, genetic information, gender, sexual orientation, gender identity or expression, veteran status, or any other status protected under federal, state, or local law.
Many of our employees are highly skilled in technical areas specific to payment technology and software solutions as well as delivery support, and many have deep knowledge of our core verticals and integrated payments. From time to time, we supplement our workforce with consultants or independent contractors, primarily in the information technology area, through contracted service arrangements.
Our employees are key to our success as a company, and we are committed to attracting, developing and retaining the best talent. We leverage formal and informal programs to identify and attract top talent including social media, career fairs, and professional associations and industry groups. We develop and retain the best talent through various means including performance evaluation and goal setting as well as a robust training and development curriculum. Our online training platform provides a variety of tools and application resources for all team members to build learning experiences and skills.
We provide employees with competitive compensation and benefits consistent with positions, skill levels, experience, knowledge, and geographic location. All employees are eligible for health insurance, paid and unpaid leave, a retirement plan, and life/disability/accident coverage. We also offer a variety of voluntary benefits that allow employees to select the options that meet their needs, including critical illness coverage, medical and dependent care flexible spending accounts, health saving accounts, paid parental leave, and an employee assistance program.
Our executive management team and People Operations regularly review and update our talent strategy, monitoring a variety of data, including turnover, diversity, and tenure, to design and implement effective reward/recognition, training, development, succession, and benefit programs to meet the needs of our businesses and our employees. The Compensation Committee assists our Board in its oversight of human capital management including corporate culture, diversity and inclusion, recruiting, retention, attrition, talent management, career development and progression, succession and employee relations.
The success of our business is connected to the well-being of our team members. Accordingly, we are committed to the health, safety and wellness of our team members worldwide.
Other Available Information
Our website address is www.paya.com. We make available on the Investor Relations section of our website, which can be found at investors.paya.com, free of charge, our Annual Reports on Form 10-K, Quarterly Reports on Form 10-Q, Current Reports on Form 8-K, Proxy Statements, and Forms 3, 4 and 5, and amendments to those reports, as soon as reasonably practicable after filing such documents with, or furnishing such documents to, the SEC.
Additionally, the SEC maintains an internet site that contains reports, proxy and information statements, and other information regarding issuers that file electronically with the SEC at http://www.sec.gov. We use these mediums, including our website, to communicate with our stockholders and the public about our Company.
The information contained on, or that can be accessed through, the websites referred to above is not incorporated into this Annual Report. Further, our references to the website addresses are intended to be inactive textual references only.
Item 1A. Risk Factors
RISK FACTOR SUMMARY
Our business involves significant risks and uncertainties that make an investment in us speculative and risky. The following is a summary list of the principal risk factors that could materially adversely affect our business, financial condition, liquidity and results of operations. These are not the only risks and uncertainties we face, and you should carefully review and consider the full discussion of our risk factors, which is presented below.
• Uncertainties associated with the Merger with a wholly-owned affiliate of Nuvei Corporation could adversely affect our business, results of operations, stock price and financial condition.
• Failure to complete the Merger could adversely affect our business and the market price of our shares of common stock.
• The Merger Agreement contains provisions that limit our ability to pursue alternatives to the Merger.
• We are subject to certain restrictions on the conduct of our business under the terms of the Merger Agreement.
• Legal proceedings have been commenced against us, our Board of Directors and Nuvei Corporation relating to the Offer and the Merger, which could adversely affect our business, financial condition and operating results.
• Our results could be adversely affected by continued economic uncertainty, an economic slowdown or a recession.
• A substantial portion of our merchants are middle market businesses, which may increase the impact of economic fluctuations and merchant attrition on us.
• The COVID-19 pandemic has had, and may continue to have, a material adverse effect on our business and results of operations.
• The payment processing industry is highly competitive and such competition is likely to increase, which may adversely influence the prices we can charge to merchants for our services and the compensation we must pay to our distribution partners, and as a result, our profit margins.
• Degradation of the quality of the products and services we offer, including support services, could adversely impact our ability to attract and retain merchants and partners. Increases in card network fees and other changes to fee arrangements may result in the loss of merchants or a reduction in our earnings.
• Reliance on third parties, including our strategic relationship with Sage, and distribution partners that may not serve us exclusively and are subject to attrition and merchants who may be reluctant to switch to a new merchant acquirer, which may adversely affect our growth.
• Unauthorized disclosure of merchant or cardholder data, whether through breach of our computer systems, computer viruses, or otherwise, could expose us to liability, protracted and costly litigation and damage our reputation.
• If the banks that currently provide ACH and wire transfers fail to properly transmit ACH or terminate their relationship with us or limit our ability to process funds or we are not able to increase our ACH capacity with our existing and new banks, our ability to process funds on behalf of our clients and our financial results and liquidity could be adversely affected.
• If we fail to comply with the applicable requirements of card networks and industry self-regulatory organizations, those card networks or organizations could seek to fine us, suspend us, or terminate our registrations through our bank sponsors or our merchants or sales partners may incur fines or penalties that we cannot collect from them, causing us to bear the cost.
• In order to remain competitive and to continue to increase our revenues and earnings, we must continually update our products and services, a process which could result in increased costs and the loss of revenues, earnings, merchants and distribution partners if the new products and services do not perform as intended or are not accepted in the marketplace.
• We may not be able to continue to expand our share of our existing vertical markets or expand into new vertical markets, which would inhibit our ability to grow and increase our profitability.
• Our ability to grow our business will depend in part on the addition of new partners, and our inability to effectively onboard these new partners could have a material adverse effect on our business, financial condition and results of operations.
• We may not be able to successfully execute our strategy of growth through acquisitions.
• We may not be able to successfully manage our intellectual property and may be subject to infringement claims.
• Our systems and our third-party providers’ systems may fail due to factors beyond our control, which could interrupt our service, resulting in our inability to process payments, cause us to lose business, increase our costs and expose us to liability.
• Our reliance on other service and technology providers may result in service interruptions for our merchants.
• Fraud by merchants or others could subject us to liability and materially affect our results.
• Our reliance on bank sponsors, which have substantial discretion with respect to certain elements of our business practices to process electronic payment transactions may materially adversely affect our business.
• We incur liability when our merchants refuse or cannot reimburse us for chargebacks resolved in favor of their customers.
• Our risk management policies and procedures may not be fully effective in mitigating our risk exposure in all market environments or against all types of risks.
• Our ability to successfully operate the business depends upon the efforts of certain key personnel and our ability to attract, recruit, retain and develop qualified employees.
• We are subject to extensive government regulation, including the Bank Secrecy Act and limitations on consumer information among others, and any new laws and regulations, industry standards or revisions made to existing laws, regulations or industry standards affecting the electronic payments industry may have an unfavorable impact on our business, financial condition and results of operations.
RISK FACTORS
You should carefully consider these risk factors, together with all of the other information included in this annual report on Form 10-K, including our consolidated financial statements and the related notes thereto, before you decide whether to make an investment in our securities. The risks set out below are not the only risks we face. Additional risks and uncertainties not currently known to us or that we currently deem to be immaterial also may materially adversely affect our business, financial condition and/or operating results. If any of the following events occur, our business, financial condition and results of operations could be materially adversely affected. In such case, the value of our common stock and the trading price of our securities could decline, and you may lose all or part of your investment.
Risks Related to the Proposed Merger
Uncertainties associated with the Merger with a wholly-owned affiliate of Nuvei Corporation could adversely affect our business, results of operations, stock price and financial condition.
On January 8, 2023, we entered into the Merger Agreement with Nuvei Corporation and the Purchaser, a wholly owned subsidiary of Parent. Pursuant to the Merger Agreement, we will merge with and into the Purchaser, with the Company continuing as the surviving corporation and a wholly-owned subsidiary of Parent. If the Merger is consummated, the Company’s common stock will be delisted from Nasdaq and the duty to file reports will be suspended under Sections 13 and 15(d) of the Exchange Act. In connection with the Merger, on January 24, 2023, the Purchaser commenced the Offer to purchase any and all issued and outstanding shares of the Company’s common stock at a price of $9.75 per share without interest, to the seller in cash, less any applicable withholding taxes, upon the terms and subject to the conditions described in the Offer to Purchase, dated January 24, 2023.
Completion of the Merger is subject to various closing conditions, including, but not limited to, the Purchaser acquiring, pursuant to the Offer, 50% of the total number of shares of our common stock outstanding plus at least one additional share of our common stock (the “Minimum Condition”). There is no guarantee that all closing conditions will be satisfied (or waived, if permitted by the Merger Agreement and applicable law). Many of the conditions to completion of the Merger are not within our control, and we cannot predict when or if these conditions will be satisfied (or waived, if permitted by the Merger Agreement and applicable law). In addition, the Merger may fail to close for other reasons.
The announcement and pendency of the Merger, as well as any delays in the expected timeframe, could cause disruption in and create uncertainties, which could have an adverse effect on our business, results of operations, stock price and financial condition, regardless of whether the Merger is completed, and could cause us not to realize some or all of the benefits that we expect to achieve if the Merger is successfully completed within its expected timeframe. These risks include, but are not limited to:
• an adverse effect on our relationship with vendors, customers, and employees, including if our vendors, customers or others attempt to negotiate changes in existing business relationships, consider entering into business relationships with parties other than us, delay or defer decisions concerning their business with us, or terminate their existing business relationships with us during the pendency of the Merger;
• a diversion of a significant amount of management time and resources towards the completion of the Merger;
• being subject to certain restrictions on the conduct of our business;
• impacts on the price of our common stock;
• the requirement that we pay a termination fee of approximately $38 million if the Merger Agreement is terminated under certain circumstances;
• developments beyond our control, including, but not limited to, changes in domestic or global economic conditions that may affect the timing or success of the Merger;
• stockholder litigation that could prevent or delay the Merger or otherwise negatively impact our business and operations;
• possibly foregoing certain business opportunities that we might otherwise pursue absent the pending Merger; and
• difficulties attracting and retaining key employees.
Failure to complete the Merger could adversely affect our business and the market price of our shares of common stock.
The closing of the Merger may not occur on the expected timeline or at all. The Merger Agreement contains customary termination provisions for both the Company and Parent, and provides that, in connection with the termination of the Merger Agreement under specified circumstances, including termination by the Company to accept and enter into an agreement with respect to a Superior Proposal (as defined in the Merger Agreement), the Company will pay Parent a termination fee of approximately $38 million. If Paya is required to pay this termination fee, such fee, together with costs incurred to execute the Merger Agreement and pursue the Merger, could have a material adverse effect on Paya’s financial condition and results of operations.
