ITEM 1A. RISK FACTORS.

An investment in our common stock involves a high degree of risk. You should carefully consider the following risk factors and other information included in this annual report on Form 10-K. If any of the following risks actually occur, our business, financial condition or results of operations could be materially and adversely affected, and you may lose some or all of your investment.

RISKS RELATED TO OUR BUSINESS

Loss of key resellers could reduce our revenue growth.

We rely on our reseller sales channel, which purchases and resells our end-to-end services to its own portfolio of merchant customers. This channel is a strong contributor to our revenue growth. If a reseller switches to another transaction processor, shuts down, becomes insolvent, or enters the processing business themselves, we may no longer receive new merchant referrals from the reseller, and we risk losing existing merchants that were originally enrolled by the reseller, all of which could negatively affect our revenues and earnings.

If our security applications are breached by cyberattacks or are not adequate to address changing market conditions and customer concerns, we may incur significant losses and be unable to sell our services.

Unauthorized parties have attempted, and we expect that they will continue to attempt, to gain access to our systems or facilities through various means, including, but not limited to, hacking into our systems or facilities or those of our customers, partners, or vendors, and attempting to fraudulently induce users of our systems, including employees and customers, into disclosing user names, passwords, payment information, or other sensitive information used to gain access to such systems or facilities. This information may in turn be used to access our customers’ personal or proprietary information and payment data that are stored on or accessible through our information technology systems and those of third parties with whom we partner. Numerous and evolving cybersecurity threats, including advanced and persisting cyberattacks, cyberextortion, distributed denial-of-service attacks, ransomware, spear phishing and social engineering schemes, the introduction of computer viruses or other malware, and the physical destruction of all or portions of our information technology and infrastructure and those of third parties with whom we partner could compromise the confidentiality, availability, and integrity of the data in our systems. We may experience in the future, breaches of our security measures due to human error, malfeasance, insider threats, system errors or vulnerabilities, or other irregularities.

Any cyberattacks or data security breaches affecting our information technology or infrastructure or of our customers, partners, or vendors could have negative effects. For example, on December 25, 2021, we detected a ransomware attack that accessed and encrypted a small portion of our information technology systems. The unauthorized access included the download of non-payment processing related data files from our externally hosted Office 365 environment which is separate from our payment processing environment. Throughout the incident, we remained operational. Promptly upon the detection of the event, we launched an investigation, notified law enforcement and our insurance carrier, and engaged legal counsel, computer forensic firms and other incident response professionals. We also implemented a series of containment and remediation measures to address this situation and reinforce the security of our information technology systems. Our systems were not only fully restored and capable of resuming normal operations to the extent they were impaired, but enhanced following our immediate and long term response. Further preventative and proactive security measures were integrated, including incremental network and cloud defenses, implementation of third party cyber defense applications, structured incident response and disaster recovery plans, along with advanced employee cyber security training. We actively pursue any potential actions that will improve our existing systems. This cyber event had no material impact on the business, and no cardholder, or payments related data was compromised. Our direct losses associated with the cyber incident and its response were largely covered by our cybersecurity insurance, except for a deductible.

Our use of applications designed for premium data security and integrity to process electronic transactions may not be sufficient to address changing market conditions or the security and privacy concerns of existing and potential customers. If our security applications are breached and sensitive data is lost or stolen, we could incur significant costs to not only assess and repair any damage to our systems, but also to reimburse customers for losses that occur from the fraudulent use of the data. We may also be subject to fines and penalties from the credit card associations or regulatory agencies in the event of the loss of confidential account information. Our insurance policies may not be adequate to compensate us for the potential costs and other losses arising from cybersecurity-related disruptions, failures, attacks or breaches. In addition, such insurance may not be available to us in the future on economically reasonable terms, or at all. Further, adverse publicity raising concerns about the safety or privacy of electronic transactions, or widely reported breaches of our or another provider's security, have the potential to undermine consumer confidence in the technology and could have a materially adverse effect on our business.

Our efforts to expand our product portfolio and market reach, including through acquisitions, may not succeed and may reduce our revenue growth and we may not achieve or maintain profitability.

Since 2014, we have completed a total of four acquisitions which have allowed us to expand our product offerings. For example, we acquired the assets of IMS, a business of electronic bill presentment, document composition, document decomposition and printing and mailing services serving hundreds of customers representing a wide range of industry verticals, including utilities and financial institutions on December 15, 2020. We also continue to invest in our established business lines and new markets, such as our payment facilitation, and prepaid card business. While we have grown the proportion of revenue from these newer products and services and we intend to continue to broaden the scope of products and services we offer, we may not be successful in maintaining or growing our current revenue streams or deriving any significant new revenue streams from these products and services. Failure to successfully broaden the scope of products and services that are attractive may inhibit our growth and harm our business. Furthermore, we expect to continue to expand our markets in the future, and we may have limited or no experience in such newer markets. We cannot assure you that any of our products or services will be widely accepted in any market or that they will continue to grow in revenue. Our offerings may present new and difficult technological, operational, regulatory, risks, and other challenges, and if we experience service disruptions, failures, or other issues, our business may be materially and adversely affected. Our expansion into newer markets may not lead to growth and may require significant management time and attention, and we may not be able to recoup our investments in a timely manner or at all. If any of this were to occur, it could damage our reputation, limit our growth, and materially and adversely affect our business.

We may need additional financing in the future. We may be unable to obtain additional financing or if we obtain financing it may not be on terms favorable to us. You may lose your entire investment.

Based on our current plans, we believe our existing cash and cash equivalents and cash flow from operations will be sufficient to fund our operating expense and capital requirements for at least 12 months, although we may need funds in the future. At December 31, 2023 we had $7.2 million of cash and cash equivalents, and for the year ended December 31, 2023, operating activities provided $14.9 million. At December 31, 2022 we had $5.7 million of cash and cash equivalents, and for the year ended December 31, 2022, we used $17.0 million in operating activities. After adjusting for the impact of operating lease right-of-use assets, operating lease liabilities, prepaid card load obligations and merchant reserves included in the statement of cash flows, net cash provided by adjusted operating activities, was $2.8 million for the year ended December 31, 2023. Adjusted operating cash flow is viewed by the company as a superior indicator of the Company's operating performance and ability to fund acquisitions, capital expenditures and other investments and, in the absence of refinancing options, to repay debt obligations. However, after adjusting for the impact of operating lease right-of-use assets, operating lease liabilities, prepaid card load obligations and merchant reserves included in the statement of cash flows, net cash provided by adjusted operating activities, was $0.7 million for the year ended December 31, 2022. Adjusted operating cash flow is viewed by the company as a superior indicator of the Company's operating performance and ability to fund acquisitions, capital expenditures and other investments and, in the absence of refinancing options, to repay debt obligations. Refer to Item 7, under the subsection "Management's Discussion and Analysis of Financial Condition and Results of Operations - Key Business Metrics - Non-GAAP Financial Measures" for our reconciliation of operating cash flows to adjusted operating cash flows. If our capital resources are insufficient to meet future capital requirements, we will have to raise additional funds by selling assets, borrowing money from a third party, or by selling debt or equity securities. If we are unable to obtain additional funds on terms favorable to us, we may be required to cease or reduce our operating activities. If we must cease or reduce our operating activities, you may lose your entire investment.

