Risk Factors Dashboard

Once a year, publicly traded companies issue a comprehensive report of their business, called a 10-K. A component mandated in the 10-K is the ‘Risk Factors’ section, where companies disclose any major potential risks that they may face. This dashboard highlights all major changes and additions in new 10K reports, allowing investors to quickly identify new potential risks and opportunities.

View risk factors by ticker

Search filings by term

Risk Factors - HQY

-New additions in green
-Changes in blue
-Hover to see similar sentence in last filing

Item 1A. Risk factors.

Unless the context otherwise indicates or requires, the terms “we,” “our,” “us,” “HealthEquity,” and the “Company,” as used in this Annual Report on Form 10-K, refer to HealthEquity, Inc. and its subsidiaries as a combined entity, except where otherwise stated or where it is clear that the terms mean only HealthEquity, Inc. exclusive of its subsidiaries.

-1-

Table of Contents

Part I

Item 1. Business

Company overview

We are a leader and an innovator in providing technology-enabled services that empower consumers to make healthcare saving, spending, and investing decisions. We use our innovative technology to manage consumers' tax-advantaged health savings accounts (“HSAs”) and other consumer-directed benefits (“CDBs”) offered by employers, including flexible spending accounts and health reimbursement arrangements (“FSAs” and “HRAs”), and to administer Consolidated Omnibus Budget Reconciliation Act (“COBRA”), commuter and other benefits. As part of our services, we provide consumers with payment processing services, personalized benefit information, access to healthcare solutions through our marketplace, and investment advice to grow their tax-advantaged healthcare savings. We believe the shift to greater consumer responsibility for healthcare costs will require a significant portion of consumers under the age of 65 with private health insurance in the United States to use offerings such as ours.

We refer to the aggregate number of HSAs and other CDBs that we administer as Total Accounts, of which we had 17.8 million as of January 31, 2026.

We reach consumers primarily through relationships with their employers, which we call Clients. As of January 31, 2026, our platforms were integrated with more than 200 Network Partners.

According to the 2025 Midyear Devenir HSA Research Report, as of June 2025, we were the largest HSA provider by number of accounts and the second largest HSA provider by HSA Assets. In addition, we believe we are the largest provider of other CDBs. Our proprietary technology allows us to help consumers optimize the value of their HSAs and other CDBs and gain confidence and skills in managing their healthcare costs as part of their financial security.

Our ability to assist consumers is enhanced by our capacity to securely share data in both directions with others in the health, benefits, and retirement ecosystems.

Our business model provides strong visibility into our future operating performance, with the vast majority of our accounts opened before the start of our fiscal year.

We earn revenue primarily from three sources: service, custodial, and interchange. We earn service revenue mainly from fees paid by our Clients, Network Partners, and account holders, which we refer to as members, for the administration services we provide in connection with the HSAs and other CDBs we offer. Service revenue also includes revenues earned from invested HSA Assets and our marketplace. We earn custodial revenue primarily from HSA cash held by our insurance company partners, HSA cash held by our federally insured bank and credit union partners, which we collectively call our Depository Partners, and Client-held funds deposited with our Depository Partners. We earn interchange revenue mainly from fees paid by merchants on payments that our members make using our physical payment cards and on our virtual payment system.

BenefitWallet HSA portfolio acquisition. In fiscal 2025, we acquired the BenefitWallet HSA portfolio, comprised of approximately 616,000 HSAs plus other accounts, which collectively totaled $2.7 billion of HSA Assets, from Conduent Business Services, LLC for a purchase price of $425.0 million. We paid the purchase price using $225.0 million of borrowings under our revolving credit facility, with the remainder paid using cash on hand.

Our products and services

Health savings accounts. The Medicare Modernization Act of 2003 created HSAs, a tax-exempt trust or custodial account managed by a custodian that is a bank, an insurance company, or a non-bank custodian specifically authorized by the Internal Revenue Service, or IRS, as meeting certain ownership, capitalization,

-2-

Table of Contents

expertise, and governance requirements. We are an IRS-approved non-bank custodian of our members' HSAs, designated to serve as both a passive and non-passive non-bank custodian of HSAs.

To be eligible to contribute to an HSA, an individual must be covered under a high-deductible healthcare plan, or HDHP, have no additional health coverage, not be enrolled in Medicare, and not be claimed as a dependent on someone else’s tax return. Additionally, taxable distributions other than for qualified medical expenses are permitted without penalty (although subject to income tax) after age 65. Balances remain in the account until used, i.e., there is no “use or lose” requirement.

Investment platform and advisory services. We offer an investment platform and access to an online-only automated investment advisory service to all of our members whose account balances exceed a stated threshold. These services are entirely elective to the member. The advisory service is delivered through a web-based tool, Advisor, which is offered and managed by HealthEquity Advisors, LLC, our SEC-registered investment adviser subsidiary. HealthEquity Advisors, LLC provides investment advice to its clients exclusively through the Advisor tool on an interactive website.

Advisor provides investment education guidance and management, including maintaining HSA cash (liquidity) in amounts directed by the member, targeting risk appropriate portfolio diversification, and mutual fund selection.

We offer investors access to three levels of service:

•Self-driven: For members who do not subscribe for Advisor, we provide an investment platform to invest HSA balances. Neither we nor Advisor provides advice to members in respect of investments on the platform. We also offer a self-directed brokerage option through a third-party partner;

•GPS powered by HealthEquity Advisors, LLC: Advisor provides guidance and advice, but the member makes the final investment decisions and implements portfolio allocation and investment advice through the HealthEquity platform; and

•AutoPilot powered by HealthEquity Advisors, LLC: Advisor manages the account and implements portfolio allocation and investment advice automatically for the member.

Regardless of the level of service selected, members are responsible for their proportionate share of fees and expenses payable by the underlying mutual funds and other investment vehicles in which they invest.

Healthcare flexible spending accounts. Healthcare FSAs are employer-sponsored CDBs that enable employees to set aside pre-tax dollars to pay for eligible healthcare expenses that are not generally covered by insurance, such as co-pays, deductibles and over-the-counter medical products, as well as vision expenses, orthodontia, and medical devices. Healthcare FSAs can be customized by employers so they have the freedom to determine what eligible expenses may be reimbursed under these arrangements. Our employer Clients also realize payroll tax (i.e., FICA and Medicare) savings on the pre-tax contributions made by their employees.

The IRS imposes a limit, indexed to inflation, on pre-tax dollar employee contributions made to healthcare FSAs. The IRS also allows a carryover of up to 20% of the indexed contribution limit that does not count against or otherwise affect the indexed salary reduction limit applicable to each plan year. Employers are able to contribute additional amounts in excess of this statutory limit and may choose to do so in an effort to mitigate the impact of rising healthcare costs on their employees.

Dependent care flexible spending accounts. We also administer FSA programs for dependent care plans. These plans allow employees to set aside pre-tax dollars to pay for eligible dependent care expenses, which typically include child care or day care expenses but may also include expenses incurred from adult and elder care. Current laws and regulations impose a statutory limit on the amount of pre-tax dollars employees can contribute to dependent care FSAs with no carryover allowed. Like healthcare FSAs, employers can also contribute funds to employees’ dependent care FSAs; however, these are subject to the statutory annual limit on total contributions. As

-3-

Table of Contents

with healthcare FSAs, employers realize payroll tax savings on the pre-tax dependent care FSA contributions made by their employees.

Health reimbursement arrangements. Under HRAs, employers provide their employees with a specified amount of reimbursement funds that are available to help employees defray their out-of-pocket healthcare expenses, such as deductibles, co-insurance and co-payments. HRAs may only be funded by employers and there is no limitation on how much employers may contribute; however, similar to other CDBs that are funded with pre-tax dollars, employers are required to establish the programs in such a way as to prevent discrimination in favor of highly compensated employees. HRAs must either be considered an excepted benefit (for example, a dental-only HRA or a vision-only HRA), a retiree HRA or be integrated with another group health plan. HRAs can be customized by employers so employers have the freedom to determine what expenses are eligible for reimbursement under these arrangements. At the end of the plan year, employers have the option to allow all or a portion of the unused funds to roll over and accumulate year-to-year if not spent. All amounts paid by employers into HRAs are deductible for tax purposes by the employer and tax-free to the employee.

COBRA. We provide federal COBRA and state continuation administration services to employer Clients. COBRA generally requires eligible employers to offer continuation coverage to qualified beneficiaries for a period that varies based on the qualifying event (generally 18 months for termination or reduction in hours and up to 36 months for certain other events). We also offer direct‑billing services and participant support for individuals who elect continuation coverage.

Commuter programs. We administer pre-tax commuter benefit programs through which employers are permitted to provide employees with commuter benefits including qualified transit and parking. The maximum monthly federal (and sometimes state) tax free exclusion is indexed for inflation.

Marketplace. We provide HSA and FSA members with access to certain healthcare products, programs, and services through our marketplace, with tax‑advantaged payment options using their HealthEquity accounts. Our marketplace is made available through partnerships with third‑party providers. These providers are responsible for the related clinical services (including prescribing medications, where applicable), fulfillment, and ongoing member support. Marketplace offerings may vary by Client or health plan partner and are subject to change over time.

Our competitive landscape

Our direct competitors are HSA custodians and other CDB providers. Many of these are state or federally chartered banks and other financial institutions for which we believe benefits administration services are not a core business. Some of our direct competitors (including well-known retail investment companies, such as Fidelity Investments, and healthcare service companies such as UnitedHealth Group's Optum and Webster Bank) are in a position to devote more resources to the development, sale and support of their products and services than we have at our disposal. In addition, numerous indirect competitors, including benefits administration service providers, partner with banks and other HSA custodians to compete with us. The products, programs, and services made available through our marketplace are part of highly competitive markets and introduce new and sophisticated competitors to us. Our success depends on our ability to predict and react quickly to these and other industry and competitive dynamics.

