Risk Factors Dashboard
Once a year, publicly traded companies issue a comprehensive report of their business, called a 10-K. A component mandated in the 10-K is the ‘Risk Factors’ section, where companies disclose any major potential risks that they may face. This dashboard highlights all major changes and additions in new 10K reports, allowing investors to quickly identify new potential risks and opportunities.
Risk Factors - PYPL
Item 1A. Risk Factors” of this Form 10-K, as well as in our consolidated financial statements, related notes, and the other information appearing in this report and our other filings with the Securities and Exchange Commission (“SEC”). We do not intend, and undertake no obligation except as required by law, to update any of our forward-looking statements after the date of this report to reflect actual results, new information, or future events or circumstances. Given these risks and uncertainties, readers are cautioned not to place undue reliance on such forward-looking statements. You should read the information in this report in conjunction with the audited consolidated financial statements and the related notes that appear in this report.
Our Information Security Program is built on a three lines of defense model integrated into our overall Enterprise Risk and Compliance Management Program (“ERCM Program”). It shares common methodologies, reporting channels, and governance processes that apply across the ERCM Program to other legal, compliance, strategic, operational, and financial risk areas. The Program is governed by the Technology, Information Security, and Privacy Risk Management Committee and overseen by our Board of Directors (“Board”) and its Audit, Risk and Compliance Committee (“ARC Committee”).
For a description of risks from known cybersecurity threats, including as a result of any prior cybersecurity incidents, that have materially affected or are reasonably likely to materially affect us, including our operations, business strategy, results of operations, or financial condition, see “Item 1A. Risk Factors” under the captions “Cyberattacks and security vulnerabilities could result in serious harm to our reputation, business, and financial condition” and “Business interruptions or systems failures may impair the availability of our websites, applications, products or services, or otherwise harm our business.”
Our Board considers cybersecurity risk as part of its risk oversight function and has delegated to our ARC Committee oversight of cybersecurity and other information technology risks. The ARC Committee oversees PayPal’s overall risk framework, including management’s implementation of our cybersecurity risk management program, and reports to the full Board of Directors on a regular basis on cybersecurity and information technology risk management. The ARC Committee receives periodic reports from the Chief Information Security Officer (“CISO”) on our cybersecurity risks. Management also updates the ARC Committee, as necessary, regarding cybersecurity incidents.
Our cybersecurity teams, overseen by our CISO, are responsible for assessing and managing our risks from cybersecurity threats, including defining security policy and board reporting of security risk. The CISO approves all security policies and oversees the identification, assessment, and management of cybersecurity risks, which provides a proactive and comprehensive approach to safeguarding our information assets. The teams have primary responsibility for our overall Information Security Program and supervise both our internal cybersecurity personnel and our external cybersecurity consultants. Our cybersecurity teams’ experience includes cybersecurity incident response, in-depth security assessments, and security emulation exercises to evaluate security profile, security research, education and outreach, and security tool development.
ITEM 1. BUSINESS
OVERVIEW
At PayPal Holdings, Inc., our mission is to revolutionize commerce globally. Our products are designed to enable digital payments and simplify commerce experiences for consumers and merchants to make selling, shopping, and sending and receiving money simple, personalized, and secure, online or offline, including mobile. Our two-sided platform serves millions of consumers and merchants worldwide.
We help consumers transact quickly and securely with merchants, manage their financial lives, and send to and receive money from friends and family around the globe. We provide consumers with a digital wallet that enables them to send payments to merchants securely using a variety of funding sources, which may include a bank account, a PayPal or Venmo account balance, our consumer credit products, a credit card, a debit card, certain cryptocurrencies, or other stored value products such as gift cards, and eligible rewards.
We help merchants connect with customers, increase conversion rates and sales, and grow their businesses in the markets where our services are available. We provide large enterprises and small and medium businesses with online branded checkout solutions, including PayPal and Venmo; online unbranded payments processing, including Braintree and PayPal Complete Payments; our buy now, pay later solutions, which we refer to as PayPal Pay Later; in-person point of sale systems, including Zettle; business financing, including PayPal Working Capital (“PPWC”) and PayPal Business Loan (“PPBL”); payouts capabilities; and risk tools.
We operate a global, two-sided network at scale that connects consumers and merchants with 434 million active accounts across approximately 200 markets as of December 31, 2024.
We earn revenues primarily by charging fees for completing payment transactions for our customers and other payment-related services, which are typically based on the volume of activity processed on our payments platform. We also generate revenue from customers for currency conversion, for instant transfers from their PayPal or Venmo account to their bank account or debit card, and to facilitate the purchase and sale of cryptocurrencies; however, we generally do not charge customers to fund or draw from their accounts. We also earn revenue by providing other value added services, which primarily comprise revenue earned through partnerships, interest and fees from our consumer and merchant credit products, interest earned on certain assets underlying customer balances, referral fees, subscription fees, and gateway services.
Unless otherwise expressly stated or the context otherwise requires, references to “we,” “our,” “us,” “the Company,” or “PayPal” refer to PayPal Holdings, Inc. and its consolidated subsidiaries.
KEY PERFORMANCE METRICS
In 2024, we processed $1.68 trillion of total payment volume (“TPV”), an increase of 10% compared to 2023, and 26.3 billion payment transactions, an increase of 5% compared to 2023. As of December 31, 2024, we had 434 million active accounts, an increase of 2% compared to December 31, 2023.
We measure the scale of our platform and the relevance of our products and services to our customers through certain metrics, including TPV, payment transactions, and active accounts:
TPV is the value of payments, net of payment reversals, successfully completed on our payments platform or enabled by PayPal via a partner payment solution, not including gateway-exclusive transactions.
Number of payment transactions is the total number of payments, net of payment reversals, successfully completed on our payments platform or enabled by PayPal via a partner payment solution, not including gateway-exclusive transactions.
An active account is an account registered directly with PayPal or a platform access partner that has completed a transaction on our platform, not including gateway-exclusive transactions, within the past 12 months. A platform access partner is a third party whose customers are provided access to PayPal’s platform or services through such third-party’s login credentials, including individuals and entities that utilize Hyperwallet’s payout capabilities. A user may register on our platform to access different products and may register more than one account to access a product. Accordingly, a user may have more than one active account. The number of active accounts provides management with additional perspective on the overall scale of our platform, but may not have a direct relationship to our operating results.
OUR STRENGTHS
Our business is built on a strong foundation designed to drive profitable growth and differentiate us from our competitors. We believe that our competitive strengths include the following:
•Two-sided platform—we facilitate online and offline transactions for millions of consumers and merchants. Our relationship on both sides of a transaction enables us to offer unique product experiences designed to remove friction, drive sales, and enhance shopping experiences. We utilize the data about how our customers use our platform to continually innovate and improve it.
•Trusted brands—we have built and strengthened well-recognized and trusted brands, including PayPal, Venmo, and Braintree. Our communications and marketing efforts across multiple geographies and demographic groups play an important role in building brand visibility, usage, and overall preference among customers.
•Open ecosystem—we are technology and platform agnostic. This approach allows our merchants to offer and use a variety of our branded and unbranded payment processing solutions and business financing products, alongside other tools. We give consumers flexibility to make and receive payments using a wide variety of funding options and digital wallet solutions, including their bank account, PayPal and Venmo account balance, buy now, pay later, debit and credit options.
•Scale—our global scale helps us to drive organic growth. As of December 31, 2024, we had 434 million active accounts in approximately 200 markets¹ around the world.
•Risk and compliance management—our enterprise risk and compliance management program is designed to help keep customer information secure and ensure we process legitimate transactions around the world, while identifying and minimizing illegal, high-risk, or fraudulent transactions.
•Regulatory licenses—we believe that our regulatory licenses, which enable us to operate in markets around the world, are a distinct advantage and help support business growth.
¹ A market is a geographic area or political jurisdiction, such as a country, territory, or protectorate, in which we offer some or all of our products and services. A country, territory, or protectorate is identified by a distinct set of laws and regulations.
CONSUMER AND MERCHANT PAYMENT SOLUTIONS
Consumer value proposition
We help consumers transact securely with merchants, manage their financial lives, and send to and receive money from friends and family around the globe. Our goal is to create the simplest checkout experience possible for consumers online or offline, including mobile. We drive increased consumer engagement by providing consumers with a wide range of services to manage their finances and enhance their ability to shop online and offline. Our PayPal and Venmo branded checkout experiences allow customers to complete purchases in just a few steps without having to enter payment and address information. We also focus on simplifying and personalizing shopping experiences for our consumers by offering tools for product discovery, price tracking, saving through deals and offers, convenient package tracking, and redemption of shopping rewards. Our PayPal- and Venmo-branded debit and credit cards give consumers the ability to transact in-person through our platform and earn incentives, including cash-back rewards.
We also offer consumers person-to-person (“P2P”) payment solutions for domestic and international transfers through our PayPal, Venmo, and Xoom products and services. Our Venmo digital wallet in the United States (“U.S.”) is a leading mobile application used to move money between our customers. Our Xoom international money transfer service enables our customers to send money to people around the world in a secure, fast, and cost-effective way. P2P is an important source of customer engagement and also serves as a customer acquisition channel that facilitates organic growth by enabling potential users to establish active accounts with PayPal or Venmo at the time they make or receive a P2P payment.
We offer credit products to eligible consumers in certain markets as a funding source at checkout. Our consumer credit offerings include our buy now, pay later products in the U.S., United Kingdom (“U.K.”), France, and Germany, among other markets, and in Japan through our Paidy brand. A key attribute of our buy now, pay later products is the absence of interest or consumer late fees for missed payments in most of the geographies where we offer them. Further, we offer interest-bearing installment products for consumers in the U.S. (issued by an independent chartered financial institution) and in Germany. In the U.S., consumers may apply for our PayPal- and Venmo-branded consumer credit cards and our PayPal Credit revolving consumer credit product, which are offered through a partnership with an independent chartered financial institution. We offer a PayPal-issued PayPal Credit product in the U.K. We believe that our consumer credit products help us to increase engagement with consumers and merchants on our two-sided network.
We generate revenue from consumers from: foreign currency conversions, instant transfers from their PayPal or Venmo account to their bank account or debit card, and facilitating the purchase and sale of cryptocurrencies; interest, fees, or other revenue from our credit products; and other miscellaneous fees. We also earn revenue from interest earned on certain assets underlying customer balances.
Merchant value proposition
Merchants use our solutions to increase conversion rates and grow and manage their business. We employ a technology and platform agnostic approach intended to enable merchants of all sizes to utilize our various products. Our diversified suite of products and services is tailored to meet the needs of merchants regardless of their size or business complexity. We offer a seamless omnichannel solution that helps merchants manage and grow their business.
Our PayPal and Venmo branded checkout experiences allow customers to complete purchases in just a few steps without having to enter payment and address information. These seamless experiences reduce cart abandonment and drive higher conversion rates for merchants. Our buy now, pay later solutions are embedded into our branded checkout experiences, which can help increase consumer spend and enable merchants to grow sales.
Our unbranded payments processing solutions, which include Braintree and PayPal Complete Payments, allow merchants to quickly and easily provide digital checkout online with a variety of popular ways to pay, including debit and credit cards, digital wallets, PayPal Pay Later, and local payment methods.
We offer a suite of value added services, including payouts, payments orchestration, and fraud prevention and risk management solutions that help reduce merchant losses through proprietary protection programs. We also offer omnichannel solutions that allow merchants to make sales in person using our Zettle by PayPal app, card reader, or point of sale systems.
We offer access to merchant financing products for eligible small and medium-sized businesses through the PPWC and PPBL products, which we collectively refer to as our merchant financing solutions. The PPWC product allows businesses to access a loan or cash advance for a fixed fee, based on their annual payment volume processed by PayPal. The PPBL product provides businesses with access to short-term financing for a fixed fee or interest based on an evaluation of the applying business as well as the business owner. In the U.S., these products are provided under a program agreement with an independent chartered financial institution. We believe that our merchant financing solutions enable us to deepen our engagement with our existing small and medium-sized merchants and expand services to new merchants by providing access to capital that may not be available from traditional banks or other lenders.
We generate revenues from merchants primarily by charging fees for completing their payment transactions and other payment-related services. We also earn revenues from interest and fees earned on our merchant loans and advances and interest earned on certain assets underlying customer balances.
PROTECTING CONSUMERS AND MERCHANTS
Protecting consumers and merchants on our payments platform from financial and fraud loss is important to successfully compete and sustainably grow our business. Fraudulent activities, such as account takeover, identity theft (including stolen financial information), and malicious activities by counterparties, represent a significant risk to consumers and merchants, as well as their payment partners. In addition to the protections afforded by applicable law, we provide consumers and merchants with protection programs for certain purchase transactions completed on our payments platform. Our protection programs help protect both consumers and merchants from financial loss resulting from, among other things, counterparty non-performance. These programs are designed to promote confidence on the part of both consumers, who will be reimbursed in certain circumstances, such as not receiving their purchased item in the condition significantly as described, as well as merchants, who will receive payment in certain circumstances, such as establishing proof of shipment or delivery of an item to the customer. We believe that these programs are generally consistent with or broader than protections provided by other participants in the payments industry.