Unauthorized disclosure of cardholder data, whether through breach of our computer systems or otherwise, could expose us to liability and protracted and costly litigation.

We collect and store personal identifiable information about our cardholders, including names, addresses, social security numbers, driver’s license numbers and account numbers, and maintain a database of cardholder data relating to specific transactions, including account numbers, in order to process transactions and prevent fraud. As a result, we are required to comply with the privacy provisions of the Gramm-Leach-Bliley Act, various other federal and state privacy statutes and regulations, and the Payment Card Industry Data Security Standard, each of which is subject to change at any time. Compliance with these requirements is often difficult and costly, and our failure, or our distributors’ failure, to comply may result in significant fines or civil penalties, regulatory enforcement action, liability to our issuing banks and termination of our agreements with one or more of our issuing banks, each of which could have a material adverse effect on our financial position and/or operations. In addition, a significant breach could result in our Company being prohibited from processing transactions for any of the relevant card associations or network organizations, including Visa, Mastercard, American Express, Discover or regional debit networks, which would also have a significant material adverse impact on our financial position and/or operations.

Furthermore, if our computer systems are breached by unauthorized users, we may be subject to liability, including claims for unauthorized purchases with misappropriated bank card information, impersonation or similar fraud claims. We could also be subject to liability for claims relating to misuse of personal information, such as unauthorized marketing purposes, or failure to comply with laws governing notification of such breaches. These claims also could result in protracted and costly litigation. In addition, we could be subject to penalties or sanctions from the relevant card associations or network organizations.

If our efforts to protect the security of information about our customers, cardholders and vendors are unsuccessful, we may face additional costly government enforcement actions and private litigation, and our sales and reputation could suffer.

An important component of our business involves the receipt and storage of information about our cardholders and banking information. We have multiple programs and processes in place to detect and respond to data security incidents; however, because the techniques used to obtain unauthorized access, disable or degrade service, or sabotage systems change frequently and may be difficult to detect for long periods of time, we may be unable to anticipate these techniques or implement adequate preventive measures. In addition, hardware, software, or applications we develop or procure from third parties may contain defects in design or manufacture or other problems that could unexpectedly compromise information security. Unauthorized parties may also attempt to gain access to our systems or facilities, or those of third parties with whom we do business, through fraud, trickery, or other forms of deceiving our vendors, contractors, and employees. If we, our customers, or our vendors experience significant data security breaches or fail to detect and appropriately respond to significant data security breaches, we could be exposed to government enforcement actions and private litigation. In addition, our cardholders and customers could lose confidence in our ability to protect their information, which could cause them to discontinue using our services.

If we do not adapt to rapid technological change, including as a result of artificial intelligence, our business may fail.

Our success depends on our ability to develop new and enhanced services and related products that meet ever changing customer needs and industry standards. However, the market for our services is characterized by rapidly changing technology, evolving industry standards, emerging competition and frequent new and enhanced software, service and related product introductions. In addition, the software market is subject to rapid and substantial technological change. To remain successful, we must respond to new developments in hardware and semiconductor technology, operating systems, programming technology and computer capabilities. In many instances, new and enhanced services, products and technologies are in the emerging stages of development and marketing and are subject to the risks inherent in the development and marketing of new software, services and products. We may not successfully identify new service opportunities and develop and introduce new and enhanced services and related products to market in a timely manner. We may not successfully identify new service opportunities, develop and bring new and enhanced services and related products to market in a timely manner. Even if we do bring such services, products or technologies to market, they may not become commercially successful. Additionally, services, products or technologies developed by others may render our services and related products noncompetitive or obsolete. If we are unable, for technological or other reasons, to develop and introduce new services and products in a timely manner in response to changing market conditions or customer requirements, our business may fail.

Business interruptions or systems failures may impair the availability of our websites, applications, products or services, or otherwise harm our business.

Our systems and operations and those of our service providers and partners have experienced from time to time, and may experience in the future, business interruptions or degradation because of distributed denial-of-service and other cyberattacks, insider threats, hardware and software defects or malfunctions, human error, earthquakes, hurricanes, floods, fires, and other natural disasters, public health crises (including pandemics), power losses, disruptions in telecommunications services, fraud, military or political conflicts, terrorist attacks, computer viruses or other malware, or other events. A catastrophic event that results in a disruption or failure of our systems or operations could result in significant losses and require substantial recovery time and significant expenditures to resume or maintain operations, which could have a material adverse impact on our business, financial condition, and results of operations. Additionally, some of our systems, including those of companies we have acquired, are not fully redundant, and our disaster recovery planning may not be sufficient for all possible outcomes or events. As a provider of payment solutions, we are subject to heightened scrutiny by regulators that may require specific business continuity, resiliency and disaster recovery plans, and rigorous testing of such plans, which may be costly and time-consuming to implement, and may divert our resources from other business priorities.

We have experienced, and expect to continue to experience, system failures, cyberattacks, unplanned outages, and other events or conditions from time to time that have and may interrupt the availability, or reduce or adversely affect the speed or functionality, of our products and services. These events could result in future losses of revenue. A prolonged interruption in the availability or reduction in the availability, speed, or functionality of our products and services could materially harm our business. Frequent or persistent interruptions in our services could permanently harm our relationship with our customers and partners and our reputation. Moreover, if any system failure or similar event results in damage to our customers or their business partners, they could seek significant compensation or contractual penalties from us for their losses, and those claims, even if unsuccessful, would likely be time-consuming and costly for us to address, and could have other consequences described in this “Risk Factors” section under the caption “If our security applications are breached by cyberattacks or are not adequate to address changing market conditions and customer concerns, we may incur significant losses and be unable to sell our services.”

We have undertaken and continue to undertake certain system upgrades and re-platforming efforts designed to improve the availability, reliability, resiliency, and speed of our platform. These efforts are costly and time-consuming, involve significant technical risk, and may divert our resources from new features and products, and there can be no guarantee that these efforts will be effective. Frequent or persistent site interruptions could lead to regulatory scrutiny, significant fines and penalties, and mandatory and costly changes to our business practices, and ultimately could cause us to lose existing licenses that we need to operate or prevent or delay us from obtaining additional licenses that may be required for our business.

We also rely on facilities, components, applications, and services supplied by third parties, including data center facilities and cloud data storage and processing services. From time to time, we have experienced interruptions in the provision of such facilities and services provided by these third parties. If these third parties experience operational interference or disruptions (including a cybersecurity incident), breach their agreements with us, or fail to perform their obligations and meet our expectations, our operations could be disrupted or otherwise negatively affected, which could result in customer dissatisfaction, regulatory scrutiny, and damage to our reputation and brands, and materially and adversely affect our business. While we maintain insurance policies intended to offset the financial impact we may experience from these risks, our coverage may be insufficient to compensate us for all losses caused by interruptions in our service as a result of systems failures and similar events.