Our competitive strengths and strategy

We believe we are well-positioned to benefit from the transformation of the healthcare benefits market. Generally, our members begin by building tax-advantaged savings through contributions to their HSAs. These savings deliver immediate, practical value by helping members pay for qualified medical care, including through our marketplace. Our members' HSA savings can also be invested for long-term growth and, over time, become an important component of their financial planning. We believe that our offerings complement and reinforce one another and that member retention increases as they use their accounts with greater frequency and confidence.

Market leadership. We have established a leadership position in the HSA industry through our focus on innovation and differentiated capabilities.

-4-

Table of Contents

Differentiated consumer experience. We have designed our solution and support services to deliver a differentiated consumer experience, which is a function of our culture and technology.

•Culture: We seek to provide customer-friendly experiences for our members, Clients, and Network Partners through what we call our "Purple" service.

•Technology: We believe our technology helps us drive member outcomes and deliver on our commitment to provide Purple service. For example, our technology generates health savings strategies that are delivered to our members when they interact with our platforms, including our mobile application.

•Customer service and education: As a key part of our strategy and commitment to provide Purple service, our team members work directly with our Network Partners, Clients, and members, educating them about the benefits of our HSAs and other products. We employ individuals who provide real-time assistance to our members via telephone, email, or chat.

Bundled solution for HSAs and complementary CDBs. We are a market-share leader in the administration of HSAs and each of the major categories of complementary CDBs, including FSAs and HRAs, COBRA and commuter benefits.

We believe our differentiated distribution platforms provide a competitive advantage by efficiently enabling us to reach a growing consumer market. Our solution is built on a business-to-business-to-consumer, or B2B2C, channel strategy, whereby we work with Network Partners and Clients to reach consumers in addition to marketing our services to these potential members directly. Reaching the consumer is critical in order for us to increase the number of our HSA members. Our integrations with Network Partners have provided, and continue to provide, a key channel through which we gain access to Clients and members.

Our Clients collectively employ thousands of human resources professionals who are tasked with explaining the benefits of our HSAs to their employees. Our sales and account management teams work with and train the sales representatives and account management teams of our Network Partners and the human resource professionals of our Clients on the benefits of enrolling in, contributing to, and saving and spending through our HSAs, and our Network Partners and Clients then convey these benefits to prospective members. As a result of this collaboration, we develop relationships with each member who enrolls in an HSA with us. This personalized engagement with our members constitutes our B2B2C channel strategy.

Proprietary and integrated technology solution. We have a proprietary cloud-based technology solution, which we believe is differentiated for the key reasons described below. We are currently investing in a modernization of our proprietary technology platforms, including through the increasing use of artificial intelligence ("AI") tools and technologies, to support new opportunities and enhance security, privacy and platform infrastructure, while maintaining existing applications, features, and services.

•Complete solution for managing consumer healthcare saving, spending, and investing: We believe our technology platforms and marketplace drive member outcomes by enabling our members to use this technology based on their own needs and desires. Members also utilize the platform’s mobile app to view and pay claims on-the-go, including uploading medical and insurance documentation to the platform with their mobile phone cameras.

•Purpose-built technology: Our technology solution was designed specifically to serve the needs of our members, Network Partners, other ecosystem partners and our Clients. We believe our technology enables us to both provide customer-friendly experiences and drive member outcomes by providing greater functionality and flexibility than the technologies used by our competitors, many of which were originally

-5-

Table of Contents

developed for banking, benefits administration or retirement services.

•Innovation: We continue to invest in technology solutions to meet the evolving needs of our Network Partners, Clients and members. Among other things, we also increasingly use AI tools and technologies to improve customer service, lower costs, and increase efficiencies. Our current innovation efforts include, among others, increasing member and Client self-service capabilities, developing application programming interfaces (APIs), driving electronic communication rather than paper, increasing straight-through processing, improving overall process times utilizing traditional robotic process automation, providing our members access to healthcare solutions through our marketplace, and AI tools including the Expedited Claims and HSAnswers tools, leveraging chip-enabled stacked cards, and mobile wallet.

•Data integration: Our technology solution allows us to integrate data from disparate sources. We utilize APIs to integrate with health plans, pharmacy benefit managers, employers, and other benefits provider systems. A key part of our strategy is to integrate into our partners' ecosystems, rather than requiring them to conform to ours, as many of our partners’ systems rely on custom data models, non-standard formats, complex business rules, and security protocols that are difficult or expensive to change. We believe that this integration enables us to deepen our partnerships with our Network Partners and other ecosystem partners.

•Configurability: Our flexible technology solution enables us to create a unique solution for each of our Network Partners.

Scalable operating model. We believe that our model is scalable because our services are accessed primarily through our cloud-based technology platforms. After initial on-boarding and a period of education, our service costs for any given customer typically decline over time.

Enhanced Rates. We partner with large, highly rated insurance company partners to hold, through group annuity contracts or other similar arrangements, HSA cash. We refer to this as our "Enhanced Rates" offering. Enhanced Rates is our default HSA cash offering, and a significant portion of new HSA cash is placed in Enhanced Rates. An increase in the percentage of HSA cash held in our Enhanced Rates offering positively impacts our custodial revenue, as we generally receive a higher yield on HSA cash held by our insurance company partners compared to cash held by our Depository Partners, which we refer to as our "Basic Rates" offering. In addition, increased participation in our Enhanced Rates offering reduces our exposure to short-term fluctuations in prevailing interest rates because contract repricing occurs gradually, at approximately 10% per year. The percentage of HSA cash held in our Enhanced Rates offering has increased, and we expect that it will continue to increase. As our Basic Rates contracts continue to expire, the HSA cash held in those Basic Rates contracts will transition to Enhanced Rates contracts, subject to our members retaining the right to keep their HSA cash in Basic Rates.

Strong retention rates. Retention of our HSA members has been strong over time. Individually owned trust accounts, including HSAs, have inherently high switching costs, as switching requires a certain amount of effort on the part of the account holder and may result in closure fees. We believe that our retention rates are also high due to our HSA platform’s integration with the broader healthcare system used by our HSA members and our customer engagement and focus on the consumer experience.

Selective acquisition strategy. We have historically acquired HSA portfolios and businesses that we believe strengthen our service offerings. We have developed an internal capability to source, evaluate, and integrate acquisitions. We believe the nature of our competitive landscape provides significant acquisition opportunities. Many of our competitors view their HSA businesses as non-core functions. We believe they may look to divest these assets and, in certain cases, be limited from making acquisitions due to depository capital requirements. Our success depends in part on our ability to successfully integrate acquired businesses and HSA portfolios with our business in an efficient and effective manner.

-6-

Table of Contents

Our technology

Technology platforms. We provide secure cloud-based platforms, accessed by our members online via our mobile application or a desktop, through which our members are empowered to make health saving, spending and investment decisions, pay healthcare bills, receive personalized benefit information, and grow their savings. The platforms provide users with access to services we provide as well as services provided by third parties selected by us or by our Network Partners. We are increasingly using AI tools and technologies to increase efficiencies and reduce costs while developing AI-powered technologies to improve our customer experience.

Among other features, our HSA platform includes the capability to present to users medical bills upon adjudication by a health plan, including details such as the amount paid by insurance, specific nature of the medical service provided, and diagnostic code. Users of our HSA platform can pay these bills from an account of ours or from any bank account, online, via a mobile device, or using our payment card. All users of our HSA platform gain access to our healthcare consumer specialists, available every hour of every day, via a toll-free telephone number or email. Our specialists can assist users with such tasks as optimizing the use of tax-advantaged accounts to reduce medical spending or selecting from among medical plans offered by an employer or health plan.

For a description of our cybersecurity risk management framework for our technology platforms, see Cybersecurity.

Cloud-based solution. Our proprietary technology is deployed as a cloud-based solution that is accessible to customers online and through our mobile app. We utilize a multi-tenant architecture that allows changes made for one Network Partner to be extended to all others. This architecture provides operating leverage by reducing costs and improving efficiencies, enabling us to maximize the utilization of our infrastructure capacity with a reduction in required maintenance. We are increasing investment in our technology and communications systems to support new opportunities and enhance security, privacy, and platform infrastructure.

Our solution is delivered via cloud-based services and hosted in third-party data centers or on a virtual private cloud with an ability to scale on demand. This allows us to quickly support our current and projected growth. We utilize regional cloud failover and multiple redundant third-party data centers to ensure continuous access and data availability. The data centers are purpose-built facilities for hosting mission critical systems with multiple built-in redundancy layers to minimize service disruptions and meet industry-standard measures.

Government regulation

Our business is subject to extensive, complex, and rapidly changing federal and state laws and regulations.

IRS regulations

We are subject to applicable IRS regulations, which lay the foundation for tax savings and eligible expenses under the HSAs, HRAs, tax-advantaged commuter benefits, and FSAs we administer. The IRS issues guidance regarding these regulations regularly. In addition, we are subject to conflict of interest and other prohibited transaction rules that are enforced through excise taxes under the Internal Revenue Code. Although the excise taxes are enforced by the IRS, the underlying rules are promulgated by the Department of Labor.

In February 2006, HealthEquity, Inc. received designation by the U.S. Department of Treasury to act as a passive non-bank custodian, which allows HealthEquity, Inc. to custody HSA Assets for individual account holders. In July 2017, HealthEquity, Inc. received designation by the U.S. Department of Treasury to act as both a passive and non-passive non-bank custodian, which allows HealthEquity, Inc. As a passive and non-passive non-bank custodian, the Company must maintain net worth (assets minus liabilities) greater than 2% of passive custodial funds held at each fiscal year-end and 4% of the non-passive custodial funds held at each fiscal year-end in order to take on additional custodial assets. As of January 31, 2026, the Company's year-end for trust and tax purposes, the net worth of the Company exceeded the required thresholds.

Privacy and data security regulations

In the provision of HSA custodial services and directed third-party administration services for FSAs and HRAs, we are subject to the Financial Services Modernization Act of 1999 (Gramm-Leach-Bliley Act or GLBA), the Health Insurance Portability and Accountability Act of 1996 (HIPAA, as amended by the Health Information Technology for

-7-

Table of Contents

Economic and Clinical Health Act), and similar state laws. The products and services made available through our marketplace may subject us to additional federal, state, and local laws and regulations.