If the Merger Agreement is terminated and the Merger is not consummated, the price of our common stock may decline and you may not recover your investment or receive a price for your shares similar to what has been offered pursuant to the Merger. In addition, the price of our common stock has in the past and may continue to fluctuate substantially in the event that the Merger is not consummated. Factors affecting the trading price of our common stock may include:
•actual or anticipated fluctuations in our quarterly financial results or the quarterly financial results of companies perceived to be similar to us;
•changes in the market’s expectations about our operating results;
•success of competitors;
•our operating results failing to meet market expectations in a particular period;
•changes in financial estimates and recommendations by securities analysts concerning us or the payments industry and market in general;
•operating and stock price performance of other companies that investors deem comparable to us;
•our ability to market new and enhanced products on a timely basis;
•changes in laws and regulations affecting our business;
•commencement of, or involvement in, litigation involving us;
•changes in our capital structure, such as future issuances of securities or the incurrence of additional debt;
•the volume of shares of common stock available for public sale;
•any significant change in our board or management;
•sales of substantial amounts of common stock by our directors, executive officers or significant stockholders or the perception that such sales could occur; and
•general economic and political conditions such as recessions, interest rates, fuel prices, international currency fluctuations and acts of war or terrorism.
Broad market and industry factors may depress the market price of our common stock irrespective of our operating performance. The stock market in general and Nasdaq have experienced price and volume fluctuations that have often been unrelated or disproportionate to the operating performance of the particular companies affected. The trading prices and valuations of these stocks, and of our common stock, may not be predictable. A loss of investor confidence in the market for financial technology stocks or the stocks of other companies which investors perceive to be similar to us could depress our stock price regardless of our business, prospects, financial conditions or results of operations. A decline in the market price of our common stock also could adversely affect our ability to issue additional securities and our ability to obtain additional financing in the future.
The Merger Agreement contains provisions that limit our ability to pursue alternatives to the Merger.
Under the Merger Agreement, we are restricted from soliciting, initiating, proposing or inducing the making, submission or announcement of, or knowingly encouraging, facilitating or assisting alternative acquisition proposals from third parties and/or providing non-public information to third parties in response to any inquiries regarding, or the submission of any proposal or offer that constitutes, or could reasonably be expected to lead to, any Acquisition Proposal (as defined in the Merger Agreement). These provisions could discourage a third party that may have an interest in acquiring all or a significant part of our business from considering or proposing that acquisition, even if such third party were prepared to pay consideration with a higher value than the value of the consideration in the Merger.
We are subject to certain restrictions on the conduct of our business under the terms of the Merger Agreement.
Under the terms of the Merger Agreement, we have agreed to certain restrictions on the operations of our business. We have agreed to limit the conduct of our business to those actions undertaken in the ordinary course of business and to refrain from, among other things, subject to certain specified exceptions (as set forth in the Merger Agreement): incurring debt; entering into, adopting, amending, modifying or terminating any employee plans; increasing the compensation of any director, officer, employee or independent contractor, or hiring or terminating certain employees (other than for “cause”); settling certain pending or threatened legal proceedings; changing our methods, procedures, principles or practices of financial accounting; and incurring certain capital expenditures. Because of these restrictions, we may be prevented from undertaking certain actions with respect to the conduct of our business that we might otherwise have taken if not for the Merger Agreement. Such restrictions could prevent us from pursuing certain business opportunities that arise prior to the effective time of the Merger and are outside the ordinary course of business, and could otherwise adversely affect our business and operations prior to completion of the Merger.
Legal proceedings have been commenced against us, our Board of Directors and Nuvei Corporation relating to the Offer and the Merger, which could adversely affect our business, financial condition and operating results.
Legal proceedings relating to the Offer and the Merger have been commenced against the Company, the Company's Board of Directors and Nuvei Corporation. Such litigation is common in connection with acquisitions of public companies, regardless of any merits related to the underlying acquisition. The outcome of any proceedings filed against the Company is uncertain, and we may not be successful in defending against any such claims. While we are defending against the proceedings commenced against the Company, the Company's Board of Directors and Nuvei Corporation in connection with the Offer and the Merger, the costs of the defense of such actions and other effects of such litigation could have an adverse effect on our business, financial condition and operating results. See Part I, Item 3, Legal Proceedings in this Annual Report for a description of these proceedings.
Risks Relating to Our Business and Operations
Our results could be adversely affected by continued economic uncertainty, an economic slowdown or a recession.
The electronic payments industry depends heavily on the overall level of consumer, commercial and government spending. We are exposed to general economic conditions that affect consumer confidence, consumer spending, consumer discretionary income and changes in consumer purchasing habits. Periods of a slowing economy or recession, or periods of economic uncertainty, have historically been accompanied by a decrease in consumer spending and have negatively impacted our business. In 2022, in response to record levels of inflation, the Federal Reserve raised the federal funds rate and signaled it will continue to increase rates during 2023, with no reductions expected until 2024. Further increases in rates could adversely affect our financial performance by reducing the aggregate dollar volume of transactions made using electronic payments. If our merchants make fewer sales of their products and services using electronic payments, or consumers spend less money through electronic payments, we will have fewer transactions to process at lower dollar amounts, resulting in lower revenue. In addition, as a result of increased interest rates, our interest expense on the $250 million senior secured term loan facility (the "Term Loan") increased in 2022. We utilize derivative instruments to manage risk from fluctuations in interest rates on our Term Loan. As a result, to date, the effects of rising interest rates on our results of operations and financial condition have not been significant. However, there can be no assurance that our interest rates will not continue to increase and that we will be able to mitigate such increases in the future.
In addition, sustained deterioration in general economic conditions or a weakening in the economy could force merchants to close at higher than historical rates, resulting in exposure to potential losses and a decline in the number of transactions that we process. We also have material fixed and semi-fixed costs, including rent, debt service, contractual minimums, and salaries, which could limit our ability to quickly adjust costs and respond to changes in our business and the economy. Furthermore, our ability to generate revenues in specific markets is directly affected by local and regional conditions, and unfavorable regional economic or political conditions, such as those resulting from Russia's invasion of Ukraine. The war in Ukraine has given rise to potential global security issues that may adversely affect international business and economic conditions as well as economic sanctions imposed by the international community that have impacted the global economy. Certain of our customers may be negatively impacted by these events.
A severe or prolonged economic downturn, including a recession or depression, could impact our business, including our revenues and our ability to raise additional capital when needed on favorable terms or at all. We cannot anticipate the impact of the current economic environment on our business and any of the foregoing could materially harm our business. Nevertheless, if economic conditions worsen or a recession occurs, our business, operations and financial results could be materially adversely affected.
A substantial portion of our merchants are middle market businesses, which may increase the impact of economic fluctuations and merchant attrition on us.
We market and sell our solutions to middle market merchants. Middle market merchants are typically more susceptible to the adverse effects of economic fluctuations than larger businesses. We experience attrition in merchants and merchant charge volume in the ordinary course of business resulting from several factors, including business closures, transfers of merchants’ accounts to our competitors and account closures that we initiate due to heightened credit risks relating to, or contract breaches by, a merchant. Adverse changes in the economic environment or business failures of our middle market merchants may have a greater impact on us than on our competitors who do not focus on middle market merchants to the extent that we do. We cannot accurately predict the level of middle market merchant attrition if economic conditions worsen or a recession occurs. If we are unable to establish accounts with new merchants or otherwise increase our payment processing volume to counter the effect of this attrition, our revenues will decline.
The COVID-19 global pandemic has had, and may continue to have, a material adverse effect on our business and results of operations.
Our business could be adversely affected by the effects of health pandemics or epidemics, including the ongoing COVID-19 global pandemic, the evolution of which continues to be uncertain. In 2020 and 2021, many of our customers experienced a decline in transaction volumes as a result of the COVID-19 pandemic compared to pre-pandemic levels. However, given many of our customers leverage our payment technology to accept transactions in a card-not-present environment, their business operations were not impacted dramatically. Further, most of our recurring or contractual transactions are B2B and not tied to consumer discretionary spend and, as such, were not significantly impacted. However, recurring COVID-19 outbreaks around the world, such as those most recently occurring in China following the suspension of China's zero-COVID policy, have heightened concerns relating to new and potentially more dangerous virus variants, which, if transmitted around the globe, could lead to the re-introduction of precautionary measures similar to, or more strict than, those imposed at the height of the pandemic. A resurgence of COVID-19 or another pandemic or epidemic may reinstate shelter-in-place and social distancing policies, as well as broader economic decline, that can have a material impact on our results of operations. As the COVID-19 pandemic continues to evolve, its ultimate impact on our business is subject to change. A severe outbreak of COVID-19 or another pandemic or epidemic can disrupt our business and materially and adversely impact our financial results.
The payment processing industry is highly competitive and such competition is likely to increase, which may adversely influence the prices we can charge to merchants for our services and the compensation we must pay to our distribution partners, and as a result, our profit margins.
The payment processing industry is highly competitive. We primarily compete in the middle market merchant industry. Competition has continued to increase recently as other providers of payment processing services have established a sizable market share in the middle market. Our primary competitors for middle market merchants include financial institutions and their affiliates and well-established payment processing companies that target middle market merchants directly and through third parties, including REPAY, i3 Verticals, Stripe, and the acquiring arms of FIS, FISERV, and Global Payments. We also compete with many of these same entities for distribution partners. Many of our distribution partners are not exclusive to us but also have relationships with our competitors, such that we must continually expend resources to maintain those distribution partner relationships. Our growth depends on our ability to increase our market share through successful competitive efforts to gain new merchants and distribution partners.
In addition, many financial institutions, subsidiaries of financial institutions or well-established payment processing companies with which we compete, have substantially greater capital, technological, and marketing resources than we have. These factors may allow our competitors to offer better pricing terms to merchants and more attractive compensation to distribution partners, which could result in a loss of our potential or current merchants and distribution partners. This competition may effectively limit the prices we can charge our merchants, cause us to increase the compensation we pay to our distribution partners and require us to control costs aggressively to maintain acceptable profit margins. Our future competitors may also develop or offer services that have price or other advantages over the services we provide.
We are also facing new competition from emerging and non-traditional payment processing companies as well as traditional companies offering alternative electronic payments services and products. Certain of these competitors integrate proprietary software and service solutions with electronic payments services and have significant financial resources and robust networks that could allow them to have access to merchants needing electronic payments services. If these new entrants gain a greater share of total electronic payments transactions, they could impact our ability to retain and grow our relationships with merchants and distribution partners. These new entrants also may compete in ways that minimize or remove the role of traditional payment gateways in the electronic payments process upon which our services are based, which could also limit our ability to retain or grow those relationships. The wide acceptance of internet-based commerce has resulted in a number of alternative payment processing systems in which traditional intermediaries play only minor roles. Use of emerging alternative payment platforms, such as Apple Pay, PayPal, Stripe, Square, Bitcoin or other cryptocurrencies can alter consumer card, ACH and check payment processing behavior and consequently result in our products and services becoming unnecessary for merchants and partners. Wide acceptance of alternative payments methods could have a material adverse impact on our business.