In addition, any failure to successfully implement new information systems and technologies, or improvements or upgrades to existing information systems and technologies in a timely manner could have an adverse impact on our business, internal controls (including internal controls over financial reporting), results of operations, and financial condition.

Fraud by merchants or others could have an adverse effect on our operating results and financial condition.

We have potential liability for fraudulent bankcard, ACH and prepaid card transactions or credits initiated by merchants or others. Examples of merchant fraud include when a merchant knowingly uses a stolen or counterfeit bankcard, card number or bank account to record a false sales transaction, processes an invalid bankcard, or intentionally fails to deliver the merchandise or services sold in an otherwise valid transaction. Criminals are using increasingly sophisticated methods to engage in illegal activities such as counterfeit and fraud. While we have systems and procedures designed to detect and reduce the impact of fraud, we cannot assure the effectiveness of these measures. It is possible that incidents of fraud could increase in the future. Failure to effectively manage risk and prevent fraud would increase our chargebacks liability or cause us to incur other liabilities, including regulatory and association fines, penalties and harm to our reputation. Increases in chargebacks or other liabilities could have an adverse effect on our operating results and financial condition.

We rely on our relationship with the Automated Clearing House network, and if the Federal Reserve rules were to change, our business could be adversely affected.

We have contractual relationships with North American Banking Company, or NABC, Metropolitan Commercial Bank, and TransPecos Bank, which are Originating Depository Financial Institutions, or ODFI, in the ACH network. The ACH network is a nationwide batch-oriented electronic funds transfer system that provides for the interbank clearing of electronic payments for participating financial institutions. An ODFI is a participating financial institution that must abide by the provisions of the ACH Operating Rules and Guidelines. Through our relationships with Metropolitan Commercial Bank, TransPecos Bank, and NABC, we process payment transactions on behalf of our customers and their consumers by submitting payment instructions in a prescribed ACH format. Through our relationships with Fifth Third Bank, Metropolitan Commercial Bank, and NABC, we process payment transactions on behalf of our customers and their consumers by submitting payment instructions in a prescribed ACH format. We pay volume-based fees to TransPecos Bank, and NABC for debit and credit transactions processed each month, and pay fees for other transactions such as returns and notices of change to bank accounts. We pay volume-based fees to Metropolitan Commercial Bank, Fifth Third Bank, and NABC for debit and credit transactions processed each month, and pay fees for other transactions such as returns and notices of change to bank accounts. These fees are part of our agreed-upon cost structures with the banks. If the Federal Reserve rules were to introduce restrictions or modify access to the Automated Clearing House, our business could be materially adversely affected. Further, if one or all of Metropolitan Commercial Bank, TransPecos Bank, or NABC were to cancel our respective contract with the bank, our business could be materially affected. Further, if either, two or all four of Fifth Third Bank, Metropolitan Commercial Bank, and NABC were to cancel our respective contract with the bank, our business could be materially affected. At this time, we believe we could find and enter into additional agreements with other bank sponsors on similar contractual terms, but no assurances can be made.

If we lose key personnel or we are unable to attract, recruit, retain and develop qualified employees, our business, financial condition and results of operations may be adversely affected.

In order for us to successfully compete and grow, we must attract, recruit, retain and develop the necessary personnel who can provide the needed expertise and skills across the spectrum of our intellectual capital needs. The market for qualified personnel is highly competitive and we may not be successful in recruiting qualified personnel for needed skill sets or replacing current personnel who leave us. Failure to retain or attract key personnel and skill sets could have a material adverse effect on our business, financial condition and results of operations.

If our third-party card processing providers or our bank sponsors fail to comply with the applicable requirements of Visa, Mastercard and Discover credit card associations or if our current processors cancel or fail to renew our contracts, we may have to find a new third-party processing provider, which could increase our costs.

Substantially all of the card-based transactions we process involve the use of Visa, Mastercard or Discover credit cards. In order to provide payment-processing services for Visa, Mastercard and Discover transactions, we must be sponsored by a financial institution that is a principal member of the respective Visa, Mastercard and Discover card associations. Both Central Bank of St. Louis and Wells Fargo Bank have sponsored us under the designations Third Party Processor, or TPP, and Independent Sales Organization, or ISO, with the Visa card association, and under the designations Third Party Servicer, or TPS, and Merchant Service Provider, or MSP, with the Mastercard card association. We have agreements with TriSource Solutions, LLC, Card Connect / First Data Merchant Services Corp. and Global Payments Inc. through which their member banks, Central Bank of St. Louis and Wells Fargo Bank, sponsor us for membership in the Visa and Mastercard card associations, and settle card transactions for our merchants. If our third-party processing provider, TriSource Solutions, Card Connect or Global Payments, or our bank sponsors, Central Bank of St. Louis, Wells Fargo Bank, TransPecos Bank, CBW Bank or Evolve Bank & Trust fail to comply with the applicable requirements of the Visa, Mastercard, and Discover card associations, Visa, Mastercard or Discover could suspend or terminate the registration of our third-party processing provider. Also, our contracts with both of these third parties are subject to cancellation upon limited notice by either party. The cancellation of either contract, termination of their registration or any changes in the Visa, Mastercard or Discover rules that would impair the registration of our third-party processing provider could require us to stop providing such payment processing services if we are unable to enter into a similar agreement with another provider or sponsor at similar costs and upon similar contractual terms. Additionally, changing our bank sponsor could adversely affect our relationship with our merchants if the new sponsor provides inferior service or charges higher costs.

We may not be able to obtain and maintain sufficient insurance coverage.

We insure against a majority of business risks, including liability for cyber incidents, and for director and officer liability. D&O and cyber insurance especially are becoming increasingly challenging to purchase and maintain due to market factors. Premiums and deductibles have been increasing, sometimes dramatically, and some insurers are cutting back on the number of companies they insure, causing the supply of insurance to lag behind demand. As a result of these factors, we may not be able to maintain such insurance on acceptable terms or be able to secure coverage and the coverage of our existing insurance may not be sufficient to offset existing or future claims. A successful claim against us with respect to uninsured liabilities or in excess of insurance coverage could have a material adverse effect on our business, financial condition, and results of operations.

We have incurred substantial losses in the past and may incur additional losses in the future.

We reported a net loss of $0.5 million and $5.5 million for the years ended December 31, 2023 and December 31, 2022, respectively. Including these results, we have an accumulated deficit of $71.3 million at December 31, 2023. Our future operating results are not certain and we may incur future operating losses.

We may need to raise additional capital to pursue product development initiatives and to penetrate additional markets for the sale of our products in the future. We believe that we have access to capital resources through possible public or private equity offerings, debt financings, corporate collaborations or other means but we cannot assure you that we will be able to complete such a financing on terms acceptable to us or at all. We believe that we have access to capital resources through possible public or private equity offerings, debt financings, corporate collaborations or other means. If we are unable to secure additional capital, we may be required to curtail our research and development initiatives and take additional measures to reduce costs in order to conserve our cash in amounts sufficient to sustain operations and meet our obligations. These measures could cause significant delays in our efforts to expand our product offerings and customer base in the United States, which are critical to the realization of our business plan and to future operations.