GLBA imposes financial privacy and security requirements on financial institutions that relate to the collection, storage, use, and disclosure of an account holder’s nonpublic personal information. Nonpublic personal information includes information that is collected or generated in the course of offering a financial product or service. For example, nonpublic personal information includes information submitted by a prospective account holder in an application, an account holder’s name and contact information, and transaction information. We are also required under GLBA to establish reasonable administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of nonpublic personal information pursuant to the Federal Trade Commission’s safeguards rule. Violations of GLBA can result in civil and criminal penalties.

HIPAA covered entities and their business associates are required to adhere to HIPAA privacy and security standards. Covered entities include most healthcare providers, health plans, and healthcare clearinghouses. Because we perform services (such as FSA services) for covered entities that include processing protected health information, we are a business associate and subject to HIPAA. The two rules that most significantly affect our business are: (i) the Standards for Privacy of Individually Identifiable Health Information, or the Privacy Rule; and (ii) the Security Standards for the Protection of Electronic Protected Health Information, or the Security Rule. The Privacy Rule restricts the use and disclosure of protected health information and requires us to safeguard that information and provide certain rights to individuals with respect to that information. The Security Rule establishes requirements for safeguarding protected health information transmitted or stored electronically. Both civil and criminal penalties apply for violating HIPAA, which may be enforced by both the Department of Health and Human Services’ Office for Civil Rights and state attorneys general.

Various states also have laws and regulations that impose additional restrictions on our collection, storage, use, and disclosure of personal information. Privacy regulation in particular has become a priority issue in many states and with the federal government. The CCPA does not generally apply to data subject to GLBA or HIPAA. Several of these laws do not apply to entities or data subject to GLBA or HIPAA. The federal government also at times considers legislative and regulatory proposals concerning privacy, data protection, and cybersecurity, which may require us to implement and maintain additional operational or compliance measures.

ERISA

Our private-sector clients’ FSAs, HRAs, COBRA continuation insurance, and other account-based retirement plans are covered by the Employee Retirement Income Security Act of 1974, as amended, or ERISA, which governs “employee benefits plans.” Title I of ERISA does not generally apply to HSAs. ERISA generally imposes extensive reporting requirements on employers, as well as an obligation to provide various disclosures to covered employees and beneficiaries; and employers and third-party administrators that have authority or discretion over management, administration, or investment of plan assets are subject to fiduciary responsibility under ERISA. ERISA's requirements affect our FSAs, HRAs, and COBRA administration businesses. The Department of Labor can bring enforcement actions or assess penalties against employers, investment advisers, administrators, and other service providers for failing to comply with ERISA’s requirements. Participants and beneficiaries may also file lawsuits against employers, investment advisers, administrators, and other service providers under ERISA.

Department of Labor

The Department of Labor, or the DOL, regulates plans that are subject to ERISA, including health FSAs, HRAs, and 401(k) and other retirement plans, as well as COBRA administration. The DOL also issues guidance related to fiduciary responsibility and prohibited transactions under ERISA and the Internal Revenue Code that affect administration of HSAs (as well as health FSAs, HRAs, and retirement plans).

The DOL issues regulations, technical releases, and other guidance that apply to employee benefit plans, tax-favored savings arrangements (including HSAs) and COBRA administration, generally. In addition, in response to a

-8-

Table of Contents

request by an individual or an organization, the DOL’s Employee Benefits Security Administration may issue an advisory opinion that interprets and applies ERISA and/or corresponding prohibited transaction rules under the Internal Revenue Code to a specific situation, including issues related to consumer-centric healthcare accounts and retirement plans.

Healthcare reform

In March 2010, the federal government enacted significant reforms to healthcare benefits through the Affordable Care Act. The legislation amended various provisions in many federal laws, including the Internal Revenue Code and ERISA. The reforms included new excise taxes that incentivize employers to provide health benefits (including HSA-compatible benefits) to all full-time employees and new coverage mandates for health plans. The rules directly affect health FSAs and HRAs and have an indirect effect on HSAs.

In July 2025, the “One Big Beautiful Bill Act” was signed into law, which expanded HSA availability to individuals with Bronze and Catastrophic health plans and expanded HSA eligibility to include a broader range of healthcare services.

Further changes to healthcare regulation remain under consideration, including "Medicare for all" plans.

Investment Advisers Act of 1940

Our subsidiary HealthEquity Advisors, LLC is an SEC-registered investment adviser that provides web-only automated investment advisory services to members. As an SEC-registered investment adviser, it must comply with the requirements of the Investment Advisers Act of 1940, or the Advisers Act, and related Securities and Exchange Commission, or SEC, regulations and is subject to periodic inspections by the SEC staff. Such requirements relate to, among other things, fiduciary duties to clients, disclosure obligations, recordkeeping and reporting requirements, marketing restrictions limitations on agency cross and principal transactions between the adviser and its clients, and general anti-fraud prohibitions. The SEC is authorized to institute proceedings and impose sanctions for violations of the Advisers Act, ranging from fines and censure to termination of an investment adviser’s registration. Investment advisers also are subject to certain state securities laws and regulations. Failure to comply with the Advisers Act or other federal and state securities and regulations could result in investigations, sanctions, profit disgorgement, fines or other similar consequences.

Intellectual property

Intellectual property is important to our success. We require our team members and consultants to execute confidentiality agreements in connection with their employment or consulting relationships with us. We also require our team members and consultants to disclose and assign to us all inventions conceived during the term of their employment or engagement while using our property or which relate to our business.

Geographic areas

Our sole geographic market is the U.S.

Human capital

HealthEquity is comprised of people dedicated to empowering consumers to spend, save, and invest for healthcare by delivering Purple service.

Our board of directors and its committees provide oversight on certain human capital matters.

As of January 31, 2026, we had 2,814 team members.

-9-

Table of Contents

Talent acquisition and team member development

Our People team seeks to attract, hire, and develop the best, most qualified candidates and team members.

HealthEquity has taken, and continues to take, steps to strengthen our talent:

Our People team uses a hiring framework which seeks to improve candidate experience, ensure quality of hire, and increase our focus on hiring practices that meet or exceed industry and legal standards.

•We continued an early career internship program, offering positions across two key areas: corporate business functions and technology. We strive to attract candidates aligned with our vision and who will provide the unique viewpoints and experiences that help drive our success going forward, including by our engaging in outreach with universities where we have a strong regional presence.

•We offer a library of resources for our “Grow Your Career” series with the Talent Partner and Talent Operations teams. This includes guides on how to write resumes, create a social media presence, and prepare for interviews to support team member development.

•We run the Temporary On-Project Specialist (TOPS) program, which allows Member Service Specialists to experience working in other areas of the business. The program is open to all Member Service Specialists, and selected individuals who are able to support areas that need help while gaining experience that can assist with their personal and professional goals.

•We offer a broad leadership development program to improve team member engagement and productivity.

•We coordinate an annual company-wide learning series. Open to all teammates, sessions include leadership development, emotional intelligence, technical skills, and other professional development topics.

•We also offer an annual summit for company leadership that provides an opportunity to discuss strategic priorities and initiatives and focus on leadership development and effective leadership workshops.

Pay equity

Pay equity is a crucial metric in assessing equal opportunity at HealthEquity. We strive to provide a consistent and fair remuneration strategy for all team members through our Total Rewards package. This package includes:

•Base salary

•Incentive/bonus pay

•Stock-based compensation

•401(k) with company matching

•Health benefits

The Total Rewards philosophy underlying this package is intended to promote fairness and simplicity so that team members and people leaders understand the performance goals they target during the year and the outcomes that result from achieving or exceeding those goals. We strive to administer the Total Rewards package consistently and to ensure equal opportunity as follows:

•Maintaining competitive pay by reviewing market data annually

•Rewarding team members based on their abilities, competencies, experience, and performance levels

•Effectively communicating our Total Rewards policies and practices

•Complying with all applicable federal, state, and local laws and requirements

Team member engagement

We also consider team member engagement an important metric of our organizational health. We regularly seek team member feedback and measure engagement through a survey which contains three engagement key performance indicators (KPIs) that we believe provide a comprehensive measure of team member engagement. The KPIs are designed to determine whether our team members recommend HealthEquity as a great place to work, whether their work gives them a sense of accomplishment, and whether they are motivated to go above and beyond in their work.

As of October 2025, our team member engagement score was 78% favorable, 15% neutral, and 7% unfavorable, based on a participation rate of 86%. We believe that our team member engagement impacts our ability to retain our team members. For the fiscal year ended January 31, 2026, our total team member turnover was 25% and our voluntary turnover was 10%.

-10-

Table of Contents

Corporate information

HealthEquity, Inc. was incorporated as a Delaware corporation on September 18, 2002. Our principal business office is located at 15 W. Scenic Pointe Dr., Ste. 100, Draper, Utah 84020. Our website address is www.healthequity.com. We do not incorporate the information contained on, or accessible through, our corporate website into this Annual Report on Form 10-K, and you should not consider it to be part of this report.

Where you can find additional information

Our website is located at www.healthequity.com, and our investor relations website is located at ir.healthequity.com. Information on our website is not incorporated into this report. Copies of our Annual Reports on Form 10-K, Quarterly Reports on Form 10-Q, Current Reports on Form 8-K, and any amendments to these reports filed or furnished pursuant to Section 13(a) or 15(d) of the Exchange Act are available, free of charge, on our investor relations website as soon as reasonably practicable after we file such material electronically with or furnish it to the SEC. The SEC maintains an internet site that contains reports, proxy and information statements, and other information regarding issuers that file electronically with the SEC at www.sec.gov.

-11-

Table of Contents

Item 1A. Risk factors

You should carefully consider the risks described below together with the other information set forth in this Annual Report on Form 10-K. The risks described below are not the only risks facing our company. Risks and uncertainties not currently known to us or that we currently deem to be immaterial also may materially adversely affect our business, financial condition, and operating results.