Our ability to help protect both consumers and merchants is based largely on our proprietary, end-to-end payments platform and our ability to utilize the data from both sides of transactions on our two-sided network, specifically from buyers and sellers and from senders and receivers of payments. Our ongoing investment in systems and processes is designed to enhance the safety and security of our products and reflects our goal of having PayPal recognized as one of the world’s most trusted payments brands.
COMPETITION
The global payments industry is highly competitive, dynamic, and innovative, and subject to regulatory scrutiny and oversight. Many of the areas in which we compete evolve rapidly with innovative and disruptive technologies, shifting user preferences and needs, price sensitivity of consumers and merchants, and frequent introductions of new products and services. Competition also may intensify as new competitors emerge, businesses combine or enter into new partnerships, and established companies in other segments expand to become competitive with various aspects of our business.
Our business faces competition from a wide range of businesses and from all forms of physical and electronic payments. We face competition from banks and financial institutions, which provide traditional payment methods (particularly credit cards and debit cards (collectively, “payment cards”), electronic bank transfers, credit, and installment methods), payment networks that facilitate payments for payment cards or proprietary retail networks, payment card processors, and “card on file” services. We also face competition from providers offering a variety of payment products and services ranging from broader platform solutions to point solutions focused on a specific functionality or feature, including tokenized and contactless payment cards, digital wallets and mobile payments solutions, credit, installment or other buy now, pay later methods, real-time payment systems, P2P payments and money remittance services, card readers and other devices or technologies for payment at point of sale (such as contactless cards, tokenized cards, Near Field Communication (NFC) based solutions, and Quick Response (QR) code based solutions), value added services related to payments (such as payouts, payment orchestration, foreign exchange and risk solutions), virtual currencies (such as cryptocurrencies and stablecoins) and distributed ledger technologies, and tools that simplify and personalize shopping experiences for consumers and merchants.
Our products and services also face competition from paper-based payments (primarily cash and checks).
We differentiate ourselves to consumers through our broad acceptance and the ability to use our products and services across multiple commerce channels, including e-commerce, mobile, and offline payments, and without sharing their financial information with the merchant or any other party they are paying; our customer service, dispute resolution, and purchase protection programs; and our ability to simplify and personalize shopping experiences. In addition, we differentiate ourselves to merchants through our ability to innovate and develop products and services that offer new payment experiences or functionality for our merchants, demonstrate that they may achieve incremental sales by using and offering our services to consumers, and support transactions on our payments platform across varied technologies and payment methods; through the simplicity and transparency of our fee structure; and through our seller protection programs, analytics, and risk management, as well as other merchant services. We invest resources to improve our products and services and expand their acceptance, offer choice in payment options, provide excellent customer service, and build brands that both consumers and merchants trust.
In addition to the discussion in this section, see “Item 1A. Risk Factors” under the caption “We face substantial and increasingly intense competition worldwide in the global payments industry” for further discussion of the potential impact of competition on our business.
STRATEGY
Our ability to grow revenue is affected by, among other things, the macroeconomic environment and its impact on commerce and economic growth, consumer spending patterns, adoption of digital payment methods, the expansion of multiple commerce channels, the growth of mobile devices and commerce and payment applications on those devices, the growth of consumers and merchants globally with internet and mobile access, the pace of transition from cash and checks to digital forms of payment, our share of digital payments, and our ability to innovate and introduce new products, services, and features that consumers and merchants value. Our strategy to drive growth in our business includes the following:
•Accelerating growth in our branded checkout business: by improving our user experience, including by reducing friction and enhancing rewards, we will drive consumer selection and increase conversion rates for merchants. This strategy will increase our customers’ engagement with our products and services. A critical element of our overall growth strategy involves driving an increase in monthly active accounts, which we expect will contribute to growth in payment transactions, TPV, and net revenues.
•Expanding our value proposition for consumers and merchants to drive daily use: by providing consumers with simple, secure, and flexible ways to manage and move money across different markets, merchants, and platforms, including offering purchase protection programs and simplifying their shopping experiences; by being technology and platform agnostic and by expanding and launching capabilities that allow us to process payments anywhere; by partnering with our merchants to grow and expand their business online and offline, including offering merchants risk management and seller protection programs; and by delivering payment-adjacent capabilities.
•Unlocking the power of data: by responsibly utilizing data in our two-sided platform to personalize consumer offerings, we will create more value for our customers, improve the interconnectedness of our platform, and tap into new sources of revenue and profitable growth.
•Increasing offline engagement: through our PayPal-branded debit and credit cards, rewards programs, and seamless integration into other digital wallets that support in-store payments, we are giving consumers more reasons to use PayPal and Venmo for offline purchases. Providing consumers more opportunities to use PayPal for omnichannel purchases will help us to drive engagement.
•Building and expanding strategic partnerships: by building new strategic partnerships and deepening existing ones to provide better experiences for our customers, offer greater choice and flexibility, acquire new customers, and reinforce our role in the payments and commerce ecosystem.
•One PayPal platform: by investing in state-of-the-art technology, architecture, and processes to deliver high-quality products and services to our customers more efficiently and effectively.
•Seeking new areas of growth: innovate the future of commerce by focusing on creating new products in both the digital and physical worlds and finding opportunities to expand and improve upon our existing products and capabilities.
TECHNOLOGY
Our payments platform utilizes a combination of proprietary and third-party technologies and services intended to facilitate transactions efficiently and securely between millions of consumers and merchants worldwide across different channels, markets, and networks. Our payments platform connects with financial services providers around the world and allows consumers to make purchases using a wide range of payment methods, regardless of where a merchant is located. Consumers who use our payments platform can send payments in approximately 200 markets around the world and in approximately 140 currencies, withdraw funds to their bank accounts in 57 currencies, and hold balances in their eligible PayPal accounts in 24 currencies.
We have developed intuitive user interfaces, customer tools, transaction management databases, and payment network integrations on our platform designed to enable our customers to utilize our suite of products and services. Our payments platform, open application programming interfaces, and developer tools are designed to enable developers to innovate with ease and offer robust solutions to our global ecosystem of consumers and merchants, while at the same time helping to maintain the security of our customers’ information.
The technology infrastructure supporting our payments platform is designed to simplify the storage and processing of large amounts of data and facilitate the deployment and operation of large-scale global products and services in both our own data centers and when hosted by third-party cloud service providers. Our technology infrastructure is designed around industry best practices intended to reduce downtime and help ensure the resiliency of our payments platform in the event of outages or catastrophic occurrences. Our payments platform incorporates multiple layers of protection for business continuity and system redundancy purposes and to help mitigate cybersecurity risks. We have a comprehensive cybersecurity program designed to protect our technology infrastructure and payments platform against cybersecurity threats, which includes regularly testing our systems to identify and address potential vulnerabilities. We strive to continually improve our technology infrastructure and payments platform to enhance the customer experience and to increase efficiency, scalability, and security.
For additional information regarding risks relating to our technology infrastructure and cybersecurity, see the information in “Item 1A. Risk Factors” under the captions “Cyberattacks and security vulnerabilities could result in serious harm to our reputation, business, and financial condition” and “Business interruptions or systems failures may impair the availability of our websites, applications, products or services, or otherwise harm our business.”
RESEARCH AND DEVELOPMENT
Our total research and development expense was $1.5 billion, $1.6 billion, and $1.7 billion in 2024, 2023, and 2022, respectively.
INTELLECTUAL PROPERTY
The protection of our intellectual property, including our trademarks, copyrights, domain names, trade dress, patents, and trade secrets, is important to the success of our business. We seek to protect our intellectual property rights by relying on applicable laws, regulations, and administrative procedures in the U.S. and internationally. We have registered our core brands as domain names and as trademarks in the U.S. and many international jurisdictions. We also have an active program to secure and enforce trademarks and domain names that correspond to our brands in markets of interest. We have filed and continue to file patent applications in the U.S. and in international jurisdictions covering certain aspects of our proprietary technology and new innovations. We also rely on contractual restrictions to protect our proprietary rights when offering or procuring products and services. We routinely enter into confidentiality and invention assignment agreements with our employees and contractors, and non-disclosure agreements with parties with whom we conduct business to control access to, and use and disclosure of, our proprietary information.
For additional information regarding risks relating to our intellectual property, see the information in “Item 1A. Risk Factors” under the captions “Third parties may allege that we are infringing their patents and other intellectual property rights” and “We may be unable to protect or enforce our intellectual property.”
GOVERNMENT REGULATION
We operate globally and in a rapidly evolving regulatory environment characterized by a heightened focus by regulators globally on all aspects of the payments industry, including anti-money laundering, countering terrorist financing, privacy, cybersecurity, and consumer protection. The laws and regulations applicable to us, including those enacted prior to the advent of digital payments, continue to evolve through legislative and regulatory action and judicial interpretation. New or changing laws and regulations, including changes to their interpretation and implementation, as well as increased penalties and enforcement actions related to non-compliance, could have a material adverse impact on our business, results of operations, and financial condition. We monitor these areas closely and are focused on designing compliant solutions for our customers.
Government regulation impacts key aspects of our business. We are subject to the laws and regulations applicable to the payments industry in the markets we operate, which are subject to interpretation and change.
Payments regulation. Various laws and regulations govern the payments industry in the U.S. and internationally. In the U.S., PayPal, Inc. (a wholly-owned subsidiary) holds licenses to operate as a money transmitter (or its equivalent) in the states where such licenses are required, as well as in the District of Columbia and certain territories. These licenses include not only our PayPal-branded products and services, but also our Venmo, Hyperwallet, Xoom, and Zettle products and services, to the extent offered in these locations. As a licensed money transmitter, PayPal is subject to, among other requirements, restrictions on the investment of customer funds, reporting requirements, bonding requirements, and inspection by state regulatory agencies. In certain cases, these licenses also generally cover PayPal’s service enabling customers to buy, hold, transfer, and sell cryptocurrency directly from their PayPal or Venmo account. In the State of New York, PayPal holds a full Bitlicense issued by the New York Department of Financial Services to offer cryptocurrency services in the state.
Outside the U.S., we provide similar services customized for various countries and foreign jurisdictions through our foreign subsidiaries. The activities of those non-U.S. entities are, or may be, supervised by a financial regulatory authority in the jurisdictions in which they operate. Among other regulatory authorities, the Luxembourg Commission de Surveillance du Secteur Financier (the “CSSF”), the U.K. Financial Conduct Authority (“FCA”), the Australian Prudential Regulation Authority, the People’s Bank of China, the Monetary Authority of Singapore, the Reserve Bank of India, and the Central Bank of Brazil have asserted jurisdiction over some or all of our activities in their respective jurisdictions. This list is not exhaustive, and there are numerous other regulatory agencies that have asserted or may assert jurisdiction over our activities.
In addition, financial services regulators in various jurisdictions, including the U.S. and the European Union (“EU”), have implemented payment authentication requirements for banks and payment processors intended to reduce online fraud, which could impose significant costs, make it more difficult for new customers to open PayPal accounts, and reduce the ease of use of our products.
Financial Services supervision. We serve our customers in the EU through PayPal (Europe) S.à.r.l. et Cie, S.C.A. (“PayPal (Europe)”), a wholly-owned subsidiary that is licensed and subject to regulation as a credit institution in Luxembourg by the CSSF. We serve our customers in the U.K. through PayPal U.K. Limited (“PayPal U.K.”), a wholly-owned subsidiary that is subject to regulation as an electronic money institution in the U.K. by the FCA. Accordingly, we must comply with rules and regulations applicable to electronic money institutions in the U.K. and credit institutions in the E.U., including those related to capitalization, funds management, corporate governance, anti-money laundering, consumer rights, disclosure, reporting, and inspection. We are, or may be, subject to financial services-related regulations in other countries now or in the future related to our role in the financial services industry. In addition, based on our relationships with our partner financial institutions, we are, or may be, subject to indirect regulation and examination by the regulators of these partner financial institutions.
Lending regulation. Our U.S. consumer short-term, interest-free, installment product is subject to federal and state laws governing consumer credit and debt collection, and PayPal holds multiple state licenses as the lender for this product. In Australia, PayPal Credit Pty Limited offers a consumer short-term, interest-free, installment product that is exempt from regulation by the primary consumer credit legislation, but is subject to other laws which cover the provision of financial services, credit reporting, debt collection, and privacy. PayPal’s consumer short-term, interest-free, installment products in the U.K., France, Germany, Spain, and Italy are generally exempt from primary consumer credit legislation; however, certain consumer lending laws, consumer protection, and banking transparency regulations apply to this activity. Paidy, Inc. holds multiple licenses for the issuance of its consumer installment products in Japan and is registered with the Ministry of Economy, Trade and Industry as a Comprehensive Credit Purchase Intermediary.