We have recorded significant deferred tax assets, and we might never realize their full value, which would result in a charge against our earnings.

As of December 31, 2023, we had deferred tax assets of $1.5 million. Realization of our deferred tax assets is dependent upon our generating sufficient taxable income in future years to realize the tax benefit from those assets. Deferred tax assets are reviewed at least annually for realizability. A charge against our earnings would result if, based on the available evidence, it is more likely than not that some portion of the deferred tax asset will not be realized beyond our existing valuation allowance. This could be caused by, among other things, deterioration in performance, adverse market conditions, adverse changes in applicable laws or regulations, including changes that restrict the activities of or affect the solutions sold by our business and a variety of other factors.

If a deferred tax asset net of our valuation allowance was determined to be not realizable in a future period, the charge to earnings would be recognized as an expense in our results of operations in the period the determination is made. Additionally, if we are unable to utilize our deferred tax assets, our cash flow available to fund operations could be adversely affected.

Depending on future circumstances, it is possible that we might never realize the full value of our deferred tax assets. Any future impairment charges related to a significant portion of our deferred tax assets would have an adverse effect on our financial condition and results of operations.

Our prepaid card revenues from the sale of services to merchants that accept Mastercard cards are dependent upon our continued Mastercard registration and financial institution sponsorship and, in some cases, continued participation in certain payment networks.

In order to provide processing services for our Mastercard prepaid card program, we must be either a member of a payment network or be registered as a prepaid processor of Mastercard. Sunrise Banks, N.A. has sponsored us under the designations Third Party Servicer, or TPS, and Merchant Service Provider, or MSP, with the Mastercard card association. Registration as a prepaid processor is dependent upon our being sponsored by member clearing banks. If our sponsor bank should stop providing sponsorship for us, we would need to find another financial institution to provide those services or we would need to be a member, either of which could prove to be difficult and/or more expensive. If our sponsor banks should stop providing sponsorship for us, we would need to find another financial institution to provide those services or we would need to be a member, either of which could prove to be difficult and/or more expensive. If we are unable to find a replacement financial institution to provide sponsorship or become a member of the association, we may no longer be able to provide prepaid processing services to our Mastercard customers, which would negatively impact our revenues and earnings.

If we fail to comply with the applicable requirements of the respective card networks, they could seek to fine us, suspend us or terminate our registrations.

In order to provide our transaction processing services, we are registered with Visa, Mastercard and Discover as service providers and transaction processors for member institutions and with other networks. As such, we are subject to card association and network rules that could subject us to a variety of fines or penalties that may be levied by the card networks for certain acts or omissions. The rules of the card networks are set by their boards, which may be influenced by banks that own their stock and, in the case of Discover by the card’s issuers, and some of those banks and issuers are our competitors with respect to these processing services. The termination of our registrations or our status as a service provider or transaction processor, or any changes in card association or other network rules or standards, including interpretation and implementation of the rules or standards, that increase the cost of doing business or limit our ability to provide transaction processing services to our customers, could have a material adverse effect on our business, operating results and financial condition. If a merchant or one of our resellers fails to comply with the applicable requirements of the card associations and networks, it could be subject to a variety of fines or penalties that may be levied by the card associations or networks. If we cannot collect such amounts from the applicable merchant or one of our resellers, we could end up bearing such fines or penalties, resulting in lower earnings for us.

If we fail to comply with complex and expanding consumer protection regulations, our business could be adversely affected.

The establishment of the federal Consumer Financial Protection Bureau, or CFPB, will likely expose us to increased regulatory oversight and possibly more burdensome regulation that could have an adverse impact on our revenue and profits. For example, on October 5, 2016, the CFPB issued a final rule to regulate certain prepaid accounts, or the Prepaid Account Rule. On October 5, 2016, the CFPB issued a final rule to regulate certain prepaid accounts, or the Prepaid Account Rule. The Prepaid Account Rule mandates, among other things, extensive pre-purchase and post-purchase disclosures, expanded electronic billing statements, adherence to certain overdraft regulations for prepaid accounts that permit negative balances, and public posting of account agreements and submission to the CFPB which will then publish them on its website. The Prepaid Account Rule took effect on April 1, 2019, subject to certain exceptions. On January 25, 2018, the CFPB announced certain changes to the Prepaid Account Rule, including allowing the error resolution and liability limitations protections to apply prospectively, after a consumer’s identity has been verified, and providing more flexibility to credit cards linked to digital wallets. On February 27, 2019, the CFPB also announced a streamline electronic submission system, or Collect, for prepaid account issuers to submit their prepaid account agreements, including fee information, to the CFPB. All prepaid account agreements offered as of April 1, 2019 must be uploaded to Collect by May 1, 2019. Thereafter, prepaid account issuers must make a submission to the CFPB within 30 days after a new agreement is offered, a previously submitted agreement is amended, or a previously submitted agreement is no longer offered. Compliance with existing and new obligations as result of further expanding consumer protections regulations, could result in increased compliance costs for us, our issuing banks and our distributors, and may therefore have a negative impact on the profitability of our business.

We are subject to extensive and complex federal and state regulation and new regulations and/or changes to existing regulations could adversely affect our business.

As an agent of, and third-party service provider to, our issuing banks, we are subject to indirect regulation and direct audit and examination by the Office of Thrift Supervision, the Office of the Comptroller of the Currency, the Board of Governors of the Federal Reserve System, or the FRB, and the Federal Deposit Insurance Corporation.

On March 23, 2010, the FRB issued a final rule implementing Title IV of the Credit Card Accountability, Responsibility, and Disclosure Act of 2009, or CARD Act, which imposes requirements relating to disclosures, fees and expiration dates that are generally applicable to gift certificates, store gift cards and general-use prepaid cards. We believe that our general-purpose re-loadable prepaid cards, and the maintenance fees charged on our general-purpose re-loadable cards, are exempt from the requirements under this rule, as they fall within an express exclusion for cards which are re-loadable and not marketed or labeled as a gift card or gift certificate. However, this exclusion is not available if the issuer, the retailer selling the card to a consumer or the program manager, promotes, even if occasionally, the use of the card as a gift card or gift certificate. As a result, we provide retailers with specific instructions and policies regarding the display and promotion of our general-purpose re-loadable cards. However, it is possible that despite our instructions and policies to the contrary, a retailer engaged in offering our general-purpose re-loadable cards to consumers could take an action with respect to one or more of the cards that would cause each similar card to be viewed as being marketed or labeled as a gift card, such as by placing our general-purpose re-loadable cards on a display which prominently features the availability of gift cards and does not separate or otherwise distinguish our general purpose re-loadable cards from the gift cards. In such event, it is possible that such general-purpose re-loadable cards would lose their eligibility for such exclusion to the CARD Act and its requirements, and therefore could be deemed to be in violation of the CARD Act and the rule, which could result in the imposition of fines, the suspension of our ability to offer our general-purpose re-loadable cards, civil liability, criminal liability, and the inability of our issuing banks to apply certain fees to our general-purpose re-loadable cards, each of which would likely have a material adverse impact on our revenues.