Risks relating to our business and industry

Any diminution in, elimination of, or change in the availability of tax benefits for HSAs and other CDBs would materially adversely affect us.

Substantially all of our revenue is earned from tax-advantaged HSAs and other CDBs. The efforts of governmental and third-party payers to raise revenue or contain or reduce healthcare or other costs could include restructuring the tax benefits available through HSAs and other CDBs, which may adversely affect our business, operating results, and financial condition. We cannot predict if any new tax reforms will ultimately become law, or if enacted, what their terms or the regulations promulgated pursuant to such reforms will be. If the laws or regulations are changed to limit or eliminate the tax benefits available through these accounts, such a change would have a material adverse effect on our business.

The portion of HSA cash held by our insurance company partners continues to increase with the increasing adoption of our Enhanced Rates program. The HSA cash held through our insurance company partners is not federally insured, and our members bear the risk of loss with respect to either the failure of the insurance company partner holding their HSA cash or the breach by the insurance company partner of its obligations to guarantee principal or pay interest thereon. In addition, we deposit Client-held funds with our Depository Partners in interest-bearing demand deposit accounts, and federal deposit insurance may not be available for certain Clients.

If any material adverse event were to affect one of our insurance company partners or Depository Partners, including a significant decline in its financial condition, a decline in the quality of its service, a loss of deposits, its inability to comply with applicable insurance, banking, or other regulatory requirements, systems failure, or its inability to return principal or pay interest thereon, our business, financial condition, and results of operations could be materially and adversely affected. In addition, in the event of such a failure of, or breach by, one of our insurance company partners, the HSA cash held through that insurance company partner would be at risk and no assurance can be given that our contractual arrangements with that insurance company partner would be sufficient for our members to fully recover their HSA cash, which would in turn result in reputational and financial harm to the Company.

In addition, certain of our insurance company partners have commitments to us with respect to the interest rates paid; however, some of these commitments are conditional upon certain market events or the satisfaction of our obligations to the partner. A reduction of the interest rate payable, or a requirement that we post collateral in lieu of any such reduction, could have a material and adverse impact on our business, financial condition, and results of operations.

Failure to adequately manage the liquidity of the custodial assets held by our insurance company partners and Depository Partners could materially and adversely affect our business, financial condition, and results of operations.

Certain of our arrangements with our insurance company partners and Depository Partners require that we keep a minimum amount of HSA cash with such partner.

-12-

Table of Contents

A decline in interest rates would reduce our income on our HSA Assets and Client-held funds and our ability to attract HSA contributions.

A decline in prevailing interest rates would negatively impact our business by reducing the yield we realize on our HSA Assets and other Client-held funds. In addition, if we do not offer competitive interest rates on HSA Assets, our members may choose another HSA custodian. Any such scenario could materially and adversely affect our business and results of operations.

A decline in the value of invested HSA Assets would adversely affect our results of operations.

If the value of invested HSA Assets that our members hold declines, whether due to market conditions or other factors, our fees received on invested HSA Assets, which are based on a percentage of the asset values, would be adversely affected, which would in turn negatively impact our results of operations.

If we are not successful in adapting to our rapidly evolving industry, our growth may be limited, and our business may be adversely affected.

The market for our products and services is subject to rapid and significant change and competition. In addition, there may be a limited-time opportunity to achieve and maintain a significant share of this market due in part to our rapidly evolving industry, industry consolidation, and the substantial resources available to our existing and potential competitors. In order to remain competitive, we are continually involved in a number of projects to develop new services or compete with these new market entrants. These projects carry risks, such as cost overruns, delays in delivery, performance problems, and lack of acceptance by our Clients, Network Partners, marketplace partners, and members.

Any diminution in the use of HSAs or other CDBs would materially adversely affect us.

We believe that many consumers are not familiar with, or do not fully appreciate, the tax-advantaged benefits of HSAs and other CDBs.

If our members do not fully use their HSAs or CDBs, if employers reduce or cease to offer HSAs or other CDB programs, if the rate of adoption of these accounts decreases, if existing Clients, Network Partners, and members do not recognize or acknowledge the benefits of our services or we do not drive engagement, then the market for our services might decline or develop more slowly than we expect, which could adversely affect our operating results.

The expanding use or anticipated use of AI technologies, including generative AI, by us or third parties, may increase or create new operational and competitive risks.

AI technologies – including generative AI – present numerous opportunities, such as benefits from increased operational efficiencies and innovative new products. The use of AI technologies by us, our service providers, and our competitors has increased recently, and we expect it to further increase rapidly. We utilize AI to streamline administrative processes and improve the experience for our members. These applications have and likely will continue to become increasingly important to our operations.

However, the development and deployment of such technologies also pose significant risks. For example, new products and services incorporating or utilizing AI and machine learning may raise technological, security, legal, reputational, and other risks and challenges related to, among other items, the use of personal information or the information of clients who have not granted permission for the use of their data in such AI systems, flaws in our models or training datasets that may result in biased or inaccurate results, or other unanticipated outcomes, ethical considerations regarding AI, potential infringement of third-party intellectual property rights, exposure of data, and our ability to safely deploy and implement governance and controls for AI systems. We are also exposed to risks arising from the use of AI technologies by bad actors, who may use such technologies to commit fraud, misappropriate funds, and facilitate cyberattacks. Further, our competitors may adopt AI or generative AI more quickly or more effectively than we do, causing competitive harm. AI is subject to rapidly evolving domestic and international laws and regulations, the scope and requirements of which may be inconsistent across jurisdictions and which could impose significant costs and obligations on us. Any of these risks could negatively impact our reputation, the demand for our products and services, and our financial condition and results of operations.

-13-

Table of Contents

We may be unable to compete effectively against our current and future competitors.

The market for our products and services is highly competitive. We view our competition in terms of direct and indirect competitors. Our direct HSA competitors are well-known retail investment companies, such as Fidelity Investments, HSA custodians and administrators that include state or federally chartered banks, such as Webster Bank and Optum Bank, insurance companies, and non-bank custodians approved by the U.S. Treasury. We also have numerous indirect HSA administration competitors, including benefits administrators and health plans, that license technology platforms and partner with other HSA custodians to provide "white label" HSA offerings. Our other CDB administration competitors include health insurance carriers, human resources consultants and outsourcers, payroll providers, national CDB specialists, regional third-party administrators, and commercial banks, and these competitors have entered, and others may also enter, the HSA market or expand existing HSA offerings to compete with us. Our marketplace initiative also faces competition from telehealth companies with whom we are not affiliated, other providers of similar marketplaces, the producers of products and services competitive with the products and services made available through our marketplace, as well as from similar initiatives by our direct HSA competitors.

An increased focus on HSA-favorable healthcare regulatory reforms may create renewed interest and investment by our competitors in their HSA offerings and lead to greater competition, which could make it harder for us to maintain our growth trajectory. This risk would be compounded if legal requirements or administrative rules are interpreted in a way that makes compliance more onerous for us than for our competitors.

If one or more of our competitors were to merge or partner with another of our competitors, the change in the competitive landscape could materially adversely affect our ability to compete effectively. We have seen an increase in Network Partners that have decided to offer HSAs or other CDBs directly to their customers, and a continuation of this trend would significantly reduce our channel partner opportunities and result in account attrition.

These investment companies have significant advantages over us in terms of brand name recognition, years of experience managing tax-advantaged retirement accounts (e.g., 401(k) and IRA), highly developed recordkeeping, trust functions, and fund advisory and customer relations management, among others. If we are unable to compete effectively with these mutual fund company competitors, our results of operations, financial condition, business, and prospects could be materially adversely affected.

Many of our competitors, in particular banks, insurance companies, and other financial institutions, have longer operating histories and significantly greater financial, technical, marketing, and other resources than we have.

Finally, our competitors may have the ability to devote more financial and operational resources than we can to developing new technologies and services, including services that provide improved operating functionality, and adding features to their existing service offerings. They may have a greater ability to use AI to provide enhanced products and service offerings. If successful, their development efforts could render our services less desirable, resulting in the loss of our existing customers or a reduction in the fees we earn from our products and services.

Developments in the rapidly changing healthcare industry could adversely affect our business.

Substantially all of our revenue is derived from healthcare-related saving and spending by consumers, which could be affected by changes affecting the broader healthcare industry, including decreased spending in the industry overall. General reductions in expenditures by healthcare industry participants could result from, among other things:

•government regulation or private initiatives that affect the manner in which healthcare industry participants interact with consumers and the general public;

•consolidation of healthcare industry participants;

•reductions in governmental funding for healthcare; and

•adverse changes in general business or economic conditions affecting healthcare industry participants.

-14-

Table of Contents

Even if general expenditures by industry participants remain the same or increase, developments in the healthcare industry may result in reduced spending in some or all of the specific market segments that we serve now or in the future. The healthcare industry has changed significantly in recent years, and we expect that significant changes will continue to occur. However, the timing and impact of developments in the healthcare industry are difficult to predict.

If our members do not continue to utilize our payment cards, our results of operations, business, and prospects would be materially adversely affected.

We derived 15%, 15%, and 16% of our total revenue during the fiscal years ended January 31, 2026, 2025, and 2024, respectively, from interchange fees that are paid to us when our customers utilize our payment cards. These fees represent a percentage of the expenses transacted on each card.

If we fail to operate our marketplace effectively, if our Network Partners, Clients, or members respond negatively to our marketplace, or if our marketplace partners, products, or services are disrupted, our business may be adversely affected.

We generate revenue from our marketplace partners who provide the HSA or FSA eligible products and services, including access to telehealth consultations, certain healthcare programs, and certain prescription medications through a third-party partner, to our members. The growth of our marketplace is dependent on our ability to operate the marketplace in a regulatorily compliant manner, market to members effectively and in a cost-efficient manner, and adapt to demands of our Network Partners, Clients, and members. Failure to operate the marketplace effectively could have a negative impact on our growth opportunities.