Consolidation among financial institutions, including the merger of our customers with other entities that are not our customers could materially affect our financial position, results of operation and cash flows.
Consolidation among financial institutions, particularly in the area of credit card operations, and consolidation in the retail industry, is a risk that could negatively affect our existing agreements and future revenues with our merchants and partners. Continued consolidation among financial institutions could increase the bargaining power of our current and future customers and further increase our customer concentration. Consolidation among financial institutions and retail customers and the resulting loss of any significant number of customers by us could have a material adverse effect on our financial position, results of operations and cash flows.
Degradation of the quality of the products and services we offer, including support services, could adversely impact our ability to attract and retain merchants and partners.
Our merchants and partners expect a consistent level of quality in the provision of our products and services, which are a significant element of the value proposition we offer to them. If the reliability or functionality of our products and services is compromised or the quality or support of such products and services is otherwise degraded, we could lose existing merchants and partners and find it harder to attract new merchants and partners. If we are unable to scale our support functions to address the growth of our merchant portfolio and partner network, the quality of our support may decrease, which could also adversely affect our ability to attract and retain merchants and partners.
Failing to successfully implement initiatives to grow or improve our products and services could also adversely impact our business. While we offer redundant back-up capabilities inside of our data center environments, we still have site-specific risk related to physical or communication network-based outages. Additionally, we rely on AWS and Azure to operate certain aspects of our service, including providing a distributed computing infrastructure platform for business operations, or what is commonly referred to as a “cloud” computing service. While we continue building out full redundancy to prevent downtime in the case of an outage, we currently may encounter disruptions or interference in connection with our use of AWS and Azure. This could have an impact on our operations, and consequently our business would be adversely impacted if our partners and merchants leave due to downtime or disruption.
Potential distribution partners and merchants may be reluctant to switch to a new merchant acquirer, which may adversely affect our growth.
Many potential distribution partners and merchants worry about potential disadvantages associated with switching payment providers, such as a loss of accustomed functionality, increased costs, and business disruption. For distribution partners, switching to us from another payment provider or integrating with us may constitute a significant undertaking. As a result, many distribution partners and merchants often resist change. There can be no assurance that our strategies for overcoming potential reluctance to change vendors or initiate a relationship with us will be successful, and this resistance may adversely affect our growth and performance results.
Increases in card network fees and other changes to fee arrangements may result in the loss of merchants or a reduction in our earnings.
From time to time, card networks, including Visa and Mastercard, increase the fees that they charge merchant service providers. At their sole discretion, our sponsoring banks have the right to pass any increases in interchange fees on to us. Our sponsoring banks may seek to increase the sponsorship fees they charge us, all of which are based upon the dollar amount of the payment transactions we process. In addition, our back-end payment processors may seek to increase the fees they charge us, which are also based upon the floor amount of the payment transactions we process as well as the number of merchants we support. We could attempt to pass these increases along to our merchants, but this strategy might result in the loss of merchants to our competitors who do not pass along the increases. If competitive practices prevent us from passing along the higher fees to our merchants in the future, we may have to absorb all or a portion of such increases, which may increase our operating costs and reduce our earnings. In addition, in certain of our markets, card issuers pay merchant acquirers fees based on debit card usage in an effort to encourage debit card use. If this practice were discontinued, our revenue and margins in jurisdictions where we receive these fees would be adversely affected.
If we fail to comply with the applicable requirements of card networks and industry self-regulatory organizations, those card networks or organizations could seek to fine us, suspend us, or terminate our registrations through our bank sponsors. If our merchants or sales partners incur fines or penalties that we cannot collect from them, we may have to bear the cost of such fines or penalties.
We do not directly access the payment card networks, such as Visa, Mastercard and Discover, which enable our acceptance of credit cards and debit cards. Instead, we rely on sponsor banks and third-party processors to access such networks and settle transactions, and we must pay fees for such services.
Visa, Mastercard and other card networks set complex and evolving rules and standards with which our sponsor banks, third-party processors and we must comply. The payment networks and their member financial institutions routinely update, generally expand and modify requirements applicable to merchant acquirers, including rules regulating data integrity, third-party relationships (such as those with respect to sponsor banks and ISOs), merchant chargeback standards and PCI-DSS. Under certain circumstances, we are required to report incidents to the card networks within a specified time frame.
The rules of card networks are set by their boards, which include members that are card issuers that directly or indirectly sell processing services to merchants in competition with us. There is a risk that these members could use their influence to enact changes to the card network rules or policies that are detrimental to us. Any changes in network rules or standards that increase the cost of doing business or limit our ability to provide processing services to our merchants will adversely affect the operation of our business.
If we, our bank sponsors or our third-party processors fail to comply with the applicable rules and requirements of the Visa or Mastercard payment networks, Visa or Mastercard could suspend or terminate our registration. Further, our transaction processing capabilities, including settlement processes, could be delayed or otherwise disrupted, and recurring non-compliance could result in the payment networks seeking to fine us, or suspend or terminate our registrations which allow us to process transactions on their networks, making it impossible for us to conduct our business on its current scale. Under certain circumstances specified in the payment network rules, we may be required to submit to periodic audits, self-assessments, or other assessments of our compliance with the PCI-DSS. Such activities may reveal that we have failed to comply with the PCI-DSS. In addition, even if we comply with the PCI-DSS, there is no assurance that we will be protected from a security breach.
The termination of our registration with the payment networks, or any changes in payment network or issuer rules that limit our ability to provide merchant acquiring services, could have an adverse effect on our payment processing volumes, revenues and operating costs. If we are unable to comply with the requirements applicable to our settlement activities, the payment networks may no longer allow us to provide these services, which would require us to spend additional resources to obtain settlement services from a third-party provider. In addition, if we were precluded from processing Visa and Mastercard electronic payments, we would lose a substantial portion of our revenues.
In addition, if a merchant or sales partner fails to comply with the applicable requirements of the card networks, it could be subject to a variety of fines or penalties that may be levied by those card networks. We may have to bear the cost of such fines or penalties if we are unable to collect them from the applicable merchant or sales partner. The termination of our member registration, any change in our status as a service provider or merchant processor, or any changes in network rules or standards could prevent us from providing processing services relating to the affected card network and could adversely affect our business, financial condition, or results of operations.
We are also subject to the operating rules of NACHA. NACHA is a self-regulatory organization which administers and facilitates private-sector operating rules for ACH payments and defines the roles and responsibilities of financial institutions and other ACH network participants. The NACHA Rules and Operating Guidelines impose obligations on us and our partner financial institutions. These obligations include audit and oversight by the financial institutions and the imposition of mandatory corrective action, including termination, for serious violations. If an audit or self-assessment under PCI-DSS or NACHA identifies any deficiencies that we need to remediate, the remediation efforts may distract our management team and be expensive and time consuming.
Similarly, our ACH sponsor banks have the right to audit our compliance with NACHA’s rules and guidelines and are given wide discretion to approve certain aspects of our business practices and terms of our agreements with ACH customers. Like the payment networks, NACHA may update its operating rules and guidelines at any time, which could require us to take more costly compliance measures or to develop more complex monitoring systems.
There may be a decline in the use of electronic payments as a payment mechanism for consumers or adverse developments with respect to the electronic payments industry in general, which could adversely affect our business, financial condition, and operating results.
Maintaining or increasing our profitability is dependent on consumers and businesses continuing to use credit cards, debit cards and make ACH payments at the same or increasing rate. If consumers do not continue to use these cards or methods of payment for their transactions or if there is a change in the mix of payments between cash and electronic payments which is adverse to us, our profits could decline and we could incur material losses. Regulatory changes may also result in merchants seeking to charge customers additional fees for use of electronic payments which may discourage their use. Additionally, in recent years, increased incidents of security breaches have caused some consumers to lose confidence in the ability of businesses to protect or store their information, causing consumers to discontinue use of electronic payment methods. Security breaches could also result in financial institutions cancelling large numbers of credit and debit cards, or consumers electing to cancel their cards following such an incident. These events could result in reduced use of electronic payments, and therefore, could adversely affect our business, financial condition and operating results.
In order to remain competitive and to continue to increase our revenues and earnings, we must continually update our products and services, a process which could result in increased costs and the loss of revenues, earnings, merchants and distribution partners if the new products and services do not perform as intended or are not accepted in the marketplace.
The electronic payments industry in which we compete is subject to rapid technological changes and is characterized by new technology, product and service introductions, evolving industry standards, regulatory compliance, changing merchant needs and the entrance of non-traditional competitors. We are subject to the risk that our existing products and services become obsolete, and that we are unable to develop new products and services in response to industry demands. Our future success will depend in part on our ability to develop or adapt to technological changes and evolving industry trends. We are continually involved in a number of projects, many of which require investment in non-revenue generating products or services that our distribution partners and merchants expect to be included in our product and service offerings. These projects carry the risks associated with any development effort, including difficulty in determining market demand and timing for delivery of new products and services, cost overruns, delays in delivery and performance problems.
In addition, new products and offerings may not perform as intended or generate the business or revenue growth expected. Defects in our software and errors or delays in our processing of electronic transactions could result in additional development costs, diversion of technical and other resources from our other development efforts, loss of credibility with current or potential distribution partners and merchants, harm to our reputation, fines imposed by card networks, or exposure to liability claims. Any delay in the delivery of new products or services or the failure to differentiate our products and services could render them less desirable, or possibly even obsolete, to our merchants. Additionally, the market for alternative payment processing products and services is evolving, and it may develop too rapidly or not rapidly enough for us to recover the costs we have incurred in developing new products and services.
We may not be able to continue to expand our share of our existing vertical markets or expand into new vertical markets, which would inhibit our ability to grow and increase our profitability.
Our future growth and profitability depend, in part, upon our continued expansion within the vertical markets in which we currently operate, the emergence of other vertical markets for electronic payments and our integrated solutions, and our ability to penetrate new vertical markets and our current distribution partners’ customer base. As part of our strategy to expand into new vertical markets, we look for acquisition opportunities and partnerships with other businesses that will allow us to increase our market penetration, technological capabilities, product offerings and distribution capabilities. We may not be able to successfully identify suitable acquisition or partnership candidates in the future, and if we do, they may not provide us with the benefits we anticipated.