In 2014, we resumed issuing gift cards. Any gift cards we issue will be governed by the CARD act and other various regulations. Any violations with our gift card issuance could result in the imposition of fines, the suspension of our ability to offer our gift cards, civil liability, criminal liability, and the inability of our issuing banks to apply certain fees to our gift cards, each of which would likely have a material adverse impact on our revenues.

As the laws applicable to our business, and those of our distributors and issuing banks, change frequently, are often unclear and may differ or conflict between jurisdictions, ensuring compliance has become more difficult and costly. Any failure, or perceived failure, by us, our issuing banks or our distributors to comply with all applicable statutes and regulations could result in fines, penalties, regulatory enforcement actions, civil liability, criminal liability, and/or limitations on our ability to operate our business, each of which could significantly harm our reputation and have a material adverse impact on our business, results of operations and financial condition.

State and federal legislatures and regulatory authorities have become increasingly focused upon the regulation of the financial services industry and continue to adopt new legislation which could result in significant changes in the regulatory landscape for financial institutions, which could include our bank sponsors, and other financial services companies, such as our Company.

If our software fails, and we need to repair or replace it, or we become subject to warranty claims, our costs could increase.

Our software products could contain errors or “bugs” that could adversely affect the performance of services or damage a user’s data. We attempt to limit our potential liability for warranty claims through technical audits and limitation-of-liability provisions in our customer agreements; however, these measures may not be effective in limiting our exposure to warranty claims. We have not experienced a significant increase in software errors or warranty claims. Despite the existence of various security precautions, our computer infrastructure may also be vulnerable to viruses or similar disruptive problems caused by our customers or third parties gaining access to our processing system.

We depend on the efficient and uninterrupted operation of our computer network systems, software, data center and telecommunications networks, as well as the systems and services of third parties. Our systems and operations or those of our third-party providers could be exposed to damage or interruption from, among other things, fire, natural disaster, power loss, telecommunications failure, terrorist acts, war, unauthorized entry, human error, and computer viruses or other defects. Defects in our systems or those of third parties, errors or delays in the processing of payment transactions, telecommunications failures or other difficulties could result in loss of revenue, loss of merchants, loss of merchant and cardholder data, harm to our business or reputation, exposure to fraud losses or other liabilities, negative publicity, additional operating and development costs, and/or diversion of technical and other resources. We perform the majority of our disaster recovery operations ourselves, though we utilize select third parties for some aspects of recovery. To the extent we outsource our disaster recovery, we are at risk of the vendor’s unresponsiveness in the event of breakdowns in our systems.

Our card programs are subject to strict regulation under federal law regarding anti-money laundering and anti-terrorist financing. Failure to comply with such laws, or abuse of our card programs for purposes of money laundering or terrorist financing, could have a material adverse impact on our business.

Provisions of the USA PATRIOT Act, the Bank Secrecy Act and other federal law impose substantial regulation of financial institutions designed to prevent use of financial services for purposes of money laundering or terrorist financing. Increasing regulatory scrutiny of our industry with respect to money laundering and terrorist financing matters could result in more aggressive enforcement of such laws or more onerous regulation, which could have a material adverse impact on our business. In addition, abuse of our prepaid card programs for purposes of money laundering or terrorist financing, notwithstanding our efforts to prevent such abuse through our regulatory compliance and risk management programs, could cause reputational risk or other harm that would have a material adverse impact on our business.

Effective September 27, 2011, the Financial Crimes Enforcement Network of the U.S. Department of the Treasury, or FinCEN, issued a final rule regarding the applicability of the Bank Secrecy Act’s anti-money laundering provisions to prepaid products and other matters related to the regulation of money services businesses. This rule created additional obligations for entities, including our distributors, engaged in the provision and sale of certain prepaid products, including our prepaid debit cards, such as the obligation for sellers of prepaid debit cards to obtain identification information from the purchaser at the point-of-sale. Compliance with these obligations may result in increased compliance costs for us, our issuing banks and our distributors, and may therefore have a negative impact on the profitability of our business.

We will be liable for separation payments in case of change in control, termination without cause, non-renewal of the agreement, death, or disability under the employment agreement with our Chairman, President, Chief Executive Officer, and Chief Operating Officer, Mr. Hoch, which could have an adverse effect on our cash position and on our financial results.

Pursuant to our employment agreement, as amended, with Louis Hoch, Chairman, President, Chief Executive Officer, and Chief Operating Officer, in the event of change in control, termination without cause, termination by employee, or non-renewal of the employment agreement, we will be liable for separation payments, equaling an amount of (a) 2.95 times the respective base salary and bonus payments, plus (b) a pro rata portion of the respective annual bonus based on the number of days elapsed in the year prior, plus (c) 2.0 times the respective base salary for non-competition, and (d) continuing other benefits. We estimate the cash disbursements over time to be $4.0 million for the agreement with Mr. Hoch.

In the case of termination of the agreement due to death of the executive, we will be liable for separation payments, equaling an amount of 2.95 times the respective base salary. The deferred compensation does not include amounts paid or accrued to executive for bonuses or bonus compensation, benefits or equity awards. Unpaid and unearned bonus compensation or bonus deferred compensation is forfeited. No deferred compensation will be due as long as we and/or an insurance company continues to pay executive’s base salary, minus any monthly base salary already paid to the executive prior to his death pursuant to the executive’s disability, to the executive’s estate for a period of up to 36 months. If these continuing payments cease before 36 months, we will have to pay the executive’s estate the deferred compensation minus any base salary payments within 30 days of the cessation. We estimate the cash disbursements over time to be approximately $2.4 million for the agreement with Mr. Hoch. Further, all stock options issued to the executive and all restricted stock granted to executive shall continue on their established vesting schedule.

In the case of termination of the agreement due to disability without death, we will be liable for separation payments, equaling an amount of disability benefits constituting base salary for three years. We estimate the cash disbursement over time to be $2.4 million for the agreement with Mr. Hoch. Unpaid and unearned bonus compensation or bonus deferred compensation is forfeited. Further, all stock options issued to the executive and all restricted stock granted to executive shall continue on their established vesting schedule. No further compensation will be due for compliance with the agreements’ non-compete, non-solicitation and disparagement clauses.

Depending on when such an event might occur, it could have a substantial adverse effect on our operating capital and cash on hand. If our cash position is not sufficient, we may need to raise additional cash which could involve selling equity securities which would dilute our shareholders. In addition, the loss of our Chairman or Chief Executive Officer may adversely affect our business and results of operations.

We are subject to the privacy requirements of the California Consumer Privacy Act.