In addition, negative publicity concerning our marketplace, our marketplace partners, or member experience using our marketplace could limit acceptance of this offering by our Network Partners, Clients, or members, which would adversely affect our revenue and future growth opportunities.

We are dependent upon the partnerships we have entered into for certain of the products, programs, and services available in our marketplace which could be negatively affected if those partnerships are disrupted or experience negative publicity. Such disruption of our partners, along with any negative developments regarding the products, programs, and services made available through the marketplace, could damage our brand, subject us to liability, affect our ability to retain Network Partners, Clients and members, and harm our business and financial results.

The products, programs, and services made available through our marketplace may also subject us to additional federal, state, and local laws and regulations, and a failure to comply with any such law or regulation could have a negative effect on our business, financial condition, and results of operations, and may expose us to civil and criminal penalties. For example, one of our marketplace partners, in addition to offering branded GLP-1 medications as part of its weight loss programs, also offers access to compounded GLP-1 medications, and the regulatory environment around compounded GLP-1 medications has been volatile. The products, programs, and services made available through the marketplace are part of highly competitive markets, and introduce new and more sophisticated competitors to us, which could result in scrutiny, competitive pressures, and litigation from these competitors.

Failure to maintain effective internal control over financial reporting could have a material adverse effect on our reputation, results of operations, and financial condition.

Effective internal control over financial reporting is necessary for us to provide reliable financial reports, prevent fraud, and operate successfully as a public company. Any failure, whether in connection with our growth, acquisitions, or otherwise, to execute on our internal controls and continue to maintain effective internal controls, to timely implement any necessary additional improvement to our internal controls, or to effect remediation of any future material weakness or significant deficiency could, among other things, result in losses from fraud or error, harm our reputation, result in regulatory fines, penalties, or investigations, or cause investors to lose confidence in our reported financial information, all of which could have a material adverse effect on our reputation, results of operations, or financial condition.

Management reviews and updates our systems of internal controls and procedures, as appropriate. Any system of controls is based in part on certain assumptions and can provide only reasonable, not absolute, assurances that the objectives of the system are met. Any failure or circumvention of our controls and procedures or failure to comply

-15-

Table of Contents

with regulations related to controls and procedures could have a material adverse effect on our reputation, results of operations and financial condition.

Data security, technological, and intellectual property risks

Cyber attacks, including ransomware attacks, or other privacy or data security incidents could materially adversely impact our business.

As one of the largest providers of HSAs and other CDBs, our proprietary technology platforms enable the exchange of, and access to, sensitive information. As a result, we are frequently the target of cyber attacks, including ransomware attacks, which means we must continue to monitor and take steps to secure each of our technology platforms, making sure these platforms are aligned to our industry benchmark security posture.

Substantially all of our workforce works remotely. This remote work environment increases the risk of cybersecurity breaches and incidents, and the potential impact of these on our operations is also higher while our team members log into our network remotely. In addition, we use third-party partners to service our members. These third-party partners must have access to member information in order to provide this service. Third-party partner remote access to our member information further increases the risk of cybersecurity breaches and incidents through those partners, and from time to time our third-party partners are also the victims of cybersecurity breaches and incidents that may involve member information.

We rely on standard Internet and other security systems to provide the security and authentication necessary to effect secure transmission of data. Such threats could result in actual security events that compromise our networks, or those of third-party service providers on which we rely, and result in the information stored or transmitted there to be accessed, modified, or used in an unauthorized manner, publicly disclosed, lost, or stolen. Such access, use, disclosure, or other loss of information may result in regulatory scrutiny, and legal claims and liability, including under laws that protect the privacy of personal information, as it has in the recent past. Cybersecurity events disrupt our operations and the services we provide to our Clients, damage our reputation, and cause a loss of confidence in our products and services, which could adversely affect our business, operations, and competitive position.

We have been the victim of such breaches, which have damaged our reputation and caused a loss of confidence in our products and services, and which may lead to a reduction in demand and result in an unwillingness of members, Clients, Network Partners, and other data owners to provide us with their payment information or personal information, and otherwise harm our brand. Furthermore, when third parties improperly obtain and use the personal information of our members, we are required to expend significant resources to investigate and resolve these problems.

While we have security measures in place, we have experienced data privacy incidents in the past, including an incident in 2024 in which a business partner's user account containing personally identifiable information was breached. As a result of the incident, we are now subject to a consolidated putative class action lawsuits seeking unspecified damages, and we are subject to regulatory inquiries related to the incident, which may lead to fines or other enforcement by these regulators. Whether as a result of these incidents, or if our security measures are breached again or unauthorized access to data is otherwise obtained as a result of third-party action, team member error, or otherwise, our reputation could be significantly damaged, our business may suffer, and we could incur substantial liability, which could result in loss of sales, Clients and Network Partners.

-16-

Table of Contents

Fraudulent activity, whether involving member accounts or our third-party service providers, has led, and could continue to lead, to financial and reputational damage to us and could reduce the use and acceptance of our products and services.

As a non-bank custodian of HSAs, we are frequently targeted by sophisticated and persistent bad actors for fraudulent activity, through various tactics such as high-volume credential stuffing attacks, denial of service attacks, and social engineering attacks, among others. For example, in the fiscal year ended January 31, 2025, and the fiscal quarter ended April 30, 2025, we experienced a significant increase in the volume and sophistication of outside fraudulent activity targeting member accounts, resulting in a significant loss to us as we incurred service costs to reimburse and protect impacted members. Losses due to fraud committed against us and our Clients, members, and Network Partners may not be covered by insurance policies, and losses not covered by insurance may be material. Even in the event that losses relating to fraudulent activity are covered by insurance, premiums and/or deductibles related to our insurance coverage may increase or the scope of our coverage may decrease, any of which could have an adverse impact on our financial results.

We are also vulnerable to criminal fraudulent activity through our third-party service providers. For example, we are exposed to risks relating to the theft of payment card numbers housed in a merchant's point of sale systems if our members use our payment cards at a merchant whose systems are compromised.

In addition, because of a significant increase in outside fraudulent member account activity, we have suffered reputational damage that could reduce the use and acceptance of our products and services, or cause our Clients, members, and Network Partners to look for alternative providers. Further fraud incidents, or increases in the overall level of fraud involving either member accounts, our reimbursement administrative services, or our third-party service providers, could result in financial and reputational damage to us. If we fail to successfully protect against fraud in the future, our business and financial results may be adversely affected.

We rely on software licensed from third parties that may be difficult to replace or that could cause errors or failures of our technology platforms that could lead to lost customers or harm to our reputation.

We rely on certain cloud-based software licensed from third parties to run our business. In addition, we have service level agreements with certain of our Clients and Network Partners for which the availability of this software is critical.

Developing and implementing new and updated applications, features, and services for our technology platforms may be more difficult than expected, may take longer and cost more than expected, or may result in the platforms not operating as expected.

We rely on a combination of internal development, strategic relationships, licensing, and acquisitions to develop our content offerings, products, and services. These efforts may be more expensive than expected, take longer to develop and implement, and require additional personnel and resources.

-17-

Table of Contents

The revenue opportunities earned from these efforts may fail to justify the effort or resources spent and may not have the anticipated returns on attracting and retaining new Clients and Network Partners. Similar challenges in the future may affect our reputation, the demand for our products and services, our financial condition and results of operations, and otherwise draw adverse regulatory scrutiny.

New products and services, including those incorporating or utilizing AI and machine learning, may raise technological, security, legal, and other risks and challenges related to, among other items, the use of personal information in such AI systems, flaws in our models or training datasets that may result in biased or inaccurate results or other unanticipated outcomes, ethical considerations regarding AI, potential infringement of third-party intellectual property rights, and our ability to safely deploy and implement governance and controls for AI systems. Realization of these risks could negatively impact our reputation, the demand for our products and services, our financial condition and results of operations, and otherwise draw adverse regulatory scrutiny.

Disruptions of service at our facilities, our servers, our third-party data centers, or our cloud service providers have interrupted and delayed our customers’ access to our products and services and will be harmful if repeated.

The ability of our team members, members, Network Partners, and Clients to access our technology platforms is critical to our business. We may experience disruptions to certain data centers and servers upon which we rely to provide timely services to our clients. For example, an unplanned storage service outage in 2024 led to multiple critical services for our members being unavailable and degraded. Our facilities, our third-party data centers, and our cloud service providers are vulnerable to interruption or damage from a number of sources, many of which are beyond our control, including, without limitation:

•extended power loss or other failure of critical infrastructure;

•telecommunications failures from multiple telecommunications providers;

•natural disaster or an act of terrorism;

•software and hardware errors, or failures in our own systems or in other systems;

•mistakes in updating, maintaining, and accessing databases, data centers, and servers;

•network environment disruptions such as computer viruses, hacking, and similar problems in our own systems and in other systems;

•theft and vandalism of equipment; and

•actions or events caused by or related to third parties.

Our data recovery centers are equipped with physical space, power, storage and networking infrastructure and Internet connectivity to support our technology platforms in the event of the interruption of services at our data centers. We have experienced interruptions and delays in service and availability for data centers, and bandwidth and other technology issues in the past. Any future errors, failure, interruptions, or delays experienced in connection with these third-party technologies could delay access to our products by members, Clients and Network Partners, which would harm our business. This could damage our reputation, subject us to potential liability or costs related to defending against claims or cause our members, Clients and Network Partners to cease doing business with us, any of which could negatively impact our financial results.

Our technology platforms may link to or utilize open source software, and any failure to comply with the terms of one or more of these open source licenses could negatively affect our business.

Our technology platforms may incorporate software covered by open source licenses. The terms of various open source licenses have not been interpreted by United States courts, and there is a risk that such licenses could be

-18-

Table of Contents

construed in a manner that imposes unfavorable conditions on us. For example, by the terms of certain open source licenses, we could be required to offer our technology platforms that incorporate the open source software for no cost, that we make publicly available source code for modifications or derivative works that we created based upon, incorporating or using the open source software, and/or that we license such modifications or derivative works under the terms of the particular open source license. If portions of our proprietary software are determined to be subject to an open source license, then the value of our technologies and services could be reduced.