Our expansion into new vertical markets also depends upon our ability to adapt our existing technology or to develop new technologies to meet the particular needs of each new vertical market. We may not have adequate financial or technological resources to develop effective and secure services or distribution channels that will satisfy the demands of these new vertical markets. Penetrating these new vertical markets may also prove to be more challenging or costly or take longer than we may anticipate. If we fail to expand into new vertical markets and increase our penetration into existing vertical markets, we may not be able to continue to grow our revenues and earnings.
Our ability to grow our business will depend in part on the addition of new partners. Inability to effectively onboard these new partners could have a material adverse effect on our business, financial condition and results of operations.
Our ability to grow our business will depend in part on the addition of new partners, and an inability to effectively onboard these new partners could have a material adverse effect on our business, financial condition and results of operations. We may encounter delays onboarding partners due to economic uncertainty, an economic slowdown or a recession, risks related to the Merger, the continuing effects of COVID-19, issues integrating the partner into Paya Connect, or other unforeseen circumstances. If we do not effectively onboard our new partners, including assisting such partners to quickly resolve any post-onboarding issues and provide effective ongoing support, our reputation could be damaged and our ability to add new partners and our relationships with our existing partners could be adversely affected. Additionally, if we fail to onboard these partners in a timely manner, it could lead to delays in collecting revenues that we may otherwise receive, causing our financial condition and results of operations to be adversely affected.
We may not be able to successfully execute our strategy of growth through acquisitions.
A significant part of our growth strategy is to enter new vertical markets through platform acquisitions of vertically focused integrated payment and software solutions providers and to expand within our existing vertical markets through selective tuck-in acquisitions. Under the terms of the Merger Agreement, from its execution until the Merger is consummated or the Merger Agreement is terminated, without the consent of Parent, we may not acquire any other business, any material equity interest or enter into any joint venture, partnership, strategic alliance, limited liability company or similar arrangement with any third person, other than acquisitions of immaterial assets from vendors or suppliers under contracts in existence as of the date of the Merger Agreement in the ordinary course of business.
If the Merger is not consummated, we expect to continue to execute our acquisition strategy, however:
• we may not be able to identify suitable acquisition candidates or acquire additional assets on favorable terms;
• we may compete with others to acquire assets, which, as competition increases, could result in decreased availability or increased prices for acquisition candidates;
• we may compete with others for select acquisitions and our competition may consist of larger, better-funded organizations with more resources and easier access to capital;
• we may experience difficulty in anticipating the timing and availability of acquisition candidates;
• we may not be able to obtain the necessary financing, on favorable terms or at all, to finance any of our potential acquisitions;
• we may not be able to generate the cash necessary to execute our acquisition strategy; and
• we may be unable to maintain uniform standards, controls, procedures, and policies as we attempt to integrate the acquired businesses, and this may lead to operational inefficiencies.
The occurrence of any of these factors could adversely affect our growth strategy.
Fraud by merchants or others could cause us to incur losses.
We face potential liability for fraudulent electronic payment transactions initiated by merchants or others. Merchant fraud occurs when a merchant opens a fraudulent merchant account and conducts fraudulent transactions or when a merchant, rather than a customer (though sometimes working in collusion with a customer engaged in fraudulent activities), knowingly uses a stolen or counterfeit card or card number to record a false sales transaction, or intentionally fails to deliver the merchandise or services sold in an otherwise valid transaction. Any time a merchant is unable to fund a chargeback, we are responsible for that chargeback.
Additionally, merchant fraud occurs when employees of merchants change the merchant demand deposit accounts to their personal bank account numbers, so that payments are improperly credited to the employee’s personal account. We have established systems and procedures to detect and reduce the impact of merchant fraud, but we cannot be sure that these measures are or will be effective. Failure to effectively manage risk and prevent fraud could increase our chargeback or other liability. In addition, beginning in October 2015, U.S. merchants that cannot process the Eurocard, Mastercard, and Visa standard ("EMV"), chip-based cards are held financially responsible for certain fraudulent transactions conducted using such cards. This has increased the risk to merchants who are not yet EMV-compliant and shifted a substantial amount of fraud to card-not-present transactions, which is the primary environment in which we operate. This increased risk and the shift to card-not-present fraud has resulted in us having to seek increased chargebacks from such merchants. Increases in chargebacks, failure to recover fraud-related losses from our merchants that have not yet complied with EMV standards or other liability could have a material adverse effect on our business, financial condition, and results of operations.
We also have potential liability for losses caused by fraudulent card-based payment transactions. Card fraud occurs when a merchant’s customer uses a stolen card (or a stolen card number in a card-not-present transaction) to purchase merchandise or services. In a card-present transaction, if the merchant swipes or dips the card, receives authorization for the transaction from the issuer and verifies the signature on the back of the card against the paper receipt signed by the customer, the issuer remains liable for any loss. In a card-not-present transaction, even if the merchant receives authorization for the transaction, the merchant is liable for any loss arising from the transaction. Many of the merchants that we serve transact a substantial percentage of their sales in card-not-present transactions over the Internet or in response to telephone or mail orders, which makes these merchants more vulnerable to fraud than merchants whose transactions are conducted largely in card-present transactions.
Criminals are using increasingly sophisticated methods to engage in illegal activities such as counterfeiting and fraud. For example, bust-out fraud is a first-party fraud scheme where legitimate business credentials are combined with legitimate personal identity credentials and used to open a merchant account. After a period of either no processing or normal processing activity, typically ranging from four to 12 months, and processing minimal volume, the criminal quickly processes a substantial volume from fraudulent cards, receives the corresponding deposits and exits before chargebacks or returns are assessed. Incidents and types of fraud and counterfeiting may increase in the future. Failure to effectively identify and manage risk and prevent fraud could increase our chargeback liability or cause us to incur other liabilities.
We incur liability when our merchants refuse or cannot reimburse us for chargebacks resolved in favor of their customers.
We have potential liability for chargebacks associated with the transactions we process. If a billing dispute between a merchant and a cardholder is not ultimately resolved in favor of the merchant, the disputed transaction is “charged back” to the merchant’s bank and credited or otherwise refunded to the cardholder. The risk of chargebacks is typically greater with those merchants that promise future delivery of goods and services rather than delivering goods or rendering services at the time of payment. If we or our bank sponsors are unable to collect the chargeback from the merchant’s account or reserve account (if applicable), or if the merchant refuses or is financially unable (due to bankruptcy or other reasons) to reimburse the merchant’s bank for the chargeback, we may bear the loss for the amount of the refund paid to the cardholder. Any increase in chargebacks not paid by our merchants could increase our costs and decrease our revenues. Additionally, an ACH transaction could be rejected in certain situations, including instances where we attempt to pull fees out of a bank account with insufficient funds, where an account has been closed, or where the account number is invalid. If an ACH reject occurs, we may bear the loss for the amount not pulled from the applicable account, which could increase our costs and decrease our revenues.
Our risk management policies and procedures may not be fully effective in mitigating our risk exposure in all market environments or against all types of risks.
We operate in a rapidly changing industry. Accordingly, our risk management policies and procedures may not be fully effective to identify, monitor, manage and remediate our risks. Some of our risk evaluation methods depend upon information provided by others and public information regarding markets, merchants or other matters that are otherwise inaccessible by us. In some cases, that information may not be accurate, complete, or current. Additionally, our risk detection system is subject to a high degree of “false positive” risks being detected, which makes it difficult for us to identify real risks in a timely manner. If our policies and procedures are not fully effective or we are not always successful in capturing all risks to which we are or may be exposed, we may suffer harm to our reputation or be subject to litigation or regulatory actions that materially increase our costs and subject us to reputational damage that could limit our ability to grow and cause us to lose existing merchant clients.
The loss of key personnel or of our ability to attract, recruit, retain and develop qualified employees could adversely affect our business, financial condition, and results of operations.
Our success depends upon the continued services of our senior management and other key personnel who have substantial experience in the electronic payments industry and the markets in which we offer our services. Our ability to recruit and retain our senior management, key personnel, and other skilled employees may be affected as a result of the announcement of the Merger. In addition, our success depends in large part upon the reputation within the industry of our senior managers who have developed relationships with our distribution partners, payment networks and other payment processing and service providers. Further, for us to continue to successfully compete and grow, we must attract, recruit, develop and retain personnel who will provide us with expertise across the entire spectrum of our intellectual capital needs. Our success is also dependent on the skill and experience of our sales force, which we must continuously work to maintain. While we have key personnel who have substantial experience with our operations, we must also develop our personnel to provide succession plans capable of maintaining the continuity of our operations. The market for qualified personnel is competitive, and we may not succeed in recruiting additional personnel or may fail to effectively replace current personnel who depart with qualified or effective successors, including as a result of the announcement of the Merger. In addition, a sustained labor shortage or increased turnover rates within our employee base could lead to increased costs and could otherwise degrade our ability to efficiently operate our business.
Failure to retain or attract key personnel, including as a result of the announcement of the Merger, could impede our ability to grow and could result in our inability to operate our business profitably. In addition, contractual obligations related to confidentiality, assignment of intellectual property rights, and non-solicitation may be ineffective or unenforceable and departing employees may share our proprietary information with competitors in ways that could adversely impact us, or seek to solicit our distribution partners or merchants or recruit our key personnel to competing businesses.
Risks Relating to Intellectual Property and Information Technology
Unauthorized disclosure of merchant or cardholder data, whether through breach of our computer systems, computer viruses, or otherwise, could expose us to liability, protracted and costly litigation and damage our reputation.
We are responsible for data security for ourselves and for third parties with whom we partner and under the rules and regulations established by the payment networks, such as Visa, MasterCard, Discover and American Express, and debit card networks and by industry regulations and standards that may be promulgated by organizations such as NACHA, which manages the governance of the ACH network. These third parties include merchants, our distribution partners and other third-party service providers and agents. We and other third parties collect, process, store and/or transmit sensitive data, such as names, addresses, social security numbers, credit or debit card numbers and expiration dates, driver’s license numbers and bank account numbers. We have ultimate liability to the payment networks and our bank that sponsors our registration with Visa or MasterCard for our failure or the failure of third parties with whom we contract to protect this data in accordance with PCI-DSS and network requirements. The loss, destruction or unauthorized modification of merchant or cardholder data by us or our contracted third parties could result in significant fines, sanctions and proceedings or actions against us by the payment networks, card issuing banks, governmental entities, consumers, or others.