The California Consumer Privacy Act of 2018, or CCPA, went into effect on January 1, 2020. The CCPA imposes expansive data privacy and data protection requirements for the data of California residents, and provides for significant penalties for non-compliance. The CCPA underwent multiple amendments prior to coming into effect and while enforcement actions may not be brought by the California attorney general until July 1, 2020 it remains unclear how various provisions of the CCPA will be interpreted and enforced. Further, on November 3, 2020, the California voters passed the California Privacy Rights and Enforcement Act, or CPRA, which replaces the CCPA effective January 1, 2023. The CPRA alters the scope of covered businesses, adds a new category of sensitive personal information and grants certain consumer rights, such as a right to opt out and a right to delete. The effects of this legislation potentially are far-reaching, however, and may require us to modify our data processing practices and policies and to incur substantial costs and expenses in an effort to achieve compliance. The CCPA and the CPRA impose obligations that are new and burdensome, and we may face challenges in addressing their requirements and making necessary changes to our policies and practices and may incur significant expenses in an effort to do so. Any failure, real or perceived, by us to comply with evolving regulatory requirements, interpretations, or orders, other local, state, federal, or international privacy, data protection, information security, or consumer protection-related laws and regulations, could cause our customers unease and materially and adversely affect our business.

We depend on Louis A. Hoch, our Chairman, President, Chief Executive and Chief Operating Officer, and if he ceased to be active in our management, our business may not be successful.

Our success depends to a significant degree upon the continued contributions of our key management, marketing, service and related product development and operational personnel, including our President and Chief Executive and Chief Operating Officer, Louis A. Hoch. We entered into an employment agreement with Mr. Hoch in February 2007 and update his agreement as changes are required. The terms of the agreement prohibit the executive from competing with us for a period of two years from the executive’s date of termination. Our business may not be successful if, for any reason, Mr. Hoch ceases to be active in our management.

Risks associated with reduced levels of consumer spending could adversely affect our revenues and earnings.

Significant portions of our revenue and earnings are derived from fees from processing consumer ACH, prepaid, credit, and debit card transactions. We are exposed to general economic conditions that affect consumer confidence, consumer spending, consumer discretionary income or changes in consumer purchasing habits. A general reduction in consumer spending in the United States or in any other country where we do business could adversely affect our revenues and earnings. Please also refer to "General Risk Factors" in this Item 1A in this Annual Report on Form 10-K

We are subject to risks and write-offs resulting from fraudulent activities and losses from overdrawn cardholder accounts that could adversely impact our financial performance and results of operations.

Our prepaid cards expose us to threats involving the misuse of such cards, collusion, fraud, identity theft and systemic attacks on our systems. Although a large portion of fraudulent activity is addressed through the charge-back systems and procedures maintained by the card association networks, we are often responsible for other losses due to merchant and cardholder fraud. No system or procedures established to detect and reduce the impact of fraud are entirely effective. We recorded fraud losses of $573,281 and $299,162, respectively, in 2023 and 2022. We experienced an increase in fraudulent accounts in 2023 as a result of growth in our prepaid card business of 105%. We recorded fraud losses of $299,162 and $136,608, respectively, in 2022 and 2021. We experienced an increase in fraudulent accounts in 2022 as a result of massively expanding prepaid growth. Although we actively devote efforts to effectively manage risk and prevent fraud, we could nevertheless experience future increases in fraud losses over our historical experience.

Our prepaid cardholders can in some circumstances incur charges in excess of the funds available in their accounts and are liable for the resulting overdrawn account balance. Although we generally decline authorization attempts for amounts that exceed the available balance in a prepaid cardholders account, the application of the card association networks’ rules and regulations, the timing of the settlement of transactions and the assessment of subscription, maintenance or other fees can, among other things, result in overdrawn card accounts.

Although we maintain reserves for fraud and other losses, our exposure to these types of risks may exceed our reserve levels for a variety of reasons, including our failure to predict the actual recovery rate, failure to effectively manage risk and failure to prevent fraud. Accordingly, our business, results of operations and financial condition could be materially and adversely affected to the extent that we incur losses resulting from overdrawn cardholder accounts and fraudulent activity that exceed our designated reserves or if we determine that it is necessary to increase our reserves substantially in order to address any increased recovery risk.

Our business strategy includes identifying businesses and assets to acquire, and if we cannot integrate acquisitions into our company successfully, we may have limited growth.

Our success partially depends upon our ability to identify and acquire undervalued businesses and merchant portfolios within our industry. Although we believe that there are companies and portfolios available for potential acquisition that might offer attractive business opportunities, we may not be able to make any acquisitions, and if we do make acquisitions, they may not be profitable. As a result, our business may not grow and regain profitability.

Acquisitions may involve significant cash expenditures, debt issuances, equity issuances, operating losses and expenses. Acquisitions involve numerous other risks, including:

If we do not manage our credit risks related to our merchant accounts, we may incur significant losses.

We rely on the Federal Reserve’s Automated Clearing House system for electronic fund transfers and the Visa, Mastercard and Discover associations for settlement of payments by credit or debit card on behalf of our merchant customers. In our use of these established payment clearance systems, we generally bear the credit risks arising from returned transactions caused by insufficient funds, stop payment orders, closed accounts, frozen accounts, unauthorized use, disputes, customer chargebacks, theft or fraud. Consequently, we assume the credit risk of merchant disputes, fraud, insolvency or bankruptcy in the event we attempt to recover funds related to such transactions from our customers. We have not experienced a significant increase in the rate of returned transactions or incurred any losses with respect to such transactions. We utilize a number of systems and procedures to manage and limit credit risks, but if these actions are not successful in managing such risks, we may incur significant losses.

We have adopted certain measures that may make it more difficult for a third party to acquire control of our Company.

Our Board of Director members are classified into three classes of directors serving staggered three-year terms. Such classification of the Board of Directors expands the time required to change the composition of the majority of directors and may discourage a proxy contest or other takeover bid for our company.

RISKS RELATED TO OUR INDUSTRY

The electronic commerce market is evolving and if it does not grow, we may not be able to sell sufficient services to make our business viable.

The electronic commerce market is a service industry that continues to grow significantly. If the electronic commerce market fails to grow or grows slower than anticipated, or if we, despite an investment of significant resources, are unable to adapt to meet changing customer requirements or technological changes in this emerging market, or if our services and related products do not maintain a proportionate degree of acceptance in this growing market, our business may not grow and could even fail. Additionally, the security and privacy concerns of existing and potential customers may inhibit the growth of the electronic commerce market in general, and our customer base and revenues, in particular. Similar to the emergence of the credit card and automatic teller machine industries, we and other organizations serving the electronic commerce market must educate users that electronic transactions use encryption technology and other electronic security measures that make electronic transactions more secure than paper-based transactions.

Changes in regulation of electronic commerce and related financial services industries could increase our costs and limit our business opportunities.