In addition to risks related to license requirements, usage of open source software may be riskier than use of third-party commercial software, as open source licensors generally do not provide warranties or controls on the origin of the software. Many of the risks associated with usage of open source software cannot be eliminated and could negatively affect our business.

Legal and regulatory risks

The healthcare regulatory and political framework is uncertain and evolving, and we cannot predict the effect that further healthcare reform and other changes in government programs may have on our business, financial condition, or results of operations.

In addition, proposals to implement a single payer or "Medicare for all" system in the U.S. or in individual states, if adopted, could have a material adverse effect on our business. Accordingly, we are unable to predict what effect healthcare reform measures will have on our business.

Changes in applicable federal and state laws relating to HSAs and other CDBs could materially adversely affect our business.

HSAs and other CDBs exist as a result of provisions in the Internal Revenue Code and other laws and regulations. Changes to the regulatory landscape impacting our products require substantial time and costs for us to ensure our products are compliant. In addition, federal or state governments could impose laws that limit the eligibility requirements for our products, which could limit our ability to grow or cause us to lose existing members, or such governments could change the eligibility requirements we must meet to maintain the licenses we need to offer our products. We cannot predict if any new reforms will ultimately become law, or if enacted, what their terms or the regulations promulgated pursuant to such reforms will be, and such reforms could have a material adverse effect on our business.

We are subject to privacy regulations, including regarding the access, use, and disclosure of personal information, and the privacy breaches that we or our third-party service providers have experienced or may experience in the future could result in substantial financial and reputational harm, including possible criminal and civil penalties.

We and certain third party service providers process sensitive personal information in connection with our services, including, where applicable, protected health information and nonpublic personal information. A failure to comply with evolving privacy and data protection requirements including sector-specific regimes such as HIPAA, as amended by the Health Information Technology for Economic and Clinical Health Act ("HITECH"), which govern protected health information, the Gramm-Leach-Bliley Act, which governs nonpublic personal information, and various state privacy and breach-notification laws, or a failure to prevent unauthorized access to or disclosure of personal information due to cyberattack, human error, system misconfiguration, third‑party compromise, or other security incident or event could result in regulatory investigations, penalties, litigation (including class actions), contractual claims, member losses, remediation and monitoring costs, operational disruption, and reputational harm. We experienced privacy/security incidents in the past (including an incident in 2024 involving a third-party user account) and future incidents could have greater impact. While we maintain formal privacy and security programs, third‑party oversight, and incident response and notification processes designed to mitigate risks to the confidentiality, integrity, and availability of the sensitive information, including personal information that we hold, residual risk remains. Compliance costs may increase as requirements and expectations continue to change, along with the possibility of costly penalties in the event we are deemed to not be in compliance with such laws and regulations. For example, many states provide a private right of action for data breaches. Additional privacy requirements are expected as new state and federal privacy laws are enacted.

-19-

Table of Contents

Legislative, regulatory, and legal developments involving taxes could adversely affect our results of operations and cash flows.

We are subject to U.S. federal and state income, payroll, property, sales and use, and other types of taxes in numerous jurisdictions. Significant judgment is required in determining our provisions for income taxes. Changes in tax rates, enactments of new tax laws, revisions of tax regulations, and claims or litigation with taxing authorities could result in substantially higher taxes.

We do not collect sales and use taxes in all jurisdictions in which our customers are located, other than from sales of certain commuter services, based on our belief that such taxes are generally not applicable to our services. Sales and use tax laws and rates vary by jurisdiction and such laws are subject to interpretation. In those jurisdictions and in those cases where we do believe sales taxes are applicable, we collect and file timely sales tax returns. Currently, such sales taxes apply to certain commuter services, but otherwise are minimal to the rest of our services. Jurisdictions in which we do not collect sales and use taxes may assert that such taxes are applicable, which could result in the assessment of such taxes, interest, and penalties, and we could be required to collect such taxes in the future. Such additional sales and use tax liability could adversely affect the results of our operations.

Regulatory changes and changes in the enforcement environment may have an adverse result on our business.

Changes to regulations and the enforcement environment create uncertainty around our business and our Clients. In addition, changes to the legal, regulatory, or political environment may require management's attention, divert resources from other areas, and expose us to potential liability.

As a federal contractor, we are required to follow federal law, including executive orders, directed at federal contractors. We are unable to anticipate the scope of potential changes federal contractors will be required to comply with and cannot predict what impact any such changes may have on us or whether we will be able to implement adequate preventative measures to address any future requirements.

Additionally, we administer programs allowing eligible federal government employees access to our technology platforms and services. We generate revenue from this relationship, and in the event that the program or the number of federal employees who participate in the program change significantly, our financial results could be affected.

Changes in laws and regulations relating to interchange fees on payment card transactions could adversely affect our revenue and results of operations.

Existing laws and regulations limit the fees or interchange rates that can be charged on payment card transactions. For example, the Federal Reserve Board has the power to regulate payment card interchange fees and has issued a rule setting a cap on the interchange fee an issuer can receive from a single payment card transaction. Our HSA-linked payment cards are exempt from this rule, although we are subject to a general requirement of reasonable compensation for services rendered. To the extent that our payment cards lose their exempt status, the interchange rates applicable to transactions involving our payment cards could be impacted, which could have a material adverse effect on our financial condition and results of operations.

Failure to comply with these rules and standards could result in significant fines, other penalties, or the termination of our interchange revenue agreements. In addition, from time-to-time, card associations increase the organization or processing fees that they charge, which could increase our operating expenses, reduce our profit margin, and materially adversely affect our results of operations, financial condition, business, and prospects.

-20-

Table of Contents

We are subject to complex regulation, and any compliance failures or regulatory action could adversely affect our business.

Our business, including HSAs and many of the CDBs we administer and our investment adviser and trust company subsidiaries, is subject to extensive, complex, and frequently changing federal and state laws and regulations, including IRS, Health and Human Services (“HHS”), and Department of Labor (“DOL”) regulations; ERISA, HIPAA, HITECH, and other privacy and data security regulations; the Advisers Act; state banking laws; state third-party administrator laws; the Patient Protection and Affordable Care Act; and developing regulation regimes for the use of AI.

Our subsidiary HealthEquity Advisors, LLC is an SEC-registered investment adviser that provides automated web-only investment advisory services. As such, it must comply with the requirements of the Advisers Act and related SEC regulations and is subject to periodic inspections by the SEC staff. Such requirements relate to, among other things, fiduciary duties to clients, disclosure obligations, recordkeeping and reporting requirements, marketing restrictions, limitations on agency cross and principal transactions between the adviser and its clients, and general anti-fraud prohibitions. The SEC is authorized to institute proceedings and impose sanctions for violations of the Advisers Act, ranging from fines and censure to termination of an investment adviser’s registration. Investment advisers also are subject to certain state securities laws and regulations.

Our subsidiary HealthEquity Trust Company is a non-depository trust company and subject to regulation and supervision by the Wyoming Division of Banking.

As we continue to innovate and improve our products and services by leveraging automated decision making, machine learning, and AI, our business model may be affected by global trends and laws that regulate the use of these developing technologies. Such laws or regulations may restrict or impose burdensome and costly requirements on our ability to use AI and machine learning and also may impact our ability to use certain data for developing our products and services.

Compliance with regulatory requirements requires resources and takes significant time and effort. Any claim of non-compliance, regardless of merit or ultimate outcome, could subject us to investigation by the HHS, the DOL, the SEC, the Wyoming Division of Banking, or other regulatory authorities. Furthermore, investor perceptions of us may suffer, and this could cause a decline in the market price of our common stock. Our compliance processes may not be sufficient to prevent assertions that we failed to comply with any applicable law, rule, or regulation. In addition, all of our business is subject, to varying degrees, to fiduciary and other service provider obligations under ERISA, the Internal Revenue Code, and underlying regulations. A failure to comply with these or other regulatory and compliance obligations could subject us to disgorgement of profits, excise taxes, civil penalties, private lawsuits, and other costs, including reputational harm.

If we are unable to meet or exceed the net worth test required by the IRS, we could be unable to maintain our non-bank custodian status.

If we should fail to comply with the Treasury Regulations’ non-bank custodian requirements, including the net worth requirements, such failure would materially and adversely affect our ability to maintain our current custodial accounts and grow by adding additional custodial accounts, and it could result in the institution of procedures for the revocation of our authorization to operate as a non-bank custodian.

Risks relating to our service and culture

Any failure to offer high-quality member, Client, and Network Partner support services could adversely affect our relationships with our members, Clients, and Network Partners and our operating results.

Our sales process is highly dependent on the reputation of our products, services, and business and on positive recommendations from our existing members, Clients and Network Partners. Further, we use third-party service providers for certain call centers and COBRA claims and transaction processing, including certain offshore service

-21-

Table of Contents

providers for member chat service, which service providers may not provide the same quality of support services for our Clients and members. Any failure to maintain high-quality education and technical support, or a market perception that we do not maintain high-quality education support, could adversely affect our reputation, our ability to sell our products and services to existing and prospective customers, and our business and operating results. We promote 24/7/365 education and support along with our proprietary technology platforms.

We rely on our management team and team members, and our business could be harmed if we are unable to retain qualified personnel.

Our success depends, in part, on the skills, working relationships and continued services of our executive team and other key personnel. While we have entered into employment agreements with our executive officers, all of our team members are “at-will” employees, and their employment can be terminated by us or them at any time, for any reason, and without notice, subject, in certain cases, to severance payment rights. In order to retain valuable team members, in addition to salary and cash incentives, we provide equity-based awards that vest over time or based on performance. The value to team members of these awards will be significantly affected by movements in our stock price that are beyond our control and may at any time be insufficient to counteract offers from other organizations. The departure of key personnel could adversely affect the conduct of our business. In such event, we would be required to hire other personnel to manage and operate our business, and there can be no assurance that we would be able to employ a suitable replacement for the departing individual, or that a replacement could be hired on terms that are favorable to us. Volatility or lack of performance in our stock price may affect our ability to attract replacements should key personnel depart.