Our U.S. consumer interest-bearing installment product is subject to federal and state laws and is offered by an independent chartered financial institution. PayPal’s interest-bearing installment product for consumers in Germany is subject to applicable local laws such as consumer (lending) laws, consumer protection, or banking transparency regulations. These loans are originated by PayPal (Europe).
PayPal and Venmo co-branded consumer credit cards and the PayPal Credit revolving consumer credit product are issued by an independent chartered financial institution in the U.S., and are subject to laws and regulations governing these programs. PayPal Credit in the U.K. is a regulated, revolving consumer credit product subject to applicable local laws and regulations.
Our U.S. merchant lending products are subject to federal and state regulations and are offered by an independent chartered financial institution. Our merchant lending products offered in Germany, France, and the Netherlands are subject to the laws of Luxembourg and certain local laws, and our merchant lending product offered in the U.K. is subject to U.K. regulation. The loans offered to European and U.K. merchants are originated by PayPal (Europe) and PayPal U.K., respectively. Our merchant lending product in Australia is subject to the laws of Australia and is originated by PayPal Credit Pty Limited.
Consumer Financial Protection Bureau (“CFPB”). The CFPB has significant authority to regulate consumer financial products in the U.S., including consumer credit, deposits, payments, and similar products. As a large market participant of remittance transfers, we are subject to the direct supervisory authority of the CFPB. The CFPB and similar regulatory agencies in other jurisdictions may have broad consumer protection mandates that could result in the promulgation and interpretation of rules and regulations that may materially impact our business.
Anti-money laundering, counter-terrorist financing, and sanctions. PayPal is subject to anti-money laundering (“AML”) laws and regulations in the U.S. and other jurisdictions, as well as laws designed to prevent the use of the financial systems to facilitate terrorist activities. Our AML program is designed to prevent our payments platform from being used to facilitate money laundering, terrorist financing, and other illicit activities, or to do business in countries or with persons and entities included on designated country or person lists promulgated by the U.S. Department of the Treasury’s Office of Foreign Assets Control and equivalent authorities in other countries. Our AML and sanctions compliance programs, overseen by our AML/Bank Secrecy Act Officer, are composed of policies, procedures, and internal controls, and are designed to address these legal and regulatory requirements and assist in managing money laundering and terrorist financing risks.
Interchange fees. Interchange fees (the transaction fees for processing credit and debit card transactions) are subject to regulation in certain jurisdictions. For example, in the EU, the Multilateral Interchange Fee Regulation caps interchange fees and provides for business rules to be complied with by any company dealing with payment card transactions. Interchange fees are being reviewed or challenged in various jurisdictions. As a result, the fees that we collect in certain jurisdictions may become the subject of regulatory challenge.
Data protection and privacy. We are subject to a number of laws, rules, directives, and regulations (“privacy and data protection laws”) relating to the collection, use, retention, security, processing, and transfer (collectively, “processing”) of personally identifiable information about our customers, our merchants’ customers, and employees (“personal data”) in the countries where we operate. Our business relies on the processing of personal data in many jurisdictions and the movement of data across national borders. As a result, much of the personal data that we process, which may include certain financial information associated with individuals, is subject to one or more privacy and data protection laws in one or more jurisdictions. In many cases, these laws apply not only to third-party transactions, but also to transfers of information between or among us, our subsidiaries, and other parties with which we have commercial relationships.
Regulatory scrutiny of privacy, data protection, cybersecurity practices, and the processing of personal data is increasing around the world. Regulatory authorities are continuously considering numerous legislative and regulatory proposals and interpretive guidelines that may contain additional privacy and data protection obligations. Many jurisdictions in which we operate have adopted, or are in the process of adopting or amending data protection and privacy legislation or regulation aimed at creating and enhancing individual privacy rights and data protection obligations. In addition, the interpretation and application of these privacy and data protection laws in the U.S., Europe, and elsewhere are subject to change and may subject us to increased regulatory scrutiny and business costs.
Anti-corruption. PayPal is subject to applicable anti-corruption laws, such as the U.S. Foreign Corrupt Practices Act, the U.K. Bribery Act, and similar laws in the jurisdictions in which we operate. Anti-corruption laws generally prohibit offering, promising, giving, accepting, or authorizing others to provide anything of value, either directly or indirectly, to or from a government official or private party to influence official action or otherwise gain an unfair business advantage, such as to obtain or retain business. We have implemented policies, procedures, and internal controls that are designed to comply with these laws and regulations.
Additional regulatory developments. Various regulatory agencies continue to examine and implement laws governing a wide variety of issues, including virtual currencies, identity theft, account management guidelines, disclosure rules, cybersecurity, competition, and marketing, which may impact PayPal’s business. Certain governments around the world are adopting laws and regulations pertaining to environmental, social, and governance matters, and corporate sustainability performance, transparency, and reporting (e.g., the EU Corporate Sustainability Reporting Directive), as well as topical reporting and risk management disclosure requirements, such as obligations related to disclosure of the management of climate-related risks.
For an additional discussion on governmental regulation affecting our business, please see “Item 1A. Risk Factors” and “Item 3. Legal Proceedings” included in this Form 10-K.
CORPORATE SUSTAINABILITY & IMPACT MANAGEMENT
PayPal is committed to creating a more inclusive digital economy for the customers and communities we serve across the world. Our management of priority Corporate Sustainability & Impact (“CS&I”) risks and opportunities in respect of our business is organized across employees and culture, social impact, responsible business practices, and environmental sustainability. We believe this integrated, enterprise-wide approach to managing our global business helps enable us to create value for our stakeholders, including our stockholders, employees, partners, and communities. We continue to prioritize efforts to manage key non-financial factors impacting our long-term business, including fostering an inclusive culture across the employee experience, utilizing PayPal’s unique capabilities and resources to support inclusive entrepreneurship and small business success, further enhancements to support the safety and security of our products and platform, and progress on reducing our environmental impacts. We endeavor to provide transparent disclosures with respect to our CS&I risks and opportunities through our annual Global Impact Report and other communications.
HUMAN CAPITAL
At PayPal, we consider the management of our global talent (human capital) to be essential to the ongoing success of our business. As of December 31, 2024, we employed approximately 24,400 people globally, with 44% in the Americas, 44% in Asia-Pacific, and 12% in Europe and the Middle East. Our global employees work predominantly full-time and represent at least 140 nationalities, across 28 countries, including approximately 8,900 located in the U.S. Across our workforce, we reached approximately 43% global gender diversity and 55% U.S. ethnic diversity, as of December 31, 2024.
As a leading technology platform, we compete for top talent from around the world. We believe that a strong culture focused on employee experiences that enable advancement, learning, and individual career insights is essential to the successful acquisition, development, and retention of global talent. In 2024, we continued to build employee awareness and engagement in our leadership principles to establish a common set of expectations for all employees. We also continued to integrate these principles across our global talent strategy to help shape our programs throughout the employee lifecycle and achieve key business priorities. We use employee feedback to directly inform the ongoing development of our employee programs. In addition to administering an annual survey to gather input from our global workforce, we also conducted specific surveys to gather direct employee feedback on specific topics.
We remain focused on promoting the holistic well-being of our employees, including providing resources, programs, and services to support our employees’ physical, mental, and financial wellness. PayPal offers a comprehensive benefits package designed to support employees at every stage of life while helping our employees to prepare for the future.
We are committed to equal pay for equal work and promoting enterprise-wide inclusive learning opportunities.
In October 2024, we moved to hybrid as our primary way of working at PayPal. As of December 31, 2024, approximately half of our employees worked a hybrid schedule while the remaining were fully virtual. Across PayPal, we are focused on providing tools and resources to support our distributed teams.
AVAILABLE INFORMATION
The address of our principal executive offices is PayPal Holdings, Inc., 2211 North First Street, San Jose, California 95131. Our website is located at www.paypal.com, and our investor relations website is located at https://investor.pypl.com. From time to time, we may use our investor relations site and other online and social media channels, including the PayPal Newsroom (https://newsroom.paypal-corp.com/), the PayPal Corporate website (https://about.pypl.com), PayPal’s LinkedIn page (https://www.linkedin.com/company/paypal), PayPal’s Facebook page (https://www.facebook.com/PayPalUSA/), PayPal’s YouTube channel (https://www.youtube.com/paypal), Alex Chriss’ LinkedIn profile (https://www.linkedin.com/in/alexchriss/), Alex Chriss’ X profile (https://x.com/acce), Jamie Miller’s LinkedIn profile (https://www.linkedin.com/in/jamiesmiller/), and Steven Winoker’s LinkedIn profile (https://www.linkedin.com/in/steven-winoker-0764548/), as a means of disclosing information about the Company, including information which could be deemed to be material to investors. Our Form 10-K, quarterly reports on Form 10-Q, current reports on Form 8-K, and amendments to those reports are available free of charge on our investor relations website as soon as reasonably practicable after they are electronically filed with, or furnished to, the SEC. The SEC maintains an internet site that contains reports, proxy and information statements, and other information regarding issuers that file electronically with the SEC at http://www.sec.gov.
The content of our websites and information we may post on, provide to, or accessible through online and social media channels, including those mentioned above, are not a part of, and are not incorporated by reference into, this Form 10-K or in any other report or document we file with, or furnish to, the SEC. Any references to our websites or online and social media contained in this Form 10-K are intended to be inactive textual references only.
ITEM 1A. RISK FACTORS
You should carefully consider the risks and uncertainties described below, in addition to other information appearing in this Form 10-K, including our consolidated financial statements and related notes, for important information regarding risks and uncertainties that could affect us. These risk factors do not identify all risks we face, and additional risks and uncertainties that we are unaware of, or that we currently believe are not material, may also become important factors that adversely affect our business. If any of the following risks actually occur, our business, financial condition, results of operations, future prospects, and the trading price of our common stock could be materially and adversely affected.
CYBERSECURITY AND TECHNOLOGY RISKS
Cyberattacks and security vulnerabilities could result in serious harm to our reputation, business, and financial condition.
The techniques used to attempt to obtain unauthorized or illegal access to systems and information (including customers’ personal data), disable or degrade service, exploit vulnerabilities, or sabotage systems are continuously evolving. In some circumstances, these attempts may not be recognized or detected until after they have been launched against a target. Unauthorized parties continuously attempt to gain access to our systems or facilities through various means, including through hacking into our systems or facilities or those of our customers, partners, or vendors, and attempting to fraudulently induce users of our systems (including employees, vendor and partner personnel and customers) into disclosing user names, passwords, payment card information, multi-factor authentication application access or other sensitive information used to gain access to such systems or facilities. This information may, in turn, be used to access our customers’ confidential personal or proprietary information and financial instrument data that are stored on or accessible through our information technology systems and those of third parties with whom we partner. This information may also be used to execute fraudulent transactions or otherwise engage in fraudulent actions.
Numerous and evolving cybersecurity and related threats, including advanced and persisting cyberattacks, cyberextortion, distributed denial-of-service attacks, ransomware, spear phishing and social engineering schemes, the introduction of computer viruses or other malware, and the physical destruction of all or portions of our information technology and infrastructure and those of third parties with whom we partner or that are part of our information technology supply chain, are becoming increasingly sophisticated and complex, may be difficult to detect, and could compromise the confidentiality, availability, and integrity of the data in our systems, as well as the systems themselves.
We believe that hostile actors, who may comprise individuals, coordinated groups, sophisticated organizations, or nation state supported entities, may target PayPal due to our name, brand recognition, types of data (including sensitive payments- and identity-related data) that customers provide to us, and the widespread adoption and use of our products and services. We have experienced from time to time, and may experience in the future, cybersecurity incidents, including breaches of our security measures, network breaches, and compromise of personally identifiable customer information due to human error, deception, malfeasance, insider threats, system errors, defects, vulnerabilities, or other issues. Any of the foregoing events may subject us to fines, penalties, regulatory or other enforcement actions, and our business, reputation or financial condition may be adversely affected.
Any cybersecurity incidents, including cyberattacks or data security breaches affecting the information technology or infrastructure of our customers, partners, or vendors (including data center and cloud computing providers) or of companies we acquire, could have similar negative effects.
We have experienced, and may experience in the future, breaches involving customer information for which we have notified, and may notify, regulators, customers and other third parties. These or other cybersecurity breaches and other exploited security vulnerabilities have subjected us and could further subject us to significant costs and third-party liabilities, result in improper disclosure of data and violations of applicable privacy and other laws, require us to change our business practices, cause us to incur significant remediation costs, lead to loss of customer confidence in, or decreased use of, our products and services, damage our reputation and brands, divert the attention of management from the operation of our business, result in significant compensation or contractual penalties from us to our customers and their business partners as a result of losses to or claims by them, or expose us to litigation, regulatory investigations, and significant fines and penalties.