Threats may derive from human error, fraud, or malice on the part of employees or third parties, or from accidental technological failure. For example, certain of our employees have access to sensitive data that could be used to commit identity theft or fraud. Concerns about security increase when we transmit information electronically because such transmissions can be subject to attack, interception, or loss. Also, computer viruses can be distributed and spread rapidly over the Internet and could infiltrate our systems or those of our contracted third parties. Denial of service or other attacks could be launched against us for a variety of purposes, including interfering with our services or to create a diversion for other malicious activities. These types of actions and attacks and others could disrupt our delivery of services or make them unavailable. Any such actions or attacks against us or our contracted third parties could impugn our reputation, force us to incur significant expenses in remediating the resulting impacts, expose us to uninsured liability, result in the loss of our bank sponsors or our ability to participate in the payment networks, subject us to lawsuits, fines or sanctions, distract our management or increase our costs of doing business.
We and our contracted third parties could be subject to security breaches, cyber-attacks or cyber intrusions or disruptions by hackers, nation-state affiliated actions, and cyber-terrorists. Security breaches, cyber-attacks and cyber intrusions have generally increased as the number, intensity and sophistication of attempted attacks and intrusions from around the world have increased. Our encryption of data and other protective measures may not prevent unauthorized access to or use of sensitive data. A breach of a system may subject us to material losses or liability, including payment network fines, assessments and claims for unauthorized purchases with misappropriated credit, debit or card information, impersonation, or other similar fraud claims. A misuse of such data or a cybersecurity breach could harm our reputation and deter merchants from using electronic payments generally and our services specifically, thus reducing our revenue. In addition, any such misuse or breach could cause us to incur costs to correct the breaches or failures, expose us to uninsured liability, increase our risk of regulatory scrutiny, subject us to lawsuits, and result in the imposition of material penalties and fines under state and federal laws or by the payment networks. While we maintain insurance coverage that may, subject to policy terms and conditions, cover certain aspects of cyber risks, our insurance coverage may be insufficient to cover all losses. In addition, a significant cybersecurity breach of our systems or communications could result in payment networks prohibiting us from processing transactions on their networks or the loss of our bank sponsors that facilitate our participation in the payment networks, either of which could materially impede our ability to conduct business.
Although we generally require that our agreements with distribution partners or our service providers which may have access to merchant or cardholder data include confidentiality obligations that restrict these parties from using or disclosing any merchant or cardholder data except as necessary to perform their services under the applicable agreements, we cannot guarantee that these contractual measures will prevent the unauthorized use, modification, destruction or disclosure of data or allow us to seek reimbursement from the contracted party. In addition, many of our merchants are middle market businesses that may have limited competency regarding data security and handling requirements and thus may experience data breaches. Any unauthorized use, modification, destruction, or disclosure of data could result in protracted and costly litigation, and our incurring significant losses.
In addition, our agreements with our bank sponsors and our third-party payment processors (as well as payment network requirements) require us to take certain protective measures to ensure the confidentiality of merchant and consumer data. Any failure to adequately comply with these protective measures could result in fees, penalties, litigation, or termination of our bank sponsor agreements.
Cybersecurity has become a top priority for regulators around the world, and some jurisdictions have enacted laws requiring companies to notify individuals of data security breaches involving certain types of personal data. In February 2018, the SEC issued guidance stating that public companies are expected to have controls and procedures that relate to cybersecurity disclosure, and are required under the federal securities laws to disclose information relating to certain cyber-attacks or other information security breaches. In March 2022, the SEC proposed new cybersecurity disclosure requirements intended to increase the transparency of publicly traded organizations' cybersecurity practices, and has placed cybersecurity risk disclosure and compliance requirements on its rule-making agenda for 2023. Therefore, we are anticipating more detailed requirements about the information we may be required to regularly disclose if the Merger is not consummated and we continue to be a public company after rules become effective. If we fail to comply with the relevant laws and regulations relating to cybersecurity, we could suffer financial loss, a disruption of our business, liability to investors, regulatory intervention or reputational damage.
Any significant unauthorized disclosure of sensitive data entrusted to us would cause significant damage to our reputation, and impair our ability to attract new distribution partners, and may cause parties with whom we already have such agreements to terminate them.
We may not be able to successfully manage our intellectual property and may be subject to infringement claims.
We rely on a combination of contractual rights and copyright, trademark and trade secret laws to establish and protect our proprietary technology. Third parties may challenge, circumvent, infringe or misappropriate our intellectual property, or such intellectual property may not be sufficient to permit us to take advantage of current market trends or otherwise to provide competitive advantages, which could result in costly redesign efforts, discontinuance of service offerings or other competitive harm. Others, including our competitors, may independently develop similar technology, duplicate our services or design around our intellectual property and, in such cases, we could not assert our intellectual property rights against such parties. Further, our contractual arrangements may not effectively prevent disclosure of our confidential information or provide an adequate remedy in the event of unauthorized disclosure of our confidential information. We may have to litigate to enforce or determine the scope and enforceability of our intellectual property rights and knowhow, which is expensive, could cause a diversion of resources and may not prove successful. Also, because of the rapid pace of technological change in our industry, aspects of our business and our services rely on technologies developed or licensed by third parties, and we may not be able to obtain or continue to obtain licenses and technologies from these third parties on reasonable terms or at all. The loss of intellectual property protection or the inability to license or otherwise use third-party intellectual property could harm our business and ability to compete.
We may also be subject to costly litigation if our services and technology are alleged to infringe upon or otherwise violate a third party’s proprietary rights. Third parties may have, or may eventually be issued, patents that could be infringed by our products, services, or technology. Any of these third parties could make a claim of infringement against us with respect to our products, services, or technology. We may also be subject to claims by third parties for patent, copyright or trademark infringement, breach of license or violation of other third-party intellectual property rights. Any claim from third parties may result in a limitation on our ability to use the intellectual property subject to these claims. Additionally, in recent years, individuals and groups have been purchasing intellectual property assets for the sole purpose of making claims of infringement or other violations and attempting to extract settlements from companies like ours. Even if we believe that intellectual property related claims are without merit, defending against such claims is time consuming and expensive and could result in the diversion of the time and attention of our management and employees. Claims of intellectual property infringement or violation also might require us to redesign affected products or services, enter into costly settlement or license agreements, pay costly damage awards, or face a temporary or permanent injunction prohibiting us from marketing or selling certain of our products or services. Even if we have an agreement for indemnification against such costs, the indemnifying party, if any in such circumstances, may be unable to uphold its contractual obligations. If we cannot or do not license the infringed technology on reasonable terms or substitute similar technology from another source, our revenue and earnings could be adversely impacted.
Our systems and our third-party providers’ systems may fail due to factors beyond our control, which could interrupt our service, resulting in our inability to process payments, cause us to lose business, increase our costs and expose us to liability.
We depend on the efficient and uninterrupted operation of numerous systems, including our computer network systems, software, data centers and telecommunication networks, as well as the systems and services of our bank sponsors, the payment networks, third-party providers of processing services and other third parties. Our systems and operations or those of our third-party providers, such as our provider of authorization services, or the payment networks themselves, could be exposed to damage or interruption from, among other things, fire, natural disaster, power loss, telecommunications failure, unauthorized entry, computer viruses, denial-of-service attacks, acts of terrorism, human error or sabotage, financial insolvency and similar events. Our property and business interruption insurance may not be adequate to compensate us for all losses or failures that may occur. At present, our systems are not fully redundant. Therefore, certain aspects of our operations may be subject to interruption. While we have disaster recovery policies and arrangements in place, they have not been tested under actual disasters or similar events.
Defects in our systems or those of third parties, errors or delays in the processing of payment transactions, delays or discrepancies in merchant funding and settlement processes, telecommunications failures or other difficulties could result in failure to process transactions, additional operating costs, diversion of technical and other resources, loss of revenue, merchants and distribution partners, loss of merchant and cardholder data, harm to our business or reputation, exposure to fraud losses or other liabilities and fines and other sanctions imposed by payment networks.
We rely on other service and technology providers. If they fail or discontinue providing their services or technology generally or to us specifically, our ability to provide services to merchants may be interrupted, and, as a result, our business, financial condition and results of operations could be adversely impacted.
We rely on third parties to provide or supplement card processing services and for infrastructure hosting services. We also rely on third parties for specific software and hardware used in providing our products and services. The termination by our service or technology providers of their arrangements with us or their failure to perform their services efficiently and effectively may adversely affect our relationships with our merchants and, if we cannot find alternate providers quickly, may cause those merchants to terminate their relationship with us.
We also rely in part on third parties for the development of and access to new technologies, or updates to existing products and services for which third parties provide ongoing support, which increases the cost associated with new and existing product and service offerings. Failure by these third-party providers to devote an appropriate level of attention to our products and services could result in delays in introducing new products or services, or delays in resolving any issues with existing products or services for which third-party providers provide ongoing support.
Risks Relating to Reliance on Third Parties
To acquire and retain a segment of our merchants, we depend in part on distribution partners that may not serve us exclusively and are subject to attrition.
We rely in significant part on the efforts of integrated software vendors and referral partners to market our services to merchants seeking to establish an integrated payment processing relationship. These distribution partners seek to introduce us, as well as our competitors, to newly established and existing middle market merchants. Generally, our agreements with distribution partners (except for a portion of our Integrated Solutions and Payment Services segments) are not exclusive and distribution partners retain the right to refer merchants to other merchant acquirers. Gaining and maintaining loyalty or exclusivity can require financial concessions to maintain current distribution partners and merchants or to attract potential distribution partners and merchants from our competitors. We have been required, and expect to be required in the future, to make concessions when renewing contracts with our distribution partners and such concessions can have a material impact on our financial condition or operating performance. If these distribution partners switch to another merchant acquirer, cease operations, or become insolvent, we will no longer receive new merchant referrals from them and we risk losing existing merchants that were originally enrolled by them. We cannot accurately predict the level of attrition of our distribution partners or merchants in the future, particularly those merchants we acquired as customers in the portfolio acquisitions we have completed in the past three years, which makes it difficult for us to forecast growth. If we are unable to establish relationships with new distribution partners or merchants, or otherwise increase our transaction processing volume to counter the effect of this attrition, our revenues will decline.
If the banks that currently provide ACH and wire transfers fail to properly transmit ACH or terminate their relationship with us or limit our ability to process funds or we are not able to increase our ACH capacity with our existing and new banks, our ability to process funds on behalf of our clients and our financial results and liquidity could be adversely affected.
We currently have agreements with three sponsor banks (Wells Fargo, Fifth Third Bank, and ACCU) to execute ACH and wire transfers to support our processing services. If one or more of the banks fails to process ACH transfers on a timely basis, or at all, then our relationship with our clients could be harmed and we could be subject to claims by a client with respect to the failed transfers. In addition, these banks have no obligation to renew their agreements with us on commercially reasonable terms, if at all. Currently, some agreements with our bank sponsors give them substantial discretion in approving certain aspects of our business practices, including our solicitation, application and qualification procedures for clients and the terms of our agreements with clients. If these banks terminate their relationships with us or restrict the dollar amounts of funds that they will process on behalf of our clients, their doing so may impede our ability to process funds and could have an adverse impact on our financial results and liquidity.