Our success also depends on our ability to attract, retain, and motivate additional skilled management personnel and other team members. New hires require significant training and, in most cases, take significant time before they achieve full productivity. New team members may not become as productive as we expect, and we may be unable to hire or retain sufficient numbers of qualified individuals.

If we cannot maintain our corporate culture as we grow, we could lose the innovation, teamwork, passion, and focus on execution that we believe contribute to our success.

We believe that a critical component to our success has been our corporate culture. We have invested substantial time and resources in building our team. In addition, it is difficult to instill our culture in our now predominantly remote workforce. Any failure to preserve our culture could negatively affect our future success, including our ability to retain and recruit personnel and to effectively focus on and pursue our corporate objectives.

Risks relating to our partners and service providers

If our Network Partners choose to partner with other providers of, or otherwise reduce offering or cease to offer, our products and services, our business could be materially and adversely affected.

In particular, certain of our Network Partners enjoy significant market share in various geographic regions. If these Network Partners choose to instead partner with our competitors, or otherwise reduce offering, or cease to offer, our products and services, our results of operations, business, and prospects could be materially adversely affected.

A BIN sponsor is a bank or credit union that provides the BIN that allows a prepaid card program to run on one of the major card brand networks (e.g., VISA, MasterCard, Discover, or American Express). If any material adverse event were to affect our BIN

-22-

Table of Contents

sponsor, including a significant decline in the financial condition of such BIN sponsor, a decline in the quality of service provided by our BIN sponsor, the inability of our BIN sponsor to comply with applicable banking and financial service regulatory requirements or industry standards, systems failure, or the inability of our BIN sponsor to pay us fees, our business, financial condition, and results of operations could be materially and adversely affected because we may be forced to reduce the availability of, or eliminate entirely, our payment card offering, which would materially impact our interchange revenue.

In the past, certain of these service providers have failed to maintain adequate levels of support, did not provide high quality service to us and our members, increased the fees they charge us, discontinued their lines of business, terminated our contractual arrangements, or ceased or reduce operations, and as a result, we suffered additional costs and were required to pursue new third-party relationships, which resulted in reputational harm, material disruption of our operations and our ability to provide our products and services, missed service-level agreements with Clients and Network Partners, and diverted management’s time and resources, and these events and consequences could happen with our current service providers moving forward. We may also be unable to establish comparable new third-party relationships on as favorable terms or at all, which could materially and adversely affect our business, financial condition, and results of operations.

Growth-related risks

Our acquisition and investment strategies may not be successful.

Certain of our past transactions also resulted in dilutive issuances of equity securities and the incurrence of additional debt, and future acquisitions or investments could result in additional dilutive issuances of equity securities or the incurrence of additional debt, which could adversely affect our business, results of operations, or financial condition.

Failure to manage future growth effectively could have a material adverse effect on our business, financial condition, and results of operations.

The continued rapid expansion and development of our business has placed a significant strain upon our management and administrative, operational, and financial infrastructure. As of January 31, 2026, we had approximately 10.6 million HSAs and $36.5 billion in HSA Assets representing growth of 7% and 14%, respectively, from January 31, 2025. Our growth strategy contemplates further increasing the number of our HSAs, CDBs, and HSA Assets at relatively higher growth rates than industry averages. However, the rate at which we have been able to add new HSAs, CDBs, and HSA Assets in the past may not be indicative of the rate at which we will be able to grow in the future.

-23-

Table of Contents

Our success depends in part upon the ability of our executive officers to manage growth effectively. There can be no assurance that we will be able to accurately anticipate and respond to the changing demands we will face as we continue to expand our operations or that we will be able to manage growth effectively or to achieve further growth at all. If our business does not continue to grow or if we fail to effectively manage any future growth, our business, financial condition, and results of operations could be materially and adversely affected.

We may not accurately estimate the impact on our business of developing, introducing, and updating new and existing products and services.

We intend to continue to invest in technology and development to create new and enhanced products and services to offer our customers and to enhance the capabilities of our platforms. We may not be able to anticipate or manage new risks and obligations or legal, compliance, or other requirements that may arise in these areas. The anticipated benefits of such new and improved products and services may not outweigh the costs and resources associated with their development. Some new services may be received negatively by our existing and/or potential customers and strategic partners and have to be put on hold or canceled entirely.

Our ability to attract and retain new customer revenue from existing customers will depend in large part on our ability to enhance and improve our existing products and services and to introduce new products and services. The success of any enhancement or new product or service depends on several factors, including the timely completion, introduction, and market acceptance of the enhancement or new product or service. Any new product or service we develop or acquire may not be introduced in a timely or cost-effective manner and may not achieve the broad market acceptance necessary to earn significant revenue.

We may need to record write-downs from future impairments of identified intangible assets and goodwill.

We test our goodwill for impairment each fiscal year, but we also test goodwill and other intangible assets for impairment at any time when there is a change in circumstances that indicates that the carrying value of these assets may be impaired. This is particularly relevant to us given our recent acquisition history and the amount of goodwill and intangible assets on our balance sheet associated with those acquisitions. Any future determination that these assets are carried at greater than their fair value could result in substantial non-cash impairment charges, which could significantly impact our reported operating results.

Integration of our acquisitions may not be successful, and we may not realize the synergies anticipated from our acquisitions.

In addition, we may not realize the anticipated cost, revenue, and other synergies associated with successfully integrating our acquisitions.

Financing and related risks

Our substantial debt could limit our ability to fund operations, expose us to interest rate volatility, limit our ability to raise additional capital, and have a material adverse effect on our ability to fulfill our obligations under our Credit Agreement and Indenture and to our Network Partners, Clients, and members.

We are party to a credit agreement (the "Credit Agreement"), which consists of a five-year senior secured revolving credit facility in the aggregate principal amount of $1 billion (the “Revolving Credit Facility”), of which $361.9 million

-24-

Table of Contents

was outstanding as of January 31, 2026. We have also issued $600 million of 4.50% unsecured Senior Notes due 2029 (the "Notes"). Under the Credit Agreement, we have the right to request additional loans or commitments in an amount up to $450 million, plus (ii) an additional amount so long as the pro forma First Lien Net Leverage Ratio (as defined in the Credit Agreement) does not exceed 3.85 to 1.00 as of the date such loans or commitments are incurred. We also have the right to incur additional debt from time to time, subject to the restrictions contained in the Credit Agreement and the indenture under which the Notes were issued (the "Indenture"). The substantial debt we have outstanding, combined with our other financial obligations and contractual commitments, has important consequences, including the following:

•our level of debt may make it more difficult for us to satisfy our obligations with respect to our debt, and any failure to comply with the obligations under any of our debt instruments, including restrictive covenants, could result in an event of default under the Credit Agreement or the Indenture and the agreements governing such other debt;

•we use a portion of our cash flow from operations to pay principal and interest on our debt, thereby reducing the availability of our cash flow to fund working capital, capital expenditures, strategic acquisitions, investments, alliances, and other general corporate requirements;

•our interest expense has increased substantially, and could continue to increase if interest rates increase beyond current levels, because any outstanding borrowings under the Revolving Credit Facility are based on variable interest rates;

•the interest rate on our Revolving Credit Facility will depend on the level of its specified financial ratios, and therefore could increase if such specified financial ratios increase;

•such substantial debt could leave us vulnerable to general economic downturns and adverse competitive and industry conditions and could place us at a competitive disadvantage compared to those of our competitors that are less leveraged;

•our debt service obligations could limit our flexibility to plan for, or react to, changes in our business and the industry in which we operate;

•our level of debt may restrict us from raising additional financing on satisfactory terms to fund working capital, capital expenditures, strategic acquisitions, investments, joint ventures, and other general corporate requirements;

•our level of debt may prevent us from raising the funds necessary to repurchase all of the Notes tendered to us upon the occurrence of a change of control, which would constitute an event of default under the Indenture; and

•a potential failure to comply with the financial and other restrictive covenants in any of our debt instruments, which, among other things, require us to maintain specified financial ratios, could, if not cured or waived, have a material adverse effect on our ability to fulfill our obligations under the Notes and on our business and prospects generally.

The Indenture and the Credit Agreement contain covenants that impose significant operational and financial restrictions on us, and the failure to comply with these covenants would result in an event of default under these instruments.

The Indenture and the Credit Agreement impose on us operating and other restrictions. These restrictions affect, and in many respects limit or prohibit, among other things, our ability to:

•incur additional debt and issue certain capital stock;

•create liens;

•make investments or acquisitions;

•enter into transactions with affiliates;

•sell assets;

•guarantee debt;

•declare or pay dividends or other distributions to shareholders;

•repurchase equity interests;

•redeem debt that is subordinated in right of payment to certain debt instruments;

•enter into agreements that restrict dividends or other payments from subsidiaries; and

•consolidate, merge, or transfer all or substantially all of our assets and the assets of our subsidiaries on a consolidated basis.

The terms of the Revolving Credit Facility in the Credit Agreement also require us to achieve and maintain compliance with specified financial ratios and contain the following restrictions:

•limit our ability to plan for or react to market conditions or meet capital needs or otherwise restrict our activities or business plans; and

-25-

Table of Contents

•adversely affect our ability to finance our operations, strategic acquisitions, investments, alliances, or other capital needs or to engage in other business activities that would be in our interest.

A breach of any of these restrictive covenants or our inability to comply with the required financial ratios would result in a default under some or all of the debt agreements. The lenders will also have the right in these circumstances to terminate any commitments they have to provide further borrowings. Additionally, our Credit Agreement contains a cross-default provision, which generally causes a default or event of default under the Credit Agreement upon a qualifying default or event of default under any other debt instrument (including under the Indenture) and the Indenture contains a cross-acceleration provision. If not cured or waived, such acceleration could have a material adverse effect on our business and our prospects.