Moreover, under payment card network rules and our contracts with our payment processors, if there is a breach of payment card information stored by us or our direct payment card processing vendors, we could be liable to the payment card issuing banks, including for their cost of issuing new cards and related expenses. While we maintain insurance policies intended to help offset the financial impact we may experience from these risks, our coverage may be insufficient to compensate us for all losses caused by security breaches and other damage to or unavailability of our systems.
Business interruptions or systems failures may impair the availability of our websites, applications, products or services, or otherwise harm our business.
Our systems and operations and those of our service providers and partners have experienced from time to time, and may experience in the future, business interruptions or degradation of service because of distributed denial-of-service and other cyberattacks, insider threats, hardware and software defects or malfunctions, human error, earthquakes, hurricanes, floods, fires, and other natural disasters, public health crises (including pandemics), power losses, disruptions in telecommunications services, fraud, military or political conflicts, terrorist attacks, computer viruses or other malware, or other events. The frequency and intensity of weather events related to climate change are increasing, which could increase the likelihood and severity of such disasters as well as related damage and business interruption. Our corporate headquarters are located in the San Francisco Bay Area, a seismically active region in California. A catastrophic event that could lead to a disruption or failure of our systems or operations could result in significant losses and require substantial recovery time and significant expenditures to resume or maintain operations.
Further, some of our systems, including those of companies that we have acquired, are not fully redundant and any failure of these acquired systems, including due to a catastrophic event, may lead to operational outages or delays. While we engage in disaster recovery planning and testing intended to mitigate risks from outages or delays, our planning and testing may not be effective or sufficient for all possible outcomes or events. As a provider of payments solutions, we are also subject to heightened scrutiny by regulators that may require specific business continuity, resiliency and disaster recovery plans, and rigorous testing of such plans, which may be costly and time-consuming to implement, and may divert our resources from other business priorities. Any of the foregoing risks could have a material adverse impact on our business, financial condition, and results of operations.
We have experienced, and expect to continue to experience, system failures, cyberattacks, unplanned outages, and other events or conditions from time to time that have and may interrupt the availability, or reduce or adversely affect the speed or functionality, of our products and services. While we continue to undertake system upgrades and re-platforming efforts designed to improve the availability, reliability, resiliency, and speed of our payments platform, these efforts are costly and time-consuming, involve significant technical complexity and risk, may divert our resources from new features and products, and may ultimately not be effective. A prolonged interruption of, or reduction in, the availability, speed, or functionality of our products and services could materially harm our business and financial condition. Frequent or persistent interruptions in our services could permanently harm our relationship with our customers and partners and our reputation. If any system failure or similar event results in damage to our customers or their business partners, they could seek significant compensation or contractual penalties from us for their losses. These claims, even if unsuccessful, would likely be time-consuming and costly for us to address.
We also rely on facilities, components, applications, software, and services supplied by third parties, including data center facilities and cloud data storage and processing services. From time to time, we have experienced interruptions in the provision of such facilities and services provided by these third parties. If these third parties experience operational interference or disruptions (including a cybersecurity incident), fail to perform their obligations, or breach their agreements with us, our operations could be disrupted or negatively affected, which could result in customer dissatisfaction, regulatory scrutiny, and damage to our reputation and brands, and materially and adversely affect our business. While we maintain insurance policies intended to help offset the financial impact we may experience from these risks, our coverage may be insufficient to compensate us for all losses caused by interruptions in our service due to systems failures and similar events.
In addition, any failure to successfully implement new information systems and technologies or improvements or upgrades to existing information systems and technologies in a timely manner could lead to regulatory scrutiny, significant fines and penalties, and mandatory and costly changes to our business, adversely impact our business, internal controls, results of operations, and financial condition, and ultimately could cause us to lose existing licenses that we need to operate or prevent or delay us from obtaining additional licenses that may be required for our business. Investigations and legal proceedings are inherently uncertain, expensive and disruptive to our operations, and could result in substantial judgments, fines, penalties or settlements, negative publicity, substantial diversion of management’s time and effort, reputational harm, criminal sanctions, or orders that prevent or limit us from offering certain products or services; require us to change our business practices in costly ways, develop non-infringing or otherwise altered products or technologies, or pay substantial royalty or licensing fees; or delay or preclude planned transactions or product launches or improvements.
If we cannot keep pace with rapid technological developments to provide new and innovative products and services, the use of our products and services and, consequently, our revenues, could decline.
Rapid, significant, and disruptive technological changes impact the industries in which we operate, including payment technologies (including real-time payments, payment card tokenization, virtual currencies, distributed ledger and blockchain technologies, and proximity payment technology such as Near Field Communication and other contactless payments); internet browser technologies that enable users to easily store their payment card information for use on any retail or e-commerce website; artificial intelligence (“AI”) and machine learning; developments in technologies supporting our regulatory and compliance obligations; and in-store, digital, and social commerce.
We expect that new technologies applicable to the industries in which we operate, including the development, adoption, and use of generative AI technologies, will continue to emerge and may be superior to, or render obsolete, the technologies we currently use in our products and services. We cannot predict the effects of technological changes on our business, which technological developments or innovations will become widely adopted, and how those technologies may be regulated. Developing and incorporating new technologies into new and existing products and services may require significant investment, take considerable time, and may not ultimately be successful. For example, AI algorithms that we use may be flawed or may be based on datasets that are biased or insufficient. In addition, any latency, disruption, or failure in our AI systems or infrastructure could result in delays or errors in our offerings. There also may be real or perceived social harm, unfairness, or other outcomes that undermine public confidence in the use of our products or of AI. In addition, third parties may deploy AI technologies in a manner that reduces customer demand for our products and services.
We rely in part on third parties, including some of our competitors, for the development of and access to new or evolving technologies. These third parties may restrict or prevent our access to, or utilization of, those technologies, as well as their platforms or products. Our ability to develop, provide or incorporate new technologies and adapt our existing products and services or develop future and new products and services using new technologies may be limited or restricted by industry-wide standards, platform providers, payments networks, changes to laws and regulations, changing customer expectations, third-party intellectual property rights, and other factors. If we are unable to develop and incorporate new technologies and adapt to technological changes and evolving industry standards in a timely or cost-effective manner, our business, results of operations, or reputation could be harmed.
LEGAL, REGULATORY AND COMPLIANCE RISKS
Our business is subject to extensive government regulation and oversight. Our failure to comply with extensive, complex, overlapping, and frequently changing rules, regulations, and legal interpretations could materially harm our business.
Our business is subject to complex and changing laws, rules, regulations, policies, and legal interpretations in the markets in which we offer services directly or through partners, including, but not limited to, those governing: banking, credit, deposit taking, cross-border and domestic money transmission, prepaid access, foreign currency exchange, privacy, data protection, data governance, cybersecurity, banking secrecy, digital payments, cryptocurrency, payment services (including payment processing and settlement services), lending, fraud detection, consumer protection, antitrust and competition, economic and trade sanctions, anti-money laundering, and counter-terrorist financing.
Regulators and legislators globally have been establishing, evolving, and increasing their regulatory authority, oversight, and enforcement in a manner that impacts our business. As we introduce new products and services and expand into new markets, including through acquisitions, we expect to become subject to additional regulations, restrictions, and licensing requirements. As we expand and localize our international activities, we expect that our obligations in the markets in which we operate will continue to increase. In addition, because we facilitate sales of goods and provide services to customers worldwide, one or more jurisdictions may claim that we or our customers are required to comply with their laws, which may impose different, more specific, or conflicting obligations on us, as well as broader liability.
Any failure or perceived failure to comply with existing or new laws, regulations, or orders of any government authority (including changes to or expansion of their interpretation) may subject us to significant fines, penalties, monetary damages, injunctive relief, criminal and civil lawsuits, forfeiture of significant assets, and enforcement actions in one or more jurisdictions; result in additional compliance and licensure requirements; cause us to lose existing licenses or prevent or delay us from obtaining additional licenses that may be required for our business; increase regulatory scrutiny of our business; divert management’s time and attention from our business; restrict our operations; lead to increased friction for customers; force us to make changes to our business practices, products, or operations; require us to engage in remediation activities; or delay planned transactions, product launches, or improvements. Any of the foregoing could, individually or in the aggregate, harm our reputation, damage our brands and business, and adversely affect our results of operations and financial condition. The complexity of U.S. federal and state and international regulatory and enforcement regimes, coupled with the global scope of our operations and the evolving global regulatory environment, could result in a single event prompting a large number of overlapping investigations and legal and regulatory proceedings by multiple government authorities in different jurisdictions. While we have implemented policies and procedures designed to help ensure compliance with applicable laws and regulations, there can be no assurance that our employees, contractors, and agents will not violate such laws and regulations.
Payments Regulation
In the U.S., PayPal, Inc. (a wholly-owned subsidiary) holds licenses to operate as a money transmitter (or its equivalent) in the states where such licenses are required, as well as in the District of Columbia and certain territories. If we fail to comply with applicable laws or regulations required to maintain our licenses, we could be subject to liability and/or additional restrictions, forced to cease doing business with residents of certain states or territories, forced to change our business practices, or required to obtain additional licenses or regulatory approvals, which could impose substantial costs and harm our business.
While we currently allow our customers to send payments from approximately 200 markets, we allow customers in only approximately half of those markets (including the U.S.) to also receive payments, in some cases with significant restrictions on the manner in which customers can hold balances or withdraw funds. These restrictions may limit our ability to grow our business.
We principally provide our services to customers in the European Economic Area (“EEA”) through PayPal (Europe) S.à.r.l. et Cie, S.C.A. (“PayPal (Europe)”), our wholly-owned subsidiary that is licensed and subject to regulation as a credit institution in Luxembourg and PayPal U.K. Limited (“PayPal U.K.”), a wholly-owned subsidiary that is subject to regulation as an electronic money institution and a consumer credit firm (and registration as a crypto asset business) in the United Kingdom (“U.K.”) by the Financial Conduct Authority (“FCA”). PayPal (Europe) or PayPal U.K. may be subject to enforcement actions and significant fines and penalties if either violates applicable requirements. If the business activities of PayPal (Europe) exceed certain thresholds, or if the European Central Bank (“ECB”) so determines, PayPal (Europe) may be deemed a significant supervised entity and certain activities of PayPal (Europe) would become directly supervised by the ECB, rather than by the Luxembourg Commission de Surveillance du Secteur Financier. PayPal (Europe) is also subject to regulation by the ECB under the oversight framework for electronic payment instruments, schemes and arrangements (“PISA”). PayPal (Europe) is also subject to regulation by the ECB under the oversight framework for electronic payment instruments, schemes and arrangements (PISA), which may also lead to increased compliance obligations and costs. Compliance with applicable laws and regulations could become more costly and operationally difficult to manage due to additional supervision, potentially inconsistent interpretations, and domestic regulations by various countries in the region.
Applicable regulation relating to payments, anti-money laundering, and digital services, which are key focus areas of regulators and subject to extensive new regulation, could subject us to additional and complex obligations, risks, and associated costs, and impact our ability to expand our business in Europe.
For many of the other markets outside the U.S., we provide services on a cross-border basis through PayPal Pte. Ltd., our wholly-owned subsidiary based in Singapore. PayPal Pte. Ltd. is supervised by the Monetary Authority of Singapore (“MAS”). As of July 1, 2023, PayPal Pte. Ltd. has been issued a Major Payment Institution license by the MAS under the Payment Services Act 2019. In order to maintain this license and certain other licenses or registrations we hold in certain markets, we are required to comply with applicable regulatory requirements, which have imposed and will continue to impose increasing operational complexity and costs for our Singapore and international operations. Moreover, in many non-U.S. markets (other than Singapore) where customers of PayPal Pte. Ltd. or local branches or subsidiaries subject to local regulatory supervision or oversight, as the case may be, are located, there may be uncertainty whether our Singapore-based service is subject only to Singapore law or also to other local laws, and whether such local laws might require a payment processor like us to be licensed as a payments service, bank, financial institution, or otherwise.
There are substantial costs and potential product and operational changes involved in maintaining and renewing licenses, certifications, and approvals, and we could be subject to enforcement actions, fines, penalties, and litigation if we are found to violate any of these requirements. There can be no assurance that we will be able to (or decide to) continue to apply for or obtain any licenses, renewals, certifications, and approvals in any jurisdiction. In certain markets, we may need to rely on local banks or other partners to process payments and conduct foreign currency exchange transactions in local currency, and local regulators may use their authority over such local partners to prohibit, restrict, or limit us from doing business. Any of the foregoing could, individually or in the aggregate, result in substantial additional costs, delay or preclude planned transactions, geographical expansions, or product launches or improvements, require significant and costly operational changes, impose restrictions, limitations, or additional requirements on our business, products and services, or prevent or limit us from providing our products or services in a given market.