We believe that we are not required to be licensed by the Office of the Comptroller of the Currency, the Federal Reserve Board, or other federal or state agencies that regulate or monitor banks or other types of providers of electronic commerce services. It is possible that a federal or state agency will attempt to regulate providers of electronic commerce services, which could impede our ability to do business in the regulator's jurisdiction. Our business has also been affected by anti-terrorism legislation, such as the USA PATRIOT Act. Banking-related provisions of the USA PATRIOT Act have been implemented as additions to the banking rules regarding monetary instrument sales record keeping requirements and tracking of cash movements. In our capacity as an agent for Sunrise Banks, N.A., the issuing bank for our prepaid card programs and in our capacity as an agent for Metropolitan Commercial Bank, NABC and TransPecos Bank, the sponsoring banks for our ACH services, we are required to comply with these rules. We are also required to implement a Customer Identification Program and establish an Anti-Money Laundering program and to report any suspected money laundering to the appropriate agencies. Our compliance with such regulations increases our responsibilities and costs associated with the administration of our debit card programs. We are also subject to various laws and regulations relating to commercial transactions, such as the Uniform Commercial Code, and may be subject to the electronic funds transfer rules embodied in Regulation E, promulgated by the Federal Reserve Board. Given the expansion of the electronic commerce market, the Federal Reserve Board might revise Regulation E or adopt new rules for electronic funds transfer affecting users other than consumers. Because of growth in the electronic commerce market, Congress has held hearings on whether to regulate providers of services and transactions in the electronic commerce market. It is possible that Congress or individual states could enact laws regulating the electronic commerce market. If enacted, such laws, rules and regulations could be imposed on our business and industry and could increase our costs or limit our business opportunities.

If we cannot compete successfully in our industry, we could lose market share and our costs could increase.

Portions of the electronic commerce market are becoming increasingly competitive. We expect to face growing competition in all areas of the electronic payment processing market. New companies could emerge and compete for merchants of all sizes. We expect competition to increase from both established and emerging companies and that such increased competition could lower our market share and increase our costs. Moreover, our current and potential competitors, many of whom have greater financial, technical, marketing and other resources than us, may respond more quickly than us to new or emerging technologies or could expand to compete directly against us in any or all of our target markets. Accordingly, it is possible that current or potential competitors could rapidly acquire market share. We may not be able to compete against current or future competitors successfully. Additionally, competitive pressures may increase our costs, which could lower our earnings, if any.

RISKS RELATED TO OUR COMMON STOCK

Our stock price is volatile, and you may not be able to sell your shares at a price higher than what you paid.

The market for our common stock is highly volatile. In 2023, our stock price fluctuated between $1.45 and $2.36. The trading price of our common stock could be subject to wide fluctuations in response to, among other things, quarterly variations in operating and financial results, announcements of technological innovations or new products by our competitors or us, changes in prices of our products and services or our competitors' products and services, changes in product mix, or changes in our revenue and revenue growth rates.

If security or industry analysts publish reports that are interpreted negatively by the investment community, publish negative research reports about our business, cease coverage of our company or fail to regularly publish reports or us, our share price could decline.

The trading for our common stock depends, to some extent, on the research and reports that security or industry analyst publish about us, our business, our market and our competitors. We do not have any control over these analysts or the information contained in their reports. If one or more analysts publish reports that are interpreted negatively by the investment community or have a negative tone about our business, financial or operating performance or industry, our share price could decline. In addition, if a majority of our analysts cease coverage of our company or fail to regularly publish reports on us, we could lose visibility in the financial markets, which could cause our share price to decline.

Additional stock issuances could result in significant dilution to our stockholders.

We may issue additional equity securities to raise capital, make acquisitions or for a variety of other purposes. Any such stock issuances will result in dilution to existing holders of our stock. We rely on equity-based compensation as an important tool in recruiting and retaining employees. The amount of dilution due to future equity-based compensation issued to our employees and other additional issuances could be substantial.

Pursuant to our 2015 Equity Incentive Plan (the “2015 Plan”), our management is authorized to grant stock options to our employees, directors and consultants. There are 5,000,000 shares of Common Stock reserved for issuance under the 2015 Plan. Additionally, the number of shares of our Common Stock reserved for issuance under our 2015 Plan automatically increases on January 1 of each year, beginning on January 1, 2022, and continuing through and including January 1, 2031, by 5% of the total number of shares of our capital stock outstanding on December 31 of the preceding calendar year (determined on an as-converted to voting common stock basis, without regard to any limitations on the conversion of the non-voting common stock), or a lesser number of shares determined by our board of directors. As of December 31, 2023, we had granted awards under the 2015 Plan for 7,889,455 shares of Common Stock and have 5,510,845 shares still reserved.

In addition, pursuant to our 2023 Employee Stock Purchase Plan (“ESPP”), we have reserved 2,500,000 shares of Common Stock. The number of shares of our Common Stock reserved for issuance automatically increases on January 1 of each calendar year, beginning on January 1, 2024 through December 31, 2033, by the lesser of (i) 1% of the total number of shares of our Common Stock outstanding on the last day of the fiscal year before the date of the automatic increase (determined on an as-converted to voting common stock basis); and (ii) such number of shares of Common Stock that would cause the aggregate number of shares of Common Stock then reserved for issuance under the ESPP to not exceed 2,500,000 shares. As of December 31, 2023, no shares of our Common Stock had been purchased pursuant to the ESPP.

Unless our board of directors elects not to increase the number of shares available for future grant pursuant to our 2015 Plan and ESPP each year, our stockholders may experience additional dilution, which could cause our stock price to fall.

We may issue additional equity securities, or engage in other transactions that could dilute our book value or affect the priority of our Common Stock, which may adversely affect the market price of our Common Stock.

Our articles of incorporation allow our Board to issue up to 200,000,000 shares of Common Stock. Our Board may determine from time to time that we need to raise additional capital by issuing Common Stock or other equity securities. Except as otherwise described in this Annual Report, we are not restricted from issuing additional securities, including securities that are convertible into or exchangeable for, or that represent the right to receive, shares of our Common Stock. Because our decision to issue securities in any future offering will depend on market conditions and other factors beyond our control, we cannot predict or estimate the amount, timing, or nature of any future offerings, or the prices at which such offerings may be affected. Additional equity offerings may dilute the holdings of our existing stockholders or reduce the market price of our Common Stock, or both. Holders of our Common Stock are not entitled to pre-emptive rights or other protections against dilution. New investors also may have rights, preferences and privileges that are senior to, and that adversely affect, the then-current holders of our Common Stock. Additionally, if we raise additional capital by making offerings of debt or shares of preferred stock, upon our liquidation, holders of our debt securities and shares of preferred stock, and lenders with respect to other borrowings, may receive distributions of our available assets before the holders of our Common Stock.

We may issue shares of preferred stock with greater rights than our Common Stock.

Subject to the rules of The Nasdaq Stock Market, our articles of incorporation authorize our board of directors to issue one or more series of preferred stock and set the terms of the preferred stock without seeking any further approval from holders of our Common Stock. Any preferred stock that is issued may rank ahead of our Common Stock in terms of dividends, priority and liquidation premiums and may have greater voting rights than our Common Stock.

We have not paid any cash dividends in the past and have no plans to issue cash dividends in the future, which could cause our Common Stock to have a lower value than that of similar companies which do pay cash dividends.

We have not paid any cash dividends on our Common Stock to date and do not anticipate any cash dividends being paid to holders of our Common Stock in the foreseeable future. Any determination to pay dividends in the future will be at the discretion of our Board.