General risk factors

Provisions in our charter documents and under Delaware law could discourage a takeover that stockholders may consider favorable.

Certain provisions in our governing documents could make a merger, tender offer, or proxy contest involving us difficult; even if such events would be beneficial to the interests of our stockholders. These provisions include the inability of our stockholders to act by written consent and certain advance notice procedures with respect to stockholder proposals and nominations for candidates for the election of directors. In addition, because we are incorporated in Delaware, we are governed by the provisions of Section 203 of the Delaware General Corporation Law which, subject to certain exceptions, prohibits stockholders owning in excess of 15% of our outstanding voting stock from merging or combining with us. Accordingly, our board of directors could rely upon these or other provisions in our governing documents and Delaware law to prevent or delay a transaction involving a change in control of our company, even if doing so would benefit our stockholders.

The exclusive forum provision in our amended and restated certificate of incorporation could limit our stockholders’ ability to obtain a favorable judicial forum for disputes with us or our directors, officers, or team members.

Our amended and restated certificate of incorporation provides that the Court of Chancery of the State of Delaware is the exclusive forum for any derivative action or proceeding brought on our behalf, any action asserting a claim for breach of a fiduciary duty owed by any of our directors and officers to us or our stockholders, any action asserting a claim arising pursuant to any provision of the Delaware General Corporation Law, our amended and restated certificate of incorporation or our amended and restated bylaws, or any action asserting a claim governed by the internal affairs doctrine. The choice of forum provision may limit a stockholder’s ability to bring a claim in a judicial forum that it finds favorable for disputes with us or our directors, officers or other team members, which may discourage such lawsuits against us and our directors, officers, and other team members. Alternatively, if a court were to find the choice of forum provision contained in our amended and restated certificate of incorporation to be inapplicable or unenforceable in an action, we may incur additional costs associated with resolving such action in other jurisdictions, which could adversely affect our business and financial condition.

Item 1B. Unresolved staff comments

None.

Cybersecurity

Overview

Cybersecurity risk is the risk of compromising the confidentiality, integrity, or availability of our technology platforms, data, and other systems, which could have an adverse impact on us, our members, Clients, and Network Partners, and our relationships with them. As further described below, we take various steps designed to help ensure that our platforms, data, and other systems remain available, resilient, and secure in the face of risks presented both by inadvertent actions (e.g., software that fails to operate properly) and by malicious activities (e.g., threat actors deliberately seeking to steal data or otherwise cause disruption). In particular, our industry continues to be a target

-26-

Table of Contents

for increasingly sophisticated cyber threats, including those driven by the rapid advancement of AI, adoption of public cloud environments, and reliance on third parties. We take a security-by-design and risk-based approach to our cybersecurity program, which emphasizes continual improvement to safeguard non-public information and enable our business operations.

Our cybersecurity program is structured to identify, assess, and mitigate risks through continuous monitoring, proactive threat intelligence, and a multi-layered defense strategy. We implement security controls, tools, and incident response procedures to prevent, detect, escalate, investigate, resolve, and recover from identified and reasonably anticipated vulnerabilities, including cybersecurity incidents. We emphasize fraud prevention, data protection, and securing our core platforms, while also prioritizing zero trust architecture, third-party risk management, immutable backups, training our staff and others who may have access to our data and systems, and improvement of our security personnel.

In the event of a security risk or breach, we are prepared with response protocols aligned with National Institute of Standards & Technology ("NIST") guidelines. Our Security Incident Response Plan defines roles and responsibilities, incident severity levels, key contacts, post-incident steps, and testing guidelines. Our procedures cover response steps for phishing attacks, ransomware, data breaches, and major vulnerabilities. This adaptive approach strengthens our ability to anticipate and counter emerging threats. See “Risk Factors” in Part I, Item 1A of this Form 10-K for further information about cybersecurity risk.

Risk management and strategy

We have implemented the Three Lines of Defense Model as the foundation of our risk management approach. Our information security team serves as a First Line, working with our Enterprise Risk Management & Compliance functions as a Second Line, and our Internal Audit function as the Third Line.

Cybersecurity is integrated into our operations, including through team member engagement, technology infrastructure, data fabric, and product development. We maintain administrative, technical, and physical safeguards designed to protect confidential data. Additionally, to help ensure our approach to customer privacy and security is effective and in line with industry standards, we publish Service and SOC 2 attestation reports on our risk management standards established by the Statement on Standards for Attestation Engagements 18.

We regularly engage external and internal assessors and auditors to evaluate and audit our cybersecurity policies, procedures, standards, and practices. Results from these assessments are shared with management for remediation and with the Cybersecurity and Technology Committee of our board of directors on a regular basis. We have obtained, or are working toward obtaining, industry certifications and attestations and have aligned our cybersecurity program with the NIST Cybersecurity Framework and related controls.

As part of our Third Party Risk Management program, we perform initial risk assessments prior to engaging third-party service providers and ongoing risk assessments annually thereafter, which follow an established process designed to identify, assess, and periodically review our exposure to risk through our partners.

During the fiscal year ended January 31, 2026, no known cybersecurity threats materially affected, or we believe are reasonably likely to materially affect, our business, our business strategy, financial reporting, or results of operations.

Governance

The Cybersecurity and Technology Committee of our board of directors provides oversight of the Company’s cybersecurity threat landscape, risks and data security programs, and the Company’s management and mitigation of cybersecurity risks and potential breach incidents. The Audit and Risk Committee of our board of directors provides an additional layer of cybersecurity oversight, as it provides oversight of the Company’s enterprise risk management program, which includes management of cybersecurity risks and the potential fraud and privacy risks that could arise from a cybersecurity incident.

The Chief Security Officer ("CSO") and his delegates meet with the Cybersecurity and Technology Committee at least quarterly to, among other items, review any cybersecurity incidents, review key risks and metrics on the Company’s cybersecurity program and related risk management programs, and discuss the Company’s cybersecurity programs and goals. The Cybersecurity and Technology Committee also participates in cybersecurity

-27-

Table of Contents

tabletop exercises with management and receives training on cybersecurity trends and developments. The Cybersecurity and Technology Committee updates the full board of directors at each quarterly board meeting, or more frequently if needed.

Our enterprise cybersecurity program is led by the CSO, who brings more than two decades of cybersecurity leadership experience and oversees both information technology and information security functions. In order to assess and manage our material risks from cybersecurity threats, our CSO works with cross-functional teams, which are staffed with subject matter experts and leaders from each of the following areas:

•Threat & Vulnerability Management: We follow a defense-in-depth security model with a Joint Security Operations Center, Attack Surface Management, and Data Protection team working with security architects and engineers deploying controls designed to prevent or limit the success of an attack.

•Governance, Risk, and Compliance: Our Security Governance, Risk, and Compliance team helps drive trust, compliance, and data protection by managing risks, including supply chain risks, to strengthen customer confidence, support innovation, and protect our reputation.

•Fraud Prevention: Our Fraud Strategy and Prevention team seeks to employ industry best practices of fraud prevention, identity and access management ("IAM"), and cybersecurity monitoring to protect the transactions of our members and Clients. We continue to invest in people, processes, and technology solutions to enhance our fraud prevention program.

•Security Engineering & Architecture: Our Security Engineering & Architecture team designs and implements resilient security solutions, embedding security into cloud and on-premise environments while automating controls and integrating security into development lifecycles.

•Identity & Access Management: Our IAM team enforces zero trust principles, least privilege access, and adaptive authentication, managing multi-factor authentication, privileged access management, and just-in-time access to protect critical systems while ensuring seamless and compliant user access.

Recently Filed

Click on a ticker to see risk factors

Ticker *	File Date
LFWD	19 minutes ago
PFBX	57 minutes ago
MHH	2 hours ago
NEON	2 hours ago
VACI	2 hours ago
GIFT	3 hours ago
NSPR	3 hours ago
CING	3 hours ago
PLX	4 hours ago
HIND	5 hours ago
BOBS	5 hours ago
TSSI	14 hours ago
CNTY	15 hours ago
ESLA	15 hours ago
DMYY	16 hours ago
PGIM	16 hours ago
PFHO	17 hours ago
GGROU	17 hours ago
ARTC	18 hours ago
TELO	18 hours ago
CLPT	18 hours ago
HHS	18 hours ago
GXAI	18 hours ago
MESH	19 hours ago
CAPR	19 hours ago
SLXN	19 hours ago
VREOF	19 hours ago
AUBN	19 hours ago
CBUS	19 hours ago
AXTI	19 hours ago
INDP	19 hours ago
CWGL	19 hours ago
BRLT	19 hours ago
GTLB	19 hours ago
IPM	19 hours ago
ANKM	19 hours ago
PHXE-P	19 hours ago
LULU	19 hours ago
FLD	19 hours ago
TRVI	19 hours ago
NN	19 hours ago
IZEA	19 hours ago
OKLO	19 hours ago
HQY	19 hours ago
BKSY	19 hours ago
ANTX	19 hours ago
COPR	21 hours ago
GAP	22 hours ago
MGTI	23 hours ago
CHCI	1 day, 2 hours ago

OTHER DATASETS

House Trading

Dashboard

Corporate Flights

Dashboard

App Ratings

Dashboard

Strategies

Alerts

Browse Data

Risk Factors Dashboard

View risk factors by ticker

Search filings by term

Risk Factors - HQY

-New additions in green
-Changes in blue
-Hover to see similar sentence in last filing

Recently Filed

OTHER DATASETS

House Trading

Corporate Flights

App Ratings

TRADE SMARTER

TRADE SMARTER

Strategies

Alerts

Browse Data

Risk Factors Dashboard

View risk factors by ticker

Search filings by term

Risk Factors - HQY

-New additions in green-Changes in blue-Hover to see similar sentence in last filing

Recently Filed

OTHER DATASETS

House Trading

Corporate Flights

App Ratings

TRADE SMARTER

TRADE SMARTER

-New additions in green
-Changes in blue
-Hover to see similar sentence in last filing