Cryptocurrency Regulation and Related Risks
Our customer cryptocurrency offerings could subject us to additional regulations, licensing requirements, or other obligations or liabilities. Within the U.S., we are regulated by the New York State Department of Financial Services as a virtual currency business, which does not qualify us to engage in securities brokerage or dealing activities. The regulatory status of particular cryptocurrencies is unclear under existing law. For example, if the Securities and Exchange Commission (“SEC”) were to assert that any of the cryptocurrencies we support are securities, the SEC could assert that our activities involving that cryptocurrency require securities broker-dealer registration or other obligations under the federal securities laws. The rapidly evolving legislative and regulatory landscapes with respect to cryptocurrency may subject us to additional licensing and regulatory obligations or to additional inquiries or investigations from the SEC or other regulators and governmental authorities, and require us to make product changes, restrict or discontinue product offerings in certain markets, implement additional and potentially costly controls, or take other actions.
In August 2023, a third-party issuer with which we have partnered commercially (the “PYUSD Issuer”) launched a U.S. dollar-denominated stablecoin named PayPal USD (“PYUSD”), which is available to PayPal U.S. customers and Venmo customers. These PayPal and Venmo customers may, if provisioned for external transfers and subject to our sanctions and anti-money laundering controls, send PYUSD to external wallets not controlled by PayPal. The PYUSD Issuer may also allow institutional users to directly purchase PYUSD from the PYUSD Issuer (as per the PYUSD Issuer’s stablecoin terms and conditions). The regulatory treatment of stablecoins is evolving and has drawn significant attention from legislative and regulatory bodies around the world, including the SEC. There are uncertainties on how ongoing changes to federal, state, and international laws and regulations would apply to stablecoins in practice, and we and the PYUSD Issuer may face substantial costs to operationalize and comply with any additional or changed requirement. If we or the PYUSD Issuer fail to comply with regulations, requirements, prohibitions or other obligations applicable to us, we could face regulatory or other enforcement actions, potential fines, penalties, and other consequences. In addition, we could face reputational harm through our relationship with the PYUSD Issuer if the PYUSD Issuer were to face regulatory scrutiny, PYUSD is deemed to be a security, or PYUSD is alleged to be used for transactions in connection with illicit or illegal activities.
We hold our customers’ cryptocurrency assets through one or more third-party custodians. Financial and third-party risks related to our customer cryptocurrency offerings, such as inappropriate access to, theft, or destruction of cryptocurrency assets held by our custodians, insufficient insurance coverage by a custodian to reimburse us for all such losses, a custodian’s failure to maintain effective controls over the custody and settlement services provided to us, a custodian’s inability to purchase or liquidate cryptocurrency holdings, the failure of the PYUSD Issuer to maintain sufficient reserve assets backing PYUSD and defaults on financial or performance obligations by a custodian, banks with which the PYUSD Issuer maintains reserve assets or counterparty financial institutions, could expose our customers and us to loss, and significantly harm our business, financial condition, and reputation.
We have selected custodian partners and the PYUSD Issuer, and may in the future select additional custodian partners and stablecoin issuing entities, that are subject to regulatory oversight, capital requirements, maintenance of audit and compliance industry certifications, and cybersecurity procedures and policies. Nevertheless, any operational disruptions at any such custodian or issuer, or such custodians’ or issuer’s failure to safeguard cryptocurrency holdings (or reserve assets), could result in losses of customer assets, expose us to customer claims, reduce consumer confidence and materially impact our cryptocurrency product offerings and our operating results.
Custodial arrangements to safeguard cryptocurrency assets involve unique risks and uncertainties in the event of a custodian’s bankruptcy. While other types of assets and some custodied cryptocurrencies have been deemed not to be part of the custodian’s bankruptcy estate under various regulatory regimes, bankruptcy courts have not yet definitively determined the appropriate treatment of custodial holdings of digital assets in a bankruptcy proceeding. In the event of a custodian’s bankruptcy, the lack of precedent and the highly fact-dependent nature of the determination could delay or preclude the return of custodied cryptocurrency assets to us or to our customers. Although we contractually require our custodians to segregate our customer assets and not commingle them with proprietary or other assets, we cannot be certain that these contractual obligations, even if duly observed by a custodian, will be effective in preventing such assets from being treated as part of the custodian’s estate under bankruptcy or other insolvency law. In that event, our claim on behalf of such customers against a custodian’s estate for our customers’ cryptocurrency assets could be treated as a general unsecured claim against the custodian, in which case our customers could seek to hold us liable for any resulting losses.
Lending Regulation
We hold a number of U.S. state lending licenses for our U.S. consumer short-term installment loan product, which is subject to federal and state laws governing consumer credit and debt collection. Similarly, the consumer short-term installment loan products that we offer outside the U.S. may be subject to consumer credit legislation, licensing requirements, consumer lending laws, consumer protection or banking transparency regulations. Increased global regulatory focus on short-term installment products and consumer credit more broadly could result in laws or regulations requiring changes to our policies, procedures, operations, and product offerings, and restrict or limit our ability to offer credit products. Increased global regulatory focus on short-term installment products and consumer credit more broadly could result in laws or regulations requiring changes to our policies, procedures, operations, and product offerings, and restrict or limit our ability to offer credit products, and we could be subject to enforcement action, fines, and litigation if we are found to violate any aspects of applicable law or regulations.
Consumer Protection
Violations of consumer protection law in applicable jurisdictions, including both federal and state laws and regulations in the U.S., such as the Electronic Fund Transfer Act (“EFTA”) and Regulation E as implemented by the Consumer Financial Protection Bureau (“CFPB”), could result in the assessment of significant actual damages or statutory damages or penalties (including treble damages in some instances) and plaintiffs’ attorneys’ fees. We are subject to, and have paid amounts in settlement of, lawsuits containing allegations that our business violated the EFTA and Regulation E or otherwise advance claims for relief relating to our business practices (e.g., that we improperly held consumer funds or otherwise improperly limited consumer accounts).
In addition, the CFPB, pursuant to its market-monitoring authority, may require us to provide extensive information on our products and offerings. From time to time, we have received orders from the CFPB pursuant to such market-monitoring authority requiring us to provide, among other items, extensive information on our payment products, including with respect to the collection, use of, and access to data and consumer protections, as well as our Buy Now, Pay Later offerings. In 2021, we received separate orders from the CFPB pursuant to such market-monitoring authority requiring us to provide, among other items, extensive information on our payment products, including with respect to the collection, use of, and access to data and consumer protections, as well as our Buy Now, Pay Later offerings.
Anti-Money Laundering and Counter-Terrorist Financing; Economic and Trade Sanctions
Regulators globally continue to increase standards and expectations regarding anti-money laundering and counter-terrorist financing, and to expand the scope of existing laws and regulations to emerging products and markets, which may require us to revise or expand our compliance program globally and/or in specific jurisdictions, including the procedures we use to verify the identity of our customers and to monitor international and domestic transactions. Such changes could have the effect of making compliance more costly and operationally difficult to manage, lead to increased friction for customers, and result in a decrease in business. Regulators regularly re-examine the transaction volume thresholds at which we must obtain and keep applicable records or the circumstances in which we must verify identities of customers, and any change to such obligations could result in greater compliance costs and impact our business. We are also required to comply with economic and trade sanctions administered by the U.S., the European Union (“EU”) and its member states, the U.K., and other jurisdictions in which we operate. Non-compliance with anti-money laundering laws and regulations or economic and trade sanctions may subject us to significant fines, penalties, lawsuits, and enforcement actions, result in regulatory sanctions and additional compliance requirements, increase regulatory scrutiny of our business, restrict our operations, and damage our reputation and brands. In the ordinary course of business we may identify and voluntarily report, and have reported, potential compliance issues to regulatory authorities, including the U.S. Department of the Treasury’s Office of Foreign Assets Control (“OFAC”), and our compliance history may be considered by OFAC and other regulators as part of any potential future investigation of our sanctions regulation.
Privacy and Protection of Customer Data
The legal and regulatory environment relating to privacy and data protection laws continues to develop and evolve in ways we cannot predict, including with respect to technologies such as cloud computing, (generative) AI, machine learning, cryptocurrency, and blockchain technology. Any failure or alleged failure by us to comply with our privacy policies as communicated to customers or with privacy and data protection laws relating to our collection, use, storage, transfer, or sharing of customer data with third parties could result in proceedings or actions against us by data protection authorities, other government agencies, our customers or others, which could subject us to significant fines, penalties, judgments, and negative publicity, require us to change our business practices, increase the costs and complexity of compliance, result in reputational harm, and materially harm our business. Compliance with inconsistent privacy and data protection laws may also restrict or limit our ability to provide products and services to our customers.
Many jurisdictions in which we operate globally have enacted, or are in the process of enacting, data privacy legislation or regulations aimed at creating and enhancing individual privacy rights, including with respect to the use of personal data for personalization and cross-contextual advertising. For example, numerous U.S. states have enacted or are in the process of enacting state level data privacy laws and regulations governing the collection, use, and retention of their residents’ personal information as well as specific privacy obligations around youth. The continued proliferation of privacy laws in the jurisdictions in which we operate is likely to result in a disparate array of privacy rules with unaligned or conflicting provisions, accountability requirements, individual rights, and national or local enforcement powers, which may subject us to increased regulatory scrutiny and business costs and could lead to unintended consumer confusion.
Artificial Intelligence (AI)
The legal and regulatory landscape surrounding AI technologies is rapidly evolving and uncertain, including in the areas of consumer protection, intellectual property, cybersecurity, and privacy and data protection. In addition, there is uncertainty around the validity and enforceability of intellectual property rights related to the use, development, and deployment of AI-generated outputs. Compliance with new and emerging laws, regulations or industry standards relating to AI in the U.S. and internationally, such as U.S. state regulations and the Artificial Intelligence Act in the EU, may impose significant operational costs and may limit our ability to develop, deploy or use existing or future AI technologies. As a result, our ability to adapt our existing products and services or develop future and new products and services using AI may be limited or restricted, which could adversely impact our business.
We are subject to regulatory scrutiny and may be subject to legal proceedings under antitrust and competition laws.
We are subject to scrutiny by various government agencies regarding antitrust and competition laws and regulations in the U.S. and internationally, including in connection with proposed or implemented business combinations, acquisitions, investments, partnerships, commercial agreements and business practices. Some jurisdictions also provide private rights of action for competitors or consumers to assert claims of anticompetitive conduct. Companies and government agencies have in the past alleged, and may in the future allege, that our actions (or actions of companies with which we have commercial agreements) violate the antitrust or competition laws in the U.S. or other jurisdictions in which we operate or otherwise constitute unfair competition, or that our products and services are used so broadly that otherwise uncontroversial business practices could be deemed anticompetitive. Any claims or investigations, even if without merit, may be costly to defend or respond to, involve negative publicity, cause substantial diversion of management’s time and effort, and could result in reputational harm, significant judgments, fines and other remedial actions against us, require us to change our business practices, make product or operational changes, or delay or preclude planned transactions, product launches or improvements.
We are regularly subject to general litigation, regulatory scrutiny, and government inquiries.
We are regularly subject to claims, individual and class action lawsuits, arbitration proceedings, government and regulatory investigations, inquiries, actions or requests, and other proceedings alleging violations of laws, rules, and regulations with respect to competition, antitrust, intellectual property, privacy, data protection, information security, anti-money laundering, counter-terrorist financing, sanctions, anti-bribery, anti-corruption, consumer protection (including unfair, deceptive, or abusive acts or practices), the terms of our customer agreements, fraud, accessibility, securities, tax, labor and employment, commercial disputes, services, charitable fundraising, contract disputes, escheatment of unclaimed or abandoned property, product liability, use of our services for illegal purposes, the matters described in “Note 13—Commitments and Contingencies—Litigation and Regulatory Matters—General Matters” to our consolidated financial statements, and other matters. We expect that the number and significance of these disputes and inquiries will continue to increase as our products, services, and business expand in complexity, scale, scope, and geographic reach, including through acquisitions of businesses and technology.
Investigations and legal proceedings are inherently uncertain, expensive and disruptive to our operations, and could result in substantial judgments, fines, penalties or settlements, substantial diversion of management’s time and effort, negative publicity, reputational harm, criminal sanctions, or orders that prevent or limit us from offering certain products or services; require us to change our business practices or customer agreement terms in ways that may increase costs or reduce revenues, develop non-infringing or otherwise altered products or technologies, or pay substantial royalty or licensing fees; or delay or preclude planned transactions or product launches or improvements. Determining legal reserves or possible losses from such matters involves significant estimates and judgments and may not reflect the full range of uncertainties and unpredictable outcomes. We may be exposed to losses in excess of the amount recorded, and such amounts could be material. If our estimates and assumptions change or prove to have been incorrect, this could have a material adverse effect on our business, financial position, results of operations, or cash flows.