Inability to maintain our strategic relationship with Sage could adversely affect our business.
We have a strategic relationship with Sage Group plc, a global provider of integrated accounting, payroll, and payment solutions, which previously acquired Paya in 2006 and remained a strategic partner after GTCR, LLC acquired us in 2017. As part of this strategic relationship, we offer integration into Sage Intacct, X3, and other Sage products. During 2022, 2021 and 2020, we derived approximately 7.7%, 8.1%, and 8.6%, respectively, of our revenue from this relationship. We depend on Sage to refer new merchants to us and deliver an acceptable level of software functionality and service to our joint customers. There can be no assurance we will realize the expected benefits from this strategic relationship or that it will continue in the future. If successful, this relationship may be mutually beneficial and result in the continued growth in joint customers. However, such a relationship carries an element of risk given the ongoing competition for this customer base. Also, if Sage fails to perform or if the relationship fails to continue as expected, we could suffer reduced sales or other operational difficulties and our business, results of operations and financial condition could be materially adversely affected.
We rely on bank sponsors, which have substantial discretion with respect to certain elements of our business practices, to process electronic payment transactions. If these sponsorships are terminated and we are not able to secure new bank sponsors, we will not be able to conduct our business.
Because we are not a bank, we are not eligible for membership in the Visa, Mastercard, and other payment networks, and are, therefore, unable to directly access these payment networks, which are required to process transactions. These networks’ operating regulations require us to be sponsored by a member bank to process electronic payment transactions. We are currently registered with Visa and Mastercard through BMO Harris and Chesapeake Bank. We are also subject to network operating rules promulgated by NACHA relating to payment transactions processed by us using the ACH Network. For ACH payments, our ACH network is sponsored by Wells Fargo and Fifth Third Bank. The agreements with Wells Fargo and Fifth Third Bank, which automatically renew annually, do not have a fixed termination date but are terminable with written notice. From time to time, we may enter into other sponsorship relationships as well.
The current term of our agreement with BMO Harris lasted through November 1, 2022 and automatically renews for one-year periods unless either party provides the other at least six months’ notice of its intent to terminate. Although we believe our relationships with BMO Harris Bank and Chesapeake Bank are good, there cannot be any guarantee that BMO Harris Bank or Chesapeake Bank will not provide a notice of termination at any time.
Our bank sponsors may terminate their agreements with us if we materially breach the agreements and do not cure the breach within an established cure period, if our membership with Visa and/or Mastercard terminates, if we enter bankruptcy or file for bankruptcy, or if applicable laws or regulations, including Visa and/or Mastercard regulations, change to prevent either the applicable bank or us from performing services under the agreement. If these sponsorships are terminated and we are unable to secure a replacement bank sponsor within the applicable wind down period, we will not be able to process electronic payment transactions.
Although we do not believe that we are substantially dependent on any of these agreements, bank sponsors do have discretion in these agreements and there is a possibility that the termination of a sponsorship could have an adverse impact on our business due to the need to transition services to an alternative provider. If any of these contracts were terminated, we believe we would be able to enter into alternative arrangements, although we may not be able to procure terms of an equal or more advantageous nature. Additionally, each of these agreements has wind down and de-conversion periods, which we believe would allow sufficient time for us to replace any of the aforementioned sponsors during such de-conversion periods. We are unable to predict with any certainty which terms might change in such alternative arrangements.
Furthermore, our agreements with our bank sponsors provide the bank with substantial discretion in approving certain elements of our business practices, including our solicitation, application, and underwriting procedures for merchants. We cannot guarantee that our bank sponsors’ actions under these agreements will not be detrimental to us, nor can we provide assurance that any of our bank sponsors will not terminate their sponsorship of us in the future. Our bank sponsors have broad discretion to impose new business or operational requirements on us, which may materially adversely affect our business. If our sponsorship agreements are terminated and we are unable to secure another bank sponsor, we will not be able to offer Visa or Mastercard transactions or settle transactions which would likely cause us to terminate our operations.
Our bank sponsors also provide or supplement authorization, funding, and settlement services in connection with our bankcard processing services. If our sponsorship agreements are terminated and we are unable to secure another bank sponsor, we will not be able to process Visa and Mastercard transactions, which would have a material adverse effect on our business, financial condition and results of operations.
In July 2018, the Office of the Comptroller of the Currency (“OCC”) announced that it will begin accepting special purpose national bank charter applications from financial technology companies (“FinTech Charter”). Even though the application for FinTech Charters remains controversial, we cannot predict whether or which, if any, of our current or future competitors would take advantage of the charter, if available. However, such a development could increase the competitive risks discussed above or create new competitive risks, such as our nonbank competitors being able to more easily access the payment networks without the requirement of a bank sponsor, which could provide them with a competitive advantage.
Legal and Regulatory Risks
We are subject to extensive government regulation, and any new laws and regulations, industry standards or revisions made to existing laws, regulations or industry standards affecting the electronic payments industry may have an unfavorable impact on our business, financial condition and results of operations.
In addition to those regulations discussed below that are imposed by the card networks, NACHA and PCI-DSS, we are subject to numerous regulations that affect electronic payments, including U.S. financial services regulations, consumer protection laws, escheat regulations, the Family Educational Rights and Privacy Act (“FERPA”), the Protection of Pupil Rights Amendment (“PPRA”), and other privacy and information security regulations. Regulation and proposed regulation of our industry has increased significantly in recent years, with states enacting regulations in areas that have historically only been federally regulated. Changes to statutes, regulations, or industry standards, including interpretation and implementation of statutes, regulations, or standards, could increase our cost of doing business, affect our competitive balance, and significantly increase the difficulty of compliance. Failure to comply with regulations may have an adverse effect on our business, including the limitation, suspension or termination of services provided to, or by, third parties, and the imposition of penalties or fines.
Interchange fees, which are typically paid by the payment processor to the issuer in connection with electronic payments, are subject to increasingly intense legal, regulatory, and legislative scrutiny. In particular, the 2010 Dodd-Frank Wall Street Reform and Consumer Protection Act (the “Dodd-Frank Act”) significantly changed the U.S. financial regulatory system by regulating and limiting debit card fees charged by certain issuers, allowing merchants to set minimum dollar amounts for the acceptance of credit cards and allowing merchants to offer discounts or other incentives for different payment methods.
Rules implementing the Dodd-Frank Act also contain certain prohibitions on payment network exclusivity and merchant routing restrictions. These restrictions could limit the number of debit transactions, and prices charged per transaction, which would negatively affect our business. The Dodd-Frank Act also created the CFPB, which has assumed responsibility for most federal consumer protection laws, and the Financial Stability Oversight Council, which has the authority to determine whether any non-bank financial company, such as us, should be supervised by the Federal Reserve, because it is systemically important to the U.S. financial system. Because we provide data processing and other services to U.S. banks, we are subject to regular oversight and examination by the Federal Financial Institutions Examination Council (the “FFIEC”), which is an inter-agency body of federal banking regulators. Any such designation would result in increased regulatory burdens on our business, which increases our risk profile and may have an adverse impact on our business, financial condition, and results of operations.
We and many of our merchants are subject to Section 5 of the Federal Trade Commission Act prohibiting unfair or deceptive acts or practices. That statement and other laws, rules and/or regulations, including the Telemarketing Sales Act, may directly impact the activities of certain of our merchants and, in some cases, may subject us, as the merchant’s electronic processor or provider of certain services, to investigations, fees, fines and disgorgement of funds if we were deemed to have improperly aided and abetted or otherwise provided the means and instrumentalities to facilitate the illegal or improper activities of the merchant through our services. Various federal and state regulatory enforcement agencies, including the Federal Trade Commission and state attorneys general, have authority to take action against non-banks that engage in unfair or deceptive practices or violate other laws, rules and regulations and to the extent we are processing payments or providing services for a merchant that may be in violation of laws, rules and regulations, we may be subject to enforcement actions and as a result may incur losses and liabilities that may impact our business.
Our business may also be subject to the FCRA, which regulates the use and reporting of consumer credit information and imposes disclosure requirements on entities that take adverse action based on information obtained from credit reporting agencies. We could be liable if our practices under the FCRA are not in compliance with the FCRA or regulations under it.
Separately, the Housing Assistance Tax Act of 2008 included an amendment to the Internal Revenue Code of 1986, as amended (the “Code”), that requires the filing of yearly information returns by payment processing entities and third-party settlement organizations with respect to payments made in settlement of electronic payment transactions and third-party payment network transactions occurring in that calendar year. Reportable transactions are also subject to backup withholding requirements. We could be liable for penalties if our information returns do not comply with these regulations.
These and other laws and regulations, even if not directed at us, may require us to make significant efforts to change our products and services and may require that we incur additional compliance costs and change how we price our services to merchants. Implementing new compliance efforts may be difficult because of the complexity of new regulatory requirements and may cause us to devote significant resources to ensure compliance. Furthermore, regulatory actions may cause changes in business practices by us and other industry participants which could affect how we market, price and distribute our products and services, which could limit our ability to grow, reduce our revenues, or increase our costs. In addition, even an inadvertent failure to comply with laws and regulations, as well as rapidly evolving social expectations of corporate fairness, could damage our business or our reputation.
We may be required to register under the Bank Secrecy Act as a money services business or to become licensed under state money transmission statutes.
We provide payment processing services through our Paya, Inc. subsidiary, including card processing and ACH processing services. We have taken the position that Paya, Inc. is: (i) exempt from the BSA, as Paya is a payment processor and therefore able to avail itself of the payment processor exemption in accordance with guidance from the Financial Crimes Enforcement Network, or FinCEN, including FinCEN Administrative Letter Ruling FIN-2014-R009; and (ii) exempt from licensure under various state money transmission laws, either expressly as a payment processor or agent of the payee, or pursuant to common law as an agent of the payee.
While we believe we have defensible arguments in support of our positions under the BSA and the state money transmission statutes, we have not expressly obtained confirmation of such positions from either FinCEN or the state banking departments who administer the state money transmission statutes. It is possible that FinCEN or certain state banking departments may determine that our activities are not exempt. Any determination that Paya, Inc. is in fact required to be registered either under the BSA or licensed under the state money transmission statutes may require substantial expenditures of time and money and could lead to liability in the nature of penalties or fines, as well as cause us to be required to cease operations in some or all of the US jurisdictions we service, which would have a materially adverse effect on our business and our financial results.