Third parties may allege that we are infringing their patents and other intellectual property rights.
We are frequently subject to litigation based on allegations of infringement or other violations of intellectual property rights. Intellectual property infringement claims against us may result from, among other things, our expansion into new business areas, including through acquisitions of businesses and technology, or new or expanded products and services and their convergence with technologies not previously associated with areas related to our business, products and services. The ultimate outcome of any allegation or claim is often uncertain and any such claim, with or without merit, may be time-consuming to defend, result in costly litigation, divert management’s time and attention from our business, result in reputational harm, and require us to, among other things, redesign or stop providing our products or services, pay substantial amounts to settle claims or lawsuits, satisfy judgments, or pay substantial royalty or licensing fees.
We may be unable to protect or enforce our intellectual property.
The protection of our proprietary rights, including our trademarks, copyrights, domain names, trade dress, patents and trade secrets, is important to the success of our business. Effective protection of our proprietary rights may not be available in every jurisdiction in which we offer our products and services. Although we have generally taken measures to protect our intellectual property, there can be no assurance that we will be successful in protecting or enforcing our rights in every jurisdiction, that our contractual arrangements will prevent or deter third parties from infringing or misappropriating our intellectual property, or that third parties will not independently develop equivalent or superior intellectual property rights. We may be required to expend significant time and resources to prevent infringement and enforce our rights, and we may be unable to discover or determine the extent of any unauthorized use of our proprietary rights. If we are unable to prevent third parties from infringing or otherwise violating our proprietary rights, the uniqueness and value of our products and services could be adversely affected, the value of our brands could be diminished, and our business could be adversely affected. We expect to continue to license in the future certain of our proprietary rights, such as trademarks or copyrighted material, to others. These licensees may take actions that diminish the value of our proprietary rights or harm our reputation. Any failure to adequately protect or enforce our proprietary rights, or significant costs incurred in doing so, could diminish the value of our intangible assets and materially harm our business.
BUSINESS AND OPERATIONS RISKS
We face substantial and increasingly intense competition worldwide in the global payments industry.
The global payments industry is highly competitive, dynamic, and innovative, and increasingly subject to regulatory scrutiny and oversight. Many of the areas in which we compete evolve rapidly with innovative and disruptive technologies, shifting user preferences and needs, price sensitivity of consumers and merchants, and frequent introductions of new products and services. Competition also may intensify as new competitors emerge, businesses combine or enter into new partnerships, and established companies in other segments expand to become competitive with various aspects of our business.
We compete with a wide range of businesses in every aspect of our business. Some of our current and potential competitors are or may be larger than we are, have larger customer bases, greater brand recognition, longer operating histories, a dominant or more secure position, broader geographic scope, volume, scale, resources, and market share than we do, or offer products and services that we do not offer. Other competitors are or may be smaller or younger companies that may be more agile in responding to regulatory and technological changes and customer preferences. Our competitors may devote greater resources to the development, promotion, and sale of products and services, and/or offer lower prices or more effectively offer their own innovative programs, products, and services. We often partner with other businesses, and the ability to continue developing these partnerships is important to our business. Competition for relationships with these partners is intense, and there can be no assurance that we will be able to continue to establish, grow, or maintain these partner relationships. If we are unable to differentiate our products and services from those of our competitors, drive value for our customers and adoption of our products and services, or effectively and efficiently align our resources with our goals and objectives, we may not be able to compete effectively, which could negatively impact our results of operations and financial condition.
Changes to payment card networks or bank fees, rules, or practices could harm our business.
To process certain transactions, we must comply with applicable payment card, bank or other network (collectively, “network”) rules. The rules govern all aspects of a transaction on the networks, including fees and other practices. From time to time, the networks have increased the fees and assessments that they charge for transactions that access their networks. Certain networks have also imposed special fees or assessments for transactions that are executed through a digital wallet such as the one that PayPal offers. Our payment processors may have the right to pass any increases in fees and assessments on to us and to increase their own fees for processing. Any increase in interchange fees, special fees, or assessments for transactions that we pay to the networks or our payment processors could make our pricing less competitive, increase our operating costs, and reduce our operating income, which could materially harm our business, financial condition, and results of operations.
In some jurisdictions, government regulations have required payment card networks to reduce or cap interchange fees. Any changes in interchange fee rates or limitations, or their applicability to PayPal’s products and services, could adversely affect our competitive position against payment card service providers and the revenue we earn from our branded card programs, require us to change our business practices, and harm our business.
We may also be subject to fines and other penalties assessed by networks resulting from any rule violations by us or our merchants. The networks set and interpret their rules, and have alleged from time to time that various aspects of our business model violate these rules, or our agreements with the networks. Such allegations may result in significant fines, penalties, damages, or other liabilities, adversely impact benefits to us under the agreements, or require changes in our business practices that may be costly and adversely affect our business, results of operations and financial condition. The network rules may also increase the cost of, impose restrictions on, or otherwise impact the development of, our products which may negatively affect product deployment and adoption. The networks could adopt new operating rules or interpret or re-interpret existing rules that we or our payment processors might find difficult or impractical to follow, or costly to implement, which could require us to make significant changes to our products, increase our operational costs, and negatively impact our business. If we become unable or limited in our ability to accept certain payment types such as debit or credit cards, our business would be materially and adversely affected.
Changes in how consumers fund their PayPal transactions could harm our business.
We pay transaction fees when consumers fund payment transactions using credit cards, lower fees when consumers fund payments with debit cards, and nominal fees when consumers fund payment transactions by electronic transfer of funds from bank accounts, from an existing PayPal account balance or Venmo account balance, or through our PayPal branded consumer credit products. Our financial performance is sensitive to changes in the rate at which our consumers fund payments using payment cards, which can significantly increase our costs. Although we provide consumers in certain markets with the opportunity to use their existing PayPal account balance or Venmo account balance to fund payment transactions, some of our consumers may prefer to use payment cards, which may offer features and benefits not provided as part of their PayPal accounts. Any increase in the portion of our payment volume funded using payment cards or in fees associated with our funding mix, or other events or developments that make it more difficult or costly for us to fund transactions with lower-cost funding options, could materially and adversely affect our financial performance and significantly harm our business.
Our credit products expose us to additional risks.
We offer credit products to a wide range of consumers and merchants in the U.S. and various international markets. The financial success of these products depends largely on the effective management of related risk. The credit decision-making process for our consumer credit products uses proprietary methodologies and credit algorithms and other analytical techniques designed to analyze the credit risk of specific consumers based on, among other factors, their past purchase and transaction history with PayPal or Venmo and their credit scores. Similarly, proprietary risk models and other indicators are applied to assess merchants who desire to use our merchant financing offerings to help predict their ability to repay. These risk models may not accurately predict the creditworthiness of a consumer or merchant due to inaccurate assumptions, including those related to the particular consumer or merchant, market conditions, economic environment, or limited transaction history or other data. The accuracy of these risk models and the ability to manage credit risk related to our credit products may also be affected by legal or regulatory requirements, changes in consumer behavior, changes in the economic environment, issuing bank policies, and other factors.
We are subject to the risk that account holders who use our credit products will default on their payment obligations. The non-payment rate among account holders may increase due to, among other factors, changes to underwriting standards, risk models not accurately predicting the creditworthiness of a user, worsening economic conditions, such as a recession or government austerity programs, increases in prevailing interest rates, and high unemployment rates. Account holders who miss payments often fail to repay their loans, and account holders who file for protection under the bankruptcy laws generally do not repay their loans. Further, laws or regulations may limit the assessment of late fees or penalties on certain credit products, which could negatively impact our revenue share arrangement with an independent chartered financial institution with respect to our U.S. consumer credit products. Any deterioration in the performance of loans facilitated through our platform or unexpected losses on such loans may increase the risk of potential charge-offs, increase our allowance for loans and interest receivable, negatively impact our revenue share arrangement (as discussed in “Item 7. Management’s Discussion and Analysis of Financial Condition and Results of Operations — Key Metrics and Financial Results”), and materially and adversely affect our financial condition and results of operations.
We generally rely on the activities and charters of unaffiliated financial institutions to provide PayPal and Venmo branded consumer credit and merchant financing offerings to our U.S. customers. As a service provider to these unaffiliated financial institutions, which are federally supervised U.S. financial institutions, we are subject from time to time to examination by their federal banking regulators. In the event of any termination or interruption in a partner bank’s ability or willingness to lend, our ability to offer consumer credit and merchant financing products could be interrupted or limited, which could materially and adversely affect our business. We may be unable to reach a similar arrangement with another unaffiliated financial institution on favorable terms or at all. Obtaining and maintaining the lending licenses required for us to originate such loans ourselves would be a costly, time-consuming and uncertain process, and would subject us to additional laws and regulatory requirements, which could significantly increase our costs and compliance obligations and require us to change our business practices.
Merchant loans under our U.S. PayPal Working Capital (“PPWC”) and PayPal Business Loan (“PPBL”) products and certain U.S. installment loan products are provided by a state-chartered industrial bank under a program agreement with us, and we acquire the receivables generated by those loans from the state-chartered bank after origination. In June 2020, the Federal Deposit Insurance Corporation (“FDIC”) approved a final rule clarifying that loans validly originated by state-chartered banks or insured branches of foreign banks remain valid throughout the lifetime of the loan, reflecting a similar rule finalized by the Office of the Comptroller of Currency (“OCC”) in May 2020 for nationally chartered banks. The final rule reaffirms and codifies the so-called “valid-when-made doctrine,” which provides that the permissibility of an interest rate for a loan is determined when the loan is made and will not be affected by subsequent events such as sale, assignment, or other transfer. While a number of state attorneys general have unsuccessfully challenged these FDIC and OCC rules, there remains some uncertainty whether non-bank entities purchasing loan receivables originated by FDIC-insured, state-chartered banks may rely on federal preemption of state usury laws and other state laws. An adverse outcome of these or similar challenges, or changes to applicable laws and regulations or regulatory policy, could materially impact our U.S. PPWC and PPBL products, certain installment products, and our business.
We currently purchase receivables related to our U.S. PayPal-branded merchant financing offerings and certain U.S. consumer installment loan products and extend credit for our consumer and merchant products outside the U.S. through our international subsidiaries. In June 2023, we entered into a multi-year agreement to sell U.K. and European buy now, pay later (“BNPL”) loan receivables originated by PayPal (Europe) and PayPal U.K., consisting of the sale of a substantial majority of the U.K. and European BNPL loan portfolio held on PayPal (Europe)’s balance sheet at the closing of the transaction and a forward-flow arrangement for the sale of future originations of eligible loans. The sale of future eligible receivables is subject to certain conditions. If these conditions are not satisfied or waived or if the parties are unable to fulfill their obligations under these arrangements, the sale of these receivables could be delayed and we may not realize the expected benefits of this arrangement.
We rely on third parties in many aspects of our business, which creates additional risk.
We rely on third parties in many aspects of our business, including, but not limited to, networks, banks, payment processors, and payment gateways that link us to the payment card and bank clearing networks to process transactions; unaffiliated third-party lenders to originate our U.S. credit products to consumers, U.S. merchant financing, and branded credit card products; branded debit card and savings products issued by unaffiliated banks; cryptocurrency custodial service providers; and external business partners and contractors who provide key functions (including, but not limited to, data center facilities and cloud computing, information technology, and outsourced customer support and product development functions). We are subject to additional risks inherent in engaging and relying upon third-party providers, including operational, legal, regulatory, information security, reputational, commercial, and resiliency risks. If we are unable to effectively manage our third-party relationships, these third parties are unable to meet their obligations to us, we are overly reliant on certain relationships, or we experience substantial disruptions in these relationships (including interruptions to the availability of our products and services), our operations, results of operations, and financial results could be adversely impacted.
Additionally, our relationships with third parties inherently involve a lesser degree of control over business operations, governance, and compliance, which potentially increases our financial, legal, reputational, and operational risk.
Any factors that reduce cross-border trade or make such trade more difficult could harm our business.
Cross-border trade (i.e., transactions where the merchant and consumer are in different countries) is an important source of our revenues and profits. Cross-border transactions generally provide higher revenues and operating income than similar transactions that take place within a single country or market. In certain markets, cross-border trade represents our primary (and in some instances our only) offerings. Cross-border trade may be negatively impacted by various factors including foreign exchange rate fluctuations, tariffs, trade barriers or restrictions, sanctions, import or export controls, and the interpretation and application of laws of multiple jurisdictions in the context of cross-border trade and foreign exchange. Any factors that increase the costs of cross-border trade for us or our customers or that restrict, delay, or make cross-border trade more difficult or impractical could reduce our cross-border transactions and volume, negatively impact our revenues and profits, and harm our business.
Failure to deal effectively with fraud, abusive behaviors, bad transactions, and negative customer experiences may increase our loss rate and could negatively impact our business and severely diminish merchant and consumer confidence in and use of our services.
We expect that third parties will continue to attempt to abuse access to and misuse our payments services to commit fraud by, among other things, creating fictitious PayPal accounts using stolen or synthetic identities or personal information, taking over customer accounts or creating fraudulent accounts, making transactions with stolen financial instruments, abusing or misusing our services for financial gain, or fraudulently inducing users of our products and services into engaging in fraudulent transactions. Due to the nature of PayPal’s digital payments services, third parties may seek to engage in abusive schemes or fraud attacks that are often difficult to detect and may be deployed at a scale that would otherwise not be possible in physical
transactions. Measures to detect and reduce the risk of fraud and abusive behavior are complex, require continuous improvement, and may not be effective in detecting and preventing fraud, particularly new and continually evolving forms of fraud or in connection with new or expanded product offerings. If these measures are not effective, our business could be negatively impacted. We also incur substantial losses from erroneous transactions and situations where linked accounts designated by customers to fund PayPal transactions have insufficient funds or are otherwise unavailable to fund the payments, or the payment is initiated to an unintended recipient in error. Numerous and evolving fraud schemes and misuse of our payments services could subject us to significant costs and liabilities, require us to change our business practices, cause us to incur significant remediation costs, lead to loss of customer confidence in, or decreased use of, our products and services, damage our reputation and brands, divert the attention of management from the operation of our business, and result in significant compensation or contractual penalties from us to our customers and their business partners as a result of losses or claims. While we actively seek to recover transaction losses where possible, such recoveries may be insufficient to compensate us for such losses.
Our purchase and seller protection programs (“protection programs”) are intended to reduce the likelihood of losses for consumers and merchants from unauthorized and fraudulent transactions. Our purchase protection program also protects consumers who do not receive the item ordered or who receive an item that is significantly different from its description. We incur substantial losses from our protection programs as a result of disputes filed by our customers. While we may seek to recover losses from our protection programs from the merchant, we ultimately may not be able to fully recover such losses (for example, if the merchant is unwilling or unable to pay, the transaction involves a fraudulent merchant, or the merchant provides sufficient evidence that the item was delivered).
In addition, consumers who pay through PayPal or Venmo may have reimbursement rights from their payment card issuer, which in turn will seek recovery from us. If losses incurred by us related to payment card transactions become excessive, we could lose the ability to accept payment cards for payment, which would negatively impact our business. Regulators and card networks may also adapt error resolution and chargeback requirements to account for evolving forms of fraud, which could increase PayPal’s exposure to fraud losses and impact the scope of coverage of our protection programs. Increases in our loss rate, including as a result of changes to the scope of transactions covered by our protection programs, could negatively impact our business and results of operations. See “Note 13—Commitments and Contingencies—Protection Programs” to our consolidated financial statements.
Failure to effectively monitor and evaluate the financial condition of our merchants may expose PayPal to losses. In the event of the bankruptcy, insolvency, business failure, or other business interruption of a merchant that sells goods or services in advance of the date of their delivery or use (e.g., airline, cruise, or concert tickets, custom-made goods, and subscriptions), we could be liable to the buyers of such goods or services, including through our purchase protection program or through chargebacks on payment cards used by customers to fund their purchase. Allowances for transaction losses that we have established may be insufficient to cover incurred losses.
Use of our payments services for illegal activities or improper purposes could harm our business.
We expect that users will continue to attempt to use our payments platform for illegal activities or improper uses, including money laundering, terrorist financing, sanctions evasion, illegal online gambling, fraudulent sales of goods or services, illegal telemarketing activities, illegal sales of prescription medications or controlled substances, piracy of software, movies, music, and other copyrighted, trademarked or digital goods, bank fraud, child pornography, human trafficking, prohibited sales of alcoholic beverages or tobacco products, securities fraud, pyramid or Ponzi schemes, or the facilitation of other illegal or improper activity. Moreover, certain activity that may be legal in one jurisdiction may be illegal in another jurisdiction, and a merchant may be found responsible for intentionally or inadvertently importing or exporting illegal goods, resulting in liability for us. Owners of intellectual property rights or government authorities may seek to bring legal action against providers of payments solutions, including PayPal, that are peripherally involved in the sale of infringing or allegedly infringing items by a user. While we invest in measures intended to prevent and detect illegal activities that may occur on our payments platform, these measures may not be effective in detecting and preventing illegal activity or improper uses, and we may be subject to claims, individual and class action lawsuits, and government and regulatory requests, inquiries, or investigations that could result in liability, restrict our operations, impose additional restrictions or limitations on our business or require us to change our business practices, harm our reputation, increase our costs, and negatively impact our business. 
Investigations and legal proceedings are inherently uncertain, expensive and disruptive to our operations, and could result in substantial judgments, fines, penalties or settlements, negative publicity, substantial diversion of management’s time and effort, reputational harm, criminal sanctions, or orders that prevent or limit us from offering certain products or services; require us to change our business practices in costly ways, develop non-infringing or otherwise altered products or technologies, or pay substantial royalty or licensing fees; or delay or preclude planned transactions or product launches or improvements.
Acquisitions, dispositions, strategic investments, and other strategic transactions could result in operating difficulties and could harm our business.
We expect to continue to consider and evaluate a wide array of potential strategic transactions as part of our overall business
strategy, including business combinations, acquisitions, and dispositions of certain businesses, technologies, services, products, and other assets; strategic investments; and commercial and strategic partnerships (collectively, “strategic transactions”). At any given time, we may be engaged in discussions or negotiations with respect to one or more strategic transactions, any of which could, individually or in the aggregate, be material to our financial condition and results of operations. There can be no assurance that we will be successful in identifying, negotiating, consummating and integrating transaction opportunities. Strategic transactions may involve additional significant challenges, uncertainties, and risks, including challenges of obtaining regulatory or other approvals, integrating new employees, products, systems, technologies, operations, and business cultures; challenges associated with operating acquired businesses in markets or business areas in which we may have limited or no experience; disruption of our ongoing operations and diversion of our management’s attention; inadequate data security, cybersecurity, or operational and information technology resilience; failure to identify, or our underestimation of, commitments, liabilities, deficiencies and other risks associated with acquired businesses or assets; potential exposure to new or incremental risks associated with acquired businesses and entities, strategic investments or other strategic transactions, including potential new or increased regulatory oversight and uncertain or evolving legal, regulatory, and compliance requirements, particularly with respect to companies in new or developing businesses or industries; challenges associated with dispositions of business or operations, including disruption to other parts of our business, potential loss of employees or customers, the transfer of technology and/or certain intellectual property rights to third-party purchasers, or exposure to 
unanticipated liabilities or ongoing obligations to us following any such dispositions; failure of the transaction to advance our business strategy or for its anticipated benefits to materialize; potential impairment of goodwill or other acquisition-related intangible assets; and the potential for our acquisitions to result in dilutive issuances of our equity securities or the incurrence of significant additional debt. Strategic transactions are inherently risky, may not be successful, and may harm our business, results of operations, and financial condition.
Strategic investments in which we have a minority ownership stake inherently involve a lesser degree of influence over business operations. The success of our strategic investments may be dependent on controlling shareholders, management, or other persons or entities that may have business interests, strategies, or goals that are inconsistent with ours. Business decisions or other actions or omissions of the controlling shareholders, management, or other persons or entities who control companies in which we invest may adversely affect the value of our investment, result in litigation or regulatory action against us, and damage our reputation.
Our international operations subject us to increased risks, which could harm our business.
Our international operations generate a significant portion of our net revenues. Our international operations subject us to significant challenges, uncertainties, and risks, including, but not limited to, local regulatory, licensing, reporting, and legal obligations; costs and challenges associated with operating in markets in which we may have limited or no experience, including effectively localizing our products and services and adapting them to local preferences; difficulties in developing, staffing, and simultaneously managing a large number of varying foreign operations as a result of distance, language, and cultural differences and in light of varying laws, regulations, and customs; differing employment practices and the existence of works councils; difficulties in recruiting and retaining qualified employees and maintaining our company culture; fluctuations in foreign exchange rates; exchange control regulations; profit repatriation restrictions; potential tariffs, sanctions, fines, or other trade barriers or restrictions; import or export regulations; compliance with U.S. and foreign anti-bribery, anti-corruption, sanctions, anti-money laundering and counter-terrorist financing laws and regulations; the interpretation and application of laws of multiple jurisdictions; and national or regional political, economic, or social instability. In addition, some countries have enacted or are considering data localization or residency laws, which require that certain data be maintained, stored and/or processed within their country of origin. Maintaining local data centers in individual countries could significantly increase our operating costs.
Our international operations also may heighten many of the other risks described in this “Risk Factors” section. Any violations of the complex foreign and U.S. laws, rules and regulations that may apply to our international operations may result in lawsuits, enforcement actions, criminal actions, or sanctions against us and our directors, officers, and employees; prohibit or require us to change our business practices; and damage our reputation. Although we have implemented policies and procedures designed to promote compliance with these laws, there can be no assurance that our employees, contractors, or agents will not violate our policies. These risks are inherent in our international operations, may increase our costs of doing business internationally, and could materially and adversely affect our business.
Global and regional economic conditions could harm our business.
Adverse global and regional economic conditions such as turmoil affecting the banking system or financial markets, including, but not limited to, tightening in the credit markets, extreme volatility or distress in the financial markets (including the fixed
income, credit, currency, equity, and commodity markets), unemployment, consumer debt levels, recessionary or inflationary pressures, supply chain issues, reduced consumer confidence or economic activity, government fiscal, monetary and tax policies, U.S. and international trade relationships, agreements, treaties, tariffs and restrictive actions, the inability of a government to enact a budget in a fiscal year, government shutdowns, government austerity programs, geopolitical conditions or events, and other negative financial news or macroeconomic developments could have a material adverse impact on the demand for our products and services, including a reduction in the volume and size of transactions on our payments platform. Additionally, any inability to access the capital markets when needed due to volatility or illiquidity in the markets, liquidity needs due to unanticipated reductions in customer balances, or increased regulatory liquidity and capital requirements may strain our liquidity position. Such conditions may also expose us to fluctuations in foreign exchange rates or interest rates that could materially and adversely affect our financial results.
If our reputation or our brands are damaged, our business and operating results may be harmed.
Our reputation and brands are globally recognized, important to our business, and affect our ability to attract and retain our customers. There are numerous ways our reputation or brands could be damaged. We may experience scrutiny or criticism from customers, partners, employees, government entities, media, advocacy groups, and other influencers or stakeholders that disagree with, among other things, our product offering decisions, internal policies, or public policy positions. Damage to our reputation or our brands may result from, among other things, new features, products, services, operational efforts, or terms of service (or changes to the same), or our decisions regarding user privacy, data practices, or information security. The proliferation of social media may increase and compound the likelihood, speed, magnitude, and unpredictability of negative brand events. If our brands or reputation are damaged, our business and operating results may be adversely impacted.
Real or perceived inaccuracies in our key metrics may harm our reputation and negatively affect our business.
Our key metrics are calculated using internal company data based on the activity we measure on our payments platform and compiled from multiple systems, including systems that are internally developed or acquired through business combinations. While the measurement of our key metrics is based on what we believe to be reasonable methodologies and estimates, there are inherent challenges and limitations in measuring our key metrics globally at scale. The methodologies used to calculate our key metrics require significant judgment. We regularly review our processes for calculating these key metrics, and from time to time we may make adjustments to improve the accuracy or relevance of our metrics. For example, we continuously apply models, processes and practices designed to detect and prevent fraudulent account creation on our platforms, and work to improve and enhance those capabilities. When we detect a significant volume of illegitimate activity, we generally remove the activity identified from our key metrics. Although such adjustments may impact key metrics reported in prior periods, we generally do not update previously reported key metrics to reflect these subsequent adjustments unless the retrospective impact of process improvements or enhancements is determined by management to be material. Further, as our business develops, we may revise or cease reporting metrics if we determine that such metrics are no longer appropriate measures of our performance. If investors, analysts, or customers do not consider our reported measures to be sufficient or to accurately reflect our business, we may receive negative publicity, our reputation may be harmed, and our business may be adversely impacted.
Environmental, social and governance (“ESG”) issues may have an adverse effect on our business, financial condition and results of operations and damage our reputation.
Various jurisdictions are adopting or considering new laws and regulations that expand mandatory disclosure, reporting and diligence requirements with respect to ESG matters. If we are unable to comply with new laws and regulations concerning ESG matters or fail to meet investor, industry or stakeholder expectations and standards, our reputation may be harmed, customers may choose to refrain from using our products and services, we may be subject to fines, penalties, regulatory or other enforcement actions, and our business or financial condition may be adversely affected. If our ESG-related data, processes and reporting are viewed as incomplete or inaccurate, or if we fail to achieve progress with respect to ESG-related goals on a timely basis or at all, we may be viewed negatively by stakeholders concerned about these matters. Moreover, investors, customers, partners, media, government entities, and other stakeholders (including those in support of or in opposition to ESG principles) may have a negative view of us to the extent we are perceived to have not responded appropriately to their ESG concerns or take positions that are contrary to their views or expectations.