While we believe we are exempt from the BSA, we are contractually required to comply with certain obligations in the BSA pursuant to our agreements with those federally-insured depository institutions that sponsor our card processing activities and our ACH activities.
In addition, we, and those federally-insured depository institutions that sponsor our card processing activities and our ACH activities, are subject to the sanctions programs enforced by OFAC. If we fail to comply with these sanctions programs or our sanctions compliance program is found to be deficient then the fines or penalties we face may be severe and our efforts to remediate our sanctions compliance program may be costly and result in diversion of management time and effort and may still not guarantee compliance.
Governmental regulations designed to protect or limit access to or use of consumer information could adversely affect our ability to effectively provide our services to merchants.
Governmental bodies in the United States have adopted, or are considering the adoption of, laws and regulations restricting the use, collection, storage, and transfer of, and requiring safeguarding of, non-public personal information. Our operations are subject to certain provisions of these laws. Relevant federal privacy laws include the Gramm-Leach-Bliley Act of 1999, which applies directly to a broad range of financial institutions and indirectly, or in some instances directly, to companies that provide services to financial institutions. These laws and regulations restrict the collection, processing, storage, use and disclosure of personal information, require notice to individuals of privacy practices and provide individuals with certain rights to prevent the use and disclosure of protected information. These laws also impose requirements for safeguarding and proper destruction of personal information through the issuance of data security standards or guidelines. The Federal Trade Commission’s information safeguarding rules under the Gramm-Leach-Bliley Act require us to develop, implement and maintain a written, comprehensive information security program containing safeguards that are appropriate for our size and complexity, the nature and scope of our activities and the sensitivity of any customer information at issue. Our financial institution clients are subject to similar requirements under the guidelines issued by the federal banking regulators. As part of their compliance with these requirements, each of our financial institution clients is expected to have a program in place for responding to unauthorized access to, or use of, customer information that could result in substantial harm or inconvenience to customers and they are also responsible for our compliance efforts as a major service provider. 
Changes in our relationships with service providers, such as our plan to use AWS and Azure to provide additional redundancy, could further complicate the applicability of these regulations to our business. In addition, regulators are proposing new laws or regulations which could require us to adopt certain cybersecurity and data handling practices. In many jurisdictions, consumers must be notified in the event of a data breach, and such notification requirements continue to increase in scope and cost. The changing privacy laws in the United States create new individual privacy rights and impose increased obligations on companies handling personal data. In addition, there are state laws restricting the ability to collect and utilize certain types of information such as Social Security and driver’s license numbers. Certain state laws impose similar privacy obligations as well as obligations to provide notification of security breaches of computer databases that contain personal information to affected individuals, state officers and consumer reporting agencies and businesses and governmental agencies that own data.
In connection with providing services to our merchants, we are required by regulations and contracts with our merchants and with our financial institution referral partners to provide assurances regarding the confidentiality and security of non-public consumer information. These contracts require periodic audits by independent companies regarding our compliance with industry standards and allow for similar audits regarding best practices established by regulatory guidelines. The compliance standards relate to our infrastructure, components and operational procedures designed to safeguard the confidentiality and security of non-public consumer personal information shared by our merchants with us. Our ability to maintain compliance with these standards and satisfy these audits will affect our ability to attract, grow and maintain business in the future.
Additionally, privacy and data security have become significant issues in the United States. With the recent increase in publicity regarding data breaches resulting in improper dissemination of consumer information, all 50 states have passed laws regulating the actions that a business must take if it experiences a data breach, such as prompt disclosure to affected customers. As we receive, collect, process, use, and store personal and confidential data, we are subject to diverse laws and regulations relating to data privacy and security, including local state laws such as the New York Stop Hacks and Improve Data Security Act (the “SHIELD Act”), and the CCPA.
The SHIELD Act requires companies to implement a written information security program that contains appropriate administrative, technical, and physical safeguards. The CCPA, which became effective on January 1, 2020 and operative on January 1, 2023, gives California residents expanded rights to access and delete their personal information, opt out of certain personal information sharing and receive detailed information about how their personal information is used. The CCPA provides for civil penalties for violations, as well as a private right of action for data breaches that is expected to increase data breach litigation. The CCPA may increase our potential liability and may require us to modify our data collection or processing practices and policies and to incur substantial costs and expenses in effort to comply. Moreover, the CPRA, which became effective on January 1, 2023, significantly modifies and expands the CCPA, potentially resulting in further uncertainty and requiring us to incur additional costs and expenses in an effort to comply. Colorado, Connecticut, Virginia and Utah have each enacted comprehensive consumer data protection legislation, which is already effective or becomes effective throughout 2023. This, along with a growing number of other U.S. states that are proposing new privacy laws, has created the need for multi-state compliance. We continue to monitor and adapt to this evolving privacy landscape.
If we fail to comply with the laws and regulations relating to the protection of data privacy, we could be exposed to suits for breach of contract or to governmental proceedings. In addition, our relationships and reputation could be harmed, which could inhibit our ability to retain existing merchants and distribution partners and obtain new merchants and distribution partners.
If more restrictive privacy laws or rules are adopted by authorities in the future, our compliance costs may increase and our ability to perform due diligence on, and monitor the risk of, our current and potential merchants may decrease, which could create liability for us. Additionally, our opportunities for growth may be curtailed by our compliance capabilities or reputational harm, and our potential liability for security breaches may increase.
Changes in tax laws or their interpretations, or becoming subject to additional U.S., state or local taxes that cannot be passed through to our clients, could negatively affect our business, financial condition and results of operations.
We are subject to extensive tax liabilities, including federal and state and transactional taxes such as excise, sales/use, payroll, franchise, withholding, and ad valorem taxes. The rules dealing with taxation are constantly under review by legislators and regulators. We cannot predict how future tax proposals or regulations or other guidance issued by regulators might affect us. Changes in tax laws or their interpretations could decrease the amount of revenues we receive, the value of any tax loss carryforwards and tax credits recorded on our balance sheet and the amount of our cash flow, and have a material adverse impact on our business, financial condition and results of operations.
Some of our tax liabilities are subject to periodic audits by the respective taxing authority which could increase our tax liabilities. Furthermore, companies in the payment processing industry, including us, may become subject to incremental taxation in various tax jurisdictions. Taxing jurisdictions have not yet adopted uniform positions on this topic. If we are required to pay additional taxes and are unable to pass the tax expense through to our clients, our costs would increase and our net income would be reduced, which could have a material adverse effect on our business, financial condition and results of operations.
The elimination of the London Interbank Offered Rate ("LIBOR") could adversely affect the cost of our debt.
The United Kingdom’s Financial Conduct Authority (the "FCA"), which regulates LIBOR, stopped persuading or compelling banks to submit LIBOR rates after 2021, and on December 31, 2021, ICE Benchmark Administration, the administrator of LIBOR, with the support of the Federal Reserve Board and the FCA, ceased publication of USD LIBOR for the one week and two month U.S. dollar LIBOR tenors. Publications related to all other LIBOR tenors will cease immediately on June 30, 2023. In the U.S., the Alternative Reference Rates Committee formally recommended the Secured Overnight Financing Rate or "SOFR," plus a recommended spread adjustment, as the replacement for USD LIBOR. The application of or transition to SOFR or any other alternative reference rate could increase our interest expense or may introduce operational risks in our accounting or financial reporting and other aspects of our business.
Any of these occurrences could materially and adversely affect our borrowing costs, financial condition, and results of operations.
Legal proceedings could have a material adverse effect on our business, financial condition or results of operations.
In the ordinary course of business, we may become involved in various litigation matters, including but not limited to commercial disputes and employee claims, and from time to time may be involved in governmental or regulatory investigations or similar matters arising out of our current or future business. Any claims asserted against us, regardless of merit or eventual outcome, could harm our reputation and have an adverse impact on our relationship with our merchants, distribution partners and other third parties and could lead to additional related claims. Certain claims may seek injunctive relief, which could disrupt the ordinary conduct of our business and operations or increase our cost of doing business. Our insurance or indemnities may not cover all claims that may be asserted against us, and any claims asserted against us, regardless of merit or eventual outcome, may harm our reputation and cause us to expend resources in our defense. Furthermore, there is no guarantee that we will be successful in defending ourselves in future litigation. Should the ultimate judgments or settlements in any pending litigation or future litigation or investigation significantly exceed our insurance coverage, they could have a material adverse effect on our business, financial condition, and results of operations.
Increasing scrutiny and changing expectations from investors, lenders, customers, government regulators and other market participants with respect to our Environmental, Social and Governance (“ESG”) policies and activities may impose additional costs on us or expose us to additional risks.
Companies across all industries and around the globe are facing increasing scrutiny relating to their ESG policies and activities. Investors, lenders and other market participants are increasingly focused on ESG practices and in recent years have placed increasing importance on the implications and social cost of their investments. Investment in funds that specialize in companies that perform well in assessments performed by ESG raters are increasingly popular, and major institutional investors have emphasized the importance of such ESG measures to their investment decisions. Responding to ESG considerations, including diversity and inclusion, environmental stewardship, support for local communities, labor conditions and human rights, ethics and compliance with law and corporate governance and transparency, and implementing goals and initiatives involve risks and uncertainties and depend in part on third-party performance or data that is outside our control.
In February 2021, the Acting Chair of the SEC issued a statement directing the Division of Corporation Finance to enhance its focus on climate-related disclosure in public company filings and in March 2021 the SEC announced the creation of a Climate and ESG Task Force in the Division of Enforcement. We risk damage to our brand and reputation or limited access to capital markets and loans, if we fail to adapt to or comply with investor, lender or other stakeholder expectations and standards and potential government regulation in a number of areas, such as diversity and inclusion, environmental stewardship, support for local communities, and corporate governance and transparency. In addition, compliance with standards and regulation may result in additional costs.
Risks Relating to Indebtedness
We have and will continue to have high levels of indebtedness.
Paya Holdings III, LLC (“Paya III”), Holdings and other indirect subsidiaries of Paya are party to a Credit Agreement, dated as of June 25, 2021 (the “Credit Agreement”). As of December 31, 2022, there were no outstanding borrowings under the revolving credit facility thereunder (the “2021 Revolving Credit Facility”) and $246.9 million outstanding under the Term Loan facility thereunder (the “2021 Term Credit Facility” and together with the 2021 Revolving Credit Facility, the “2021 Credit Facility”). Because borrowings under the 2021 Credit Facility bear interest at variable rates, increases in interest rates on debt that has not been fixed using interest rate hedges will increase interest expense, reduce cash flow or increase the cost of future borrowings or refinancings.