We recognize that climate-related risks may impact our business. For example, California, where our headquarters are located, has historically experienced, and is projected to continue to experience, extreme weather and natural disaster events more frequently, including drought, flooding, heat waves, and wildfires. Such events may disrupt our business and may cause us to experience additional costs to maintain or resume operations.
If one or more of our counterparty financial institutions default on their financial or performance obligations to us or fail, we may incur significant losses.
We have significant amounts of cash, cash equivalents, receivables outstanding, and other investments on deposit or in accounts with banks or other financial institutions in the U.S. and international jurisdictions. As part of our foreign exchange hedging activities, we regularly enter into transactions involving derivative financial instruments with various financial institutions. Certain banks and other financial institutions are also lenders under our credit facilities. We regularly monitor our concentration of, and exposure to counterparty risk, and actively manage this exposure to mitigate the associated risk. Despite these efforts, we may be exposed to the risk of default on obligations by, or deteriorating operating results or financial condition or failure of, these counterparty financial institutions. If one of our counterparty financial institutions were to become insolvent, placed into receivership, or file for bankruptcy, our ability to recover losses incurred as a result of default or to access or recover our assets that are deposited, held in accounts with, or otherwise due from, such counterparty may be limited due to the insufficiency of the failed institutions’ estate to satisfy all claims in full or the applicable laws or regulations governing the insolvency, bankruptcy, or resolution proceedings. In the event of default on obligations by, or the failure of, one or more of these counterparties, we could incur significant losses, which could negatively impact our results of operations and financial condition.
If we are unable, or perceived as unable, to effectively manage customer funds, our business could be harmed.
We hold a substantial amount of funds belonging to our customers, including balances in customer accounts and funds being remitted to sellers of goods and services or recipients of person-to-person transactions. In certain jurisdictions where we operate, we are required to comply with applicable regulatory requirements with respect to customer balances. Our success is reliant on public confidence in our ability to effectively manage our customers’ balances and handle substantial transaction volumes and amounts of customer funds. Any failure to manage customer funds in compliance with applicable regulatory requirements, or any public loss of confidence in us or our ability to effectively manage customer balances, could lead customers to discontinue or reduce their use of our products or reduce customer balances held with us, which could significantly harm our business.
There are risks associated with our indebtedness.
We have incurred indebtedness, and we may incur additional indebtedness in the future. Our ability to pay interest and repay the principal for our indebtedness is dependent upon our ability to manage our business operations and generate sufficient cash flows to service such debt. Our outstanding indebtedness and any additional indebtedness we incur may have significant consequences, including the need to use a significant portion of our cash flow from operations and other available cash to service our indebtedness, thereby reducing the funds available for other purposes, including capital expenditures, acquisitions, strategic investments, and share repurchases; the reduction of our flexibility in planning for or reacting to changes in our business, competitive pressures and market conditions; and limits on our ability to obtain additional financing for working capital, capital expenditures, acquisitions, strategic investments, share repurchases, or other general corporate purposes.
Our revolving credit facilities and the indentures for our senior unsecured notes pursuant to which certain of our outstanding debt securities were issued contain financial and other covenants that restrict or could restrict, among other things, our business and operations. If we fail to pay amounts due under a debt instrument or breach any of its covenants, the lenders or noteholders would typically have the right to demand immediate repayment of all borrowings thereunder (subject in certain cases to a grace or cure period). Moreover, any such acceleration and required repayment of, or default in respect of, our indebtedness could, in turn, constitute an event of default under other debt instruments, thereby resulting in the acceleration and required repayment of our indebtedness. Any of these events could materially adversely affect our liquidity and financial condition.
Changes by any rating agency to our outlook or credit rating could negatively affect the value of both our debt and equity securities and increase our borrowing costs. If our credit ratings are downgraded or other negative action is taken, the interest rates payable by us under our indebtedness may increase, and our ability to obtain additional financing in the future on favorable terms or at all could be adversely affected.
Changes in tax laws, exposure to unanticipated additional tax liabilities, or implementation of reporting or record-keeping obligations could have a material adverse effect on our business.
An increasing number of U.S. states, the U.S. federal government, and governments of foreign jurisdictions, such as the EU Commission, as well as international organizations, such as the Organization for Economic Co-operation and Development (“OECD”), are focused on tax reform and other legislative or regulatory action to increase tax revenue. These actions may
materially and adversely affect our effective tax rate, net income, and cash flows.
Specifically, the OECD has published model rules and is coordinating negotiations among participating countries with the goal of achieving consensus on significant changes to international tax rules, including the implementation of a global minimum tax rate of 15%, commonly referred to as Pillar Two. Each individual jurisdiction will need to enact minimum tax legislation which may result in various interpretations of the OECD model rules and applicable timelines. Certain countries in which we do business have enacted implementing legislation effective January 1, 2024. As additional jurisdictions enact similar legislation, transition rules expire, and other provisions of the minimum tax legislation become effective, our effective tax rate and cash tax payments could increase in future years. The impact will depend on several factors including U.S. and foreign tax legislation as well as our overall tax profile. A number of details around the provisions are still uncertain as the OECD and individual jurisdictions continue to issue guidance.
The determination of our worldwide provision for income taxes and other tax liabilities requires estimation and significant judgment, and there are many transactions and calculations for which the ultimate tax determination is uncertain. We are currently undergoing a number of investigations, audits, and reviews by tax authorities in multiple U.S. and foreign tax jurisdictions. Any adverse outcome of any such audit or review could result in unforeseen tax-related liabilities that differ from the amounts recorded in our financial statements, which may, individually or in the aggregate, materially affect our financial results in the periods for which such determination is made. While we have established reserves based on assumptions and estimates that we believe are reasonable to cover such eventualities, these reserves may prove to be insufficient.
In addition, our future income taxes could be adversely affected by changes in our geographical mix of income and impacts of statutory tax rates; by changes in the valuation of our deferred tax assets and liabilities, including as a result of gains on our foreign exchange risk management program; by changes in tax laws, regulations, or accounting principles; or by certain discrete items.
A number of U.S. states, the U.S. federal government, and foreign jurisdictions have implemented and may impose reporting or record-keeping obligations on companies that engage in or facilitate e-commerce to improve tax compliance. A number of jurisdictions are also reviewing whether payment service providers and other intermediaries could be deemed to be the legal agent of merchants for certain tax purposes. We have modified our systems to meet applicable requirements and expect that further modifications will be required to comply with future requirements, which may negatively impact our customer experience and increase operational costs. Any failure by us to comply with these and similar reporting and record-keeping obligations could result in substantial monetary penalties and other sanctions, adversely impact our ability to do business in certain jurisdictions, and harm our business.
We may be unable to attract, retain, and develop the highly skilled employees we need to support our business.
Competition for key and other highly skilled personnel is intense, especially for executive talent, software engineers, and other technology talent. We may be limited in our ability to recruit or hire internationally, including due to restrictive laws or policies on immigration, travel, or availability of visas for skilled workers. The loss of the services of any of our key personnel, or our inability to attract, hire, develop, motivate and retain key and other highly qualified and diverse talent, whether in a remote or in-office environment, or protect the safety, health and productivity of our workforce could harm our overall business and results of operations.
We are subject to risks associated with information disseminated through our products and services.
We may be subject to claims relating to information disseminated through our online services by our customers and other third parties, including, but not limited to, claims alleging defamation, libel, harassment, hate speech, breach of contract, invasion of privacy, negligence, copyright or trademark infringement, or other theories based on the nature and content of the materials disseminated through the services. We may be subject to claims relating to information disseminated through our online services, including claims alleging defamation, libel, harassment, hate speech, breach of contract, invasion of privacy, negligence, copyright or trademark infringement, or other theories based on the nature and content of the materials disseminated through the services, among other things. We invest in measures intended to detect and block activities that may occur on our payments platform in violation of our policies and applicable laws. These measures require continuous improvement and may not be sufficiently effective in detecting and preventing the exchange of information in violation of our policies and applicable laws, which could negatively impact our business. If the laws or regulations that provide protections for online dissemination of information are invalidated, modified, or supplemented to reduce protections available to us, or to increase requirements on us to remove certain information or implement other processes, we could be harmed and may be forced to implement new measures to reduce our potential liability for information provided by our customers and carried on our products and services.
If the laws or regulations that provide protections for online dissemination of information are invalidated or are modified to reduce protections available to us and we become liable for information provided by our customers and carried on our products and services, we could be directly harmed and we may be forced to implement new measures to reduce our exposure, including expending substantial resources or discontinuing certain product or service offerings, which could harm our business. This increased risk could require us to expend substantial resources or discontinue certain product or service offerings, which could harm our business.
ITEM 1B. UNRESOLVED STAFF COMMENTS
None.
ITEM 1C. CYBERSECURITY
CYBERSECURITY RISK MANAGEMENT AND STRATEGY
Our Information Security Program is designed to support the Company in identifying, protecting, detecting, responding to, and recovering from cybersecurity threats and incidents (collectively, “cybersecurity risks”) with the intention to protect the confidentiality, integrity, and availability of our critical systems and information.
We design and regularly assess our Information Security Program guided by National Institute of Standards and Technology Cybersecurity Framework (NIST CSF) and ISO standards (including ISO 27001), proprietary controls and industry best practices.
The three lines of defense model is designed to provide a structure for risk management in the first line of defense (“FLOD”), monitoring and guidance by the second line of defense (“SLOD”), and independent audit by the third line of defense (“TLOD”). Our Office of the Chief Information Security Officer oversees the Company's information, cyber, and technology security. The Enterprise Risk Management Organization provides second line monitoring and guidance. The Technology and Information Security team serves as SLOD and provides independent oversight of our technology and cybersecurity risk mitigation practices and capabilities. As TLOD, Internal Audit independently assesses the effectiveness of our cybersecurity risk management and independently reports the results of audits to our ARC Committee to assist it in its oversight duties.
Our Information Security Program includes:
• Risk assessments designed to help identify material cybersecurity risks to our critical systems, information, products, services, and our broader enterprise Information Technology (“IT”) environment;
• Regular testing of our systems to identify and address potential vulnerabilities;
• Integrated planning and preparedness activities supporting business continuity and operational resiliency;
• Security teams principally responsible for managing (1) our annual cybersecurity risk assessment processes, (2) our security controls, and (3) our response to cybersecurity incidents;
• A cybersecurity incident response plan that includes procedures for responding to cybersecurity incidents;
• 24/7 monitoring and measurement of cybersecurity threats through our PayPal Cyber Defense Center (“CDC”);
• The use of external service providers, where appropriate, to assess, test or otherwise assist with aspects of our security controls;
• An information training and awareness program for our employees, contractors, incident response personnel, and senior management; and
• A third-party risk management framework designed to monitor and address risks from cybersecurity incidents of service providers, suppliers, and vendors that includes due diligence over third-party’s information security and technology control environment at onboarding and periodically throughout the lifecycle of the relationship. In addition, our standard contractual terms require notification and communication from third parties in the event of a cybersecurity incident. We maintain procedures to respond to, manage and mitigate third-party cybersecurity events and vulnerabilities when identified.
CYBERSECURITY GOVERNANCE
Our CISO is responsible for implementing the information security strategy, security engineering, enabling business partners, and securing customer data, digital assets, and payments. His organization also monitors cyber regulation requirements and reviews impacts of new products and initiatives. Our CISO has over two decades of experience as a cybersecurity professional, including as a CISO at PayPal and four other organizations including leading global financial services institutions and large scale U.S. government agencies (including within the Department of Defense). He has an extensive record of success shepherding digital transformation aligned with business goals, launching cybersecurity frameworks, building security engineering teams, ensuring protection of assets, data, privacy, and company reputation.
The ARC Committee reports to the Board regarding its activities, including those related to cybersecurity risk oversight. The Board also receives briefings at least annually from management on our Information Security Program. Board members receive presentations on cybersecurity topics from our CISO and external experts from time to time as part of our continuing education to the Board on topics relevant to their service as a member of our Board.
Our cybersecurity teams, in coordination with the CDC, supervise efforts to prevent, detect, mitigate, and remediate cybersecurity threats and incidents through the operation of our incident response plan and various other means, which may include briefings from internal security personnel, threat intelligence and other information obtained from governmental, public or private sources, including external consultants engaged by us, as well as alerts and reports produced by security tools deployed in the IT environment. The CDC team oversees, identifies, and addresses security threats aimed at safeguarding PayPal employees, consumers, and merchants.