Our indebtedness could have important consequences to our investors, including, but not limited to:
• increasing vulnerability to, and reducing its flexibility to respond to, general adverse economic and industry conditions;
• requiring the dedication of a substantial portion of cash flow from operations to the payment of principal of, and interest on, its indebtedness, thereby reducing the availability of such cash flow to fund working capital, capital expenditures, acquisitions, joint ventures or other general corporate purposes;
• limiting flexibility in planning for, or reacting to, changes in its business and the competitive environment; and
• limiting our ability to borrow additional funds and increasing the cost of any such borrowing.
If the proposed Merger is consummated, then the Company will terminate the Credit Agreement and concurrently repay all advances and other obligations outstanding thereunder and the surviving corporation will assume all remaining debts, liabilities and duties of the Company (if any), in each case as provided under the applicable provisions of the General Corporation Law of the State of Delaware, as amended.
Risks Relating to Ownership of our Common Stock and Our Status as a Public Company
If the Merger is not consummated and we remain a public company, we may issue additional common stock or other equity securities without your approval, which would dilute your ownership interests and may depress the market price of the common stock.
Pursuant to the terms of the Merger Agreement, until the Merger is consummated or the Merger Agreement is terminated, we generally may not issue, sell, deliver, pledge or agree or commit to issue, deliver, encumber or subject to a lien, or pledge any securities. However, if the Merger is not consummated and we remain a public company, we may issue additional shares of common stock or other equity securities in the future in connection with, among other things, future acquisitions, repayment of outstanding indebtedness or grants under the Omnibus Plan without stockholder approval in a number of circumstances. In 2021 and 2022, we issued a total of 15,362,438 and 170,958 shares of common stock, respectively, including shares issued in a primary offering, shares issued to partially finance the acquisition of Paragon Payment Solutions, shares issued in exchange for our then outstanding warrants, and shares issued under the Omnibus Plan. In addition, we are required to issue an aggregate of 14,018,188 shares of common stock to existing equity holders of Paya upon achievement of milestone targets. Our issuance of additional common stock or other equity securities of equal or senior rank would have the following effects:
• our existing shareholders’ proportionate ownership interest will decrease;
• the amount of cash available per share, including for payment of dividends in the future, may decrease;
• the relative voting strength of each previously outstanding share of common stock may be diminished; and
• the market price of our common stock may decline.
Provisions in our charter and Delaware law may inhibit a takeover, which could limit the price investors might be willing to pay in the future for our common stock and could entrench management.
Our amended and restated certificate of incorporation and bylaws contain provisions to limit the ability of others to acquire control of us or cause us to engage in change-of-control transactions, including, among other things:
• provisions that authorize our board of directors, without action by our stockholders, to authorize by resolution the issuance of shares of preferred stock and to establish the number of shares to be included in such series, along with the preferential rights determined by our board of directors;
• provisions that permit only a majority of our board of directors or the Chair of the board of directors at the direction of a majority of the board of directors or, for so long as GTCR-Ultra Holdings, LLC ("Ultra") and its affiliates beneficially own at least 35% of our common stock, the Chair of the board of directors at the written request of the holders of a majority of the voting power of the then outstanding shares of voting stock, to call shareholder meetings, and therefore do not permit stockholders to call special stockholder meetings;
• provisions that impose advance notice requirements, minimum shareholding periods and ownership thresholds, and other requirements and limitations on the ability of stockholders to propose matters for consideration at stockholder meetings; and
• a staggered board whereby our directors are divided into three classes, with each class subject to reelection once every three years on a rotating basis.
These provisions could have the effect of depriving our stockholders of an opportunity to sell their shares at a premium over prevailing market prices by discouraging third parties from seeking to obtain control of us in a tender offer or similar transaction. With our staggered board of directors, at least two annual meetings of shareholders will generally be required in order to effect a change in a majority of our directors. Our staggered board of directors can discourage proxy contests for the election of our directors and purchases of substantial blocks of our shares by making it more difficult for a potential acquirer to gain control of our board of directors in a relatively short period of time.
Our amended and restated certificate of incorporation provides, subject to limited exceptions, that the Court of Chancery of the State of Delaware will be the sole and exclusive forum for certain stockholder litigation matters, which could limit our stockholders’ ability to obtain a favorable judicial forum for disputes with us or our directors, officers, employees or stockholders.
Our amended and restated certificate of incorporation requires, to the fullest extent permitted by law, that derivative actions brought in our name, actions against directors, officers and employees for breach of fiduciary duty and other similar actions may be brought only in the Court of Chancery in the State of Delaware and, if brought outside of Delaware, the stockholder bringing the suit will be deemed to have consented to service of process on such stockholder’s counsel. Any person or entity purchasing or otherwise acquiring any interest in shares of our capital stock shall be deemed to have notice of and consented to the forum provisions in our amended and restated certificate of incorporation.
This choice of forum provision may limit a stockholder’s ability to bring a claim in a judicial forum that it finds favorable for disputes with us or any of our directors, officers, other employees or stockholders, which may discourage lawsuits with respect to such claims. Alternatively, if a court were to find the choice of forum provision contained in our amended and restated certificate of incorporation to be inapplicable or unenforceable in an action, we may incur additional costs associated with resolving such action in other jurisdictions, which could harm our business, operating results and financial condition.
A market for our common stock may not be sustained, which would adversely affect the liquidity and price of our common stock.
The price of our common stock may fluctuate significantly due to general market and economic conditions. An active trading market for our common stock may not be sustained.
We may be unable to satisfy Nasdaq listing requirements in the future, which could limit investors’ ability to effect transactions in our common stock and subject us to additional trading restrictions.
If we fail to continue to satisfy ongoing Nasdaq listing requirements, or if we are delisted, there could be significant material adverse consequences, including:
•a limited availability of market quotations for our common stock;
•a limited amount of news and analyst coverage for us; and
•a decreased ability to obtain capital or pursue acquisitions by issuing additional equity or convertible securities.
If we fail to maintain effective internal control over financial reporting and disclosure controls and procedures, we may not be able to accurately report our financial results, or report them in a timely manner.
We are a public reporting company subject to the rules and regulations established from time to time by the SEC and Nasdaq. As a public company we are required to document and test our internal control over financial reporting pursuant to Section 404 of the Sarbanes-Oxley Act so that our management can certify as to the effectiveness of our internal control over financial reporting. In addition, our independent registered public accounting firm is required to provide an attestation report on the effectiveness of our internal control over financial reporting in our Annual Reports on Form 10-K on an ongoing basis.
As of December 31, 2021, we identified a material weakness in our controls related to the operating effectiveness of the review of the annual income tax provision prepared by a third-party firm. We did not maintain effective controls to sufficiently review the completeness and accuracy of the annual tax provision.
This material weakness resulted in adjustments that have been recorded in our consolidated financial statements as of and for the year ended December 31, 2021. Our management and our independent registered public accounting firm determined that as of December 31, 2022, this material weakness had been remediated and our internal control over financial reporting was effective.
Remediation of the 2021 material weakness required, and remediation of any other material weakness or any significant deficiency would require, management to devote significant time and incur significant expense, and management may not be able to remediate other future material weaknesses or significant deficiencies in a timely manner. The existence of any material weakness in our internal control over financial reporting could result in errors in our financial statements that could require us to restate our financial statements and cause us to fail to meet our reporting obligations. If we are unable to remediate the existing material weakness or assert that our internal control over financial reporting is effective, or if our independent registered public accounting firm is unable to express an opinion as to the effectiveness of our internal control over financial reporting, or expresses an adverse opinion, investors may lose confidence in the accuracy and completeness of our financial reports, we may face restricted access to the capital markets and our stock price may be adversely affected.
In addition, if the Merger is not consummated and we remain a public company, we expect to continue to incur costs related to our internal control over financial reporting in the upcoming years to improve our internal control environment. If we are unable to comply with the requirements applicable to us as a public company, including the requirements of Section 404 of the Sarbanes-Oxley Act, in a timely manner, we may be unable to accurately report our financial results, or report them within the timeframes required by the SEC. If this occurs, we also could become subject to sanctions or investigations by the SEC or other regulatory authorities.
We do not anticipate paying dividends for the foreseeable future.
Under the terms of the Merger Agreement, until the Merger is consummated or the Merger Agreement is terminated, without prior consent from Parent, we may not declare, set aside or pay any dividend or other distribution in respect of any shares of capital stock or other equity or voting interest, or make any other distribution in respect of the shares of capital stock or other equity or voting interest. In addition, we do not anticipate that our board of directors will declare dividends in the foreseeable future. In addition, the ability of our board of directors to pay dividends in the future may be restricted by our debt documents, our holding company structure and capital requirements at our subsidiaries. Because we do not pay dividends, and do not anticipate paying dividends for the foreseeable future, the price of our common stock must appreciate in order for you to realize a gain on your investment. This appreciation may not occur.
Our ability to meet expectations and projections in any research or reports published by securities or industry analysts, or a lack of coverage by securities or industry analysts, could result in a depressed market price and limited liquidity for our common stock.
The trading market for our common stock is influenced by the research and reports that industry or securities analysts may publish about us, our business, our market, or our competitors. If no securities or industry analysts commence coverage of us, our stock price would likely be less than that which would be obtained if we had such coverage, and the liquidity, or trading volume, of our common stock may be limited, making it more difficult for a stockholder to sell shares at an acceptable price or amount. If any analysts do cover us, their projections may vary widely and may not accurately predict the results we actually achieve. Our share price may decline if our actual results do not match the projections of research analysts covering us. Similarly, if one or more of the analysts who write reports on us downgrades our stock or publishes inaccurate or unfavorable research about our business, our share price could decline. If one or more of these analysts ceases coverage of us or fails to publish reports on us regularly, our share price or trading volume could decline.
If the Merger is not consummated and we remain a public company, future sales of our common stock by Ultra may reduce the market price of common stock that you might otherwise obtain.
As of December 31, 2022, Ultra beneficially owned 45,234,022 shares of common stock and is entitled to receive an additional 14,018,188 shares in the event that the price of our common stock exceeds $17.50 per share for 20 out of any 30 consecutive trading days through October 16, 2025 (see Note 3 for details on the Fintech Transaction). If the Merger is not consummated and we remain a public company, Ultra or its affiliates may sell large amounts of the Company's common stock in the open market or in privately negotiated transactions. The Company also entered into a registration rights agreement with Ultra and certain other stockholders, pursuant to which it granted certain registration rights to Ultra and the other stockholders party thereto. The registration and availability of such a significant number of shares of common stock for trading in the public market may increase the volatility in the Company’s stock price or put significant downward pressure on the price of its stock.