While our dividend policy will be based on the operating results and capital needs of the business, it is anticipated that any earnings will be retained to finance our future expansion. As we have no plans to issue cash dividends in the future, our Common Stock could be less desirable to other investors and as a result, the value of our Common Stock may decline, or fail to reach the valuations of other similarly situated companies that pay cash dividends.

Shares eligible for future sale may depress our stock price.

As of March 22, 2024, we had 26,342,459 shares of Common Stock outstanding of which 4,992,659 shares were held by affiliates. All of the shares of Common Stock held by affiliates are restricted or control securities under Rule 144 promulgated under the Securities Act of 1933, as amended (the “Securities Act”). Sales of shares of Common Stock under Rule 144 or another exemption under the Securities Act or pursuant to a registration statement could have a material adverse effect on the price of our Common Stock and could impair our ability to raise additional capital through the sale of equity securities. Furthermore, all Common Stock beneficially owned by persons who are not our affiliates and have beneficially owned such shares for at least one year may be sold at any time by these existing stockholders in accordance with Rule 144 of the Securities Act. However, there can be no assurance that any of these existing stockholders will sell any or all of their Common Stock and there may be a lack of supply of, or demand for, our Common Stock on The Nasdaq Stock Market. In the case of a lack of supply of our Common Stock offered in the market, the trading price of our Common Stock may rise to an unsustainable level, particularly in instances where institutional investors may be discouraged from purchasing our Common Stock because they are unable to purchase a block of our Common Stock in the open market due to a potential unwillingness of our existing stockholders to sell the amount of Common Stock at the price offered by such investors and the greater influence individual investors have in setting the trading price. In the case of a lack of market demand for our Common Stock, the trading price of our Common Stock could decline significantly and rapidly after our listing.

Our directors and officers have substantial control over us.

Our directors and executive officers, together with their affiliates and related persons, beneficially owned, in the aggregate, approximately 19% of our outstanding Common Stock as of March 22, 2024. These stockholders have the ability to substantially control our operations and direct our policies including the outcome of matters submitted to our stockholders for approval, such as the election of directors and any acquisition or merger, consolidation or sale of all or substantially all of our assets.

GENERAL RISK FACTORS

Market conditions could negatively impact our business, results of operations, cash flows and financial condition.

The market in which we operate is affected by a number of factors that are largely beyond our control but can nonetheless have a potentially significant, negative impact on us. These factors include, among other things:

Changes in these factors are difficult to predict, and a change in one factor could affect other factors, which could result in adverse effects to our business, results of operations, financial condition, and cash flows.

The broader implications of the macroeconomic environment, including uncertainty around recent international conflicts including the Russia and Ukraine conflict, supply chain shortages, a recession globally or in markets in which we operate, higher inflation rates, higher interest rates, and other related global economic conditions, remain unknown. A deterioration in macroeconomic conditions could continue to increase the risk of lower consumer spending, merchant and consumer bankruptcy, insolvency, business failure, higher credit losses, or other business interruption, which may adversely impact our business. If these conditions continue or worsen, they could adversely impact our future financial and operating results.

ITEM 1B. UNRESOLVED STAFF COMMENTS.

Not Applicable.

ITEM 1C. CYBERSECURITY.

We recognize the importance of assessing, identifying, and managing material risks associated with cybersecurity threats, as such term is defined in Item 106(a) of Regulation S-K. These risks include, among other things: operational risks, intellectual property theft, fraud, extortion, harm to employees or customers and violation of data privacy or security laws.

Identifying and assessing cybersecurity risk is integrated into our overall risk management systems and processes. Cybersecurity risks related to our business, technical operations, privacy and compliance issues are identified and addressed through a multi-faceted approach including third party assessments, internal IT Audit, IT security, governance, risk and compliance reviews. To defend, detect and respond to cybersecurity incidents, we, among other things: conduct proactive privacy and cybersecurity reviews of systems and applications, audit applicable data policies, perform penetration testing using external third-party tools and techniques to test security controls, conduct employee training, monitor emerging laws and regulations related to data protection and information security (including our consumer products) and implement appropriate changes. Numerous and evolving cybersecurity threats, including advanced and persisting cyberattacks, cyberextortion, distributed denial-of-service attacks, ransomware, spear phishing and social engineering schemes, the introduction of computer viruses or other malware, and the physical destruction of all or portions of our information technology and infrastructure and those of third parties with whom we partner could compromise the confidentiality, availability, and integrity of the data in our systems.

We have implemented incident response and breach management processes which have four overarching and interconnected stages: 1) preparation for a cybersecurity incident, 2) detection and analysis of a security incident, 3) containment, eradication and recovery, and 4) post-incident analysis. Such incident responses are overseen by leaders from our Information Security, Network Administration, Compliance and Legal teams regarding matters of cybersecurity.

Security events and data incidents are evaluated, ranked by severity and prioritized for response and remediation. Incidents are evaluated to determine materiality as well as operational and business impact, and reviewed for privacy impact.

We also conduct tabletop exercises to simulate responses to cybersecurity incidents. Our team of cybersecurity professionals then collaborate with technical and business stakeholders across our business units to further analyze the risk to the company, and form detection, mitigation and remediation strategies.

As part of the above processes, we regularly engage external auditors and consultants to assess our internal cybersecurity programs and compliance with applicable practices and standards. As of 2023, our Information Security Management System has been certified to conform to SOC 2 Type 2 and PCI, and are working to conform to ISO 27001.

Our risk management program also assesses third party risks, and we perform third-party risk management to identify and mitigate risks from third parties such as vendors, suppliers, and other business partners associated with our use of third-party service providers. Cybersecurity risks are evaluated when determining the selection and oversight of applicable third-party service providers and potential fourth-party risks when handling and/or processing our employee, business or customer data. In addition to new vendor onboarding, we perform risk management during third-party cybersecurity compromise incidents to identify and mitigate risks to us from third-party incidents.

We describe whether and how risks from identified cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations, or financial condition, under the heading “If our security applications are breached by cyberattacks or are not adequate to address changing market conditions and customer concerns, we may incur significant losses and be unable to sell our services” included as part of our risk factor disclosures at Item 1A of this Annual Report on Form 10-K.

The Board of Directors is responsible for overseeing the Company’s enterprise risk, and has established its Risk and Cybersecurity Committee with specific responsibility for overseeing cybersecurity threats, among other things. The Company’s cybersecurity organization is led by the CTO, who is responsible for assessing and managing material risks from cybersecurity threats and reports to Usio’s CEO, CAO, and Legal team, as well as to the Risk and Cybersecurity Committee. The CTO has served in this role for 16 years, and more than 20 years with the Company developing, maintaining, and securing our corporate network and information technology systems. The CTO holds a bachelor's degree in Information Technology from the University of Texas at San Antonio with over 11 years of previous software and hardware systems engineering experience.

The CTO and the Cybersecurity Management Board monitor the prevention, mitigation, detection and remediation of cybersecurity incidents through their management of, and participation in, the cybersecurity risk management and strategy processes described above, including through the operation of the Company’s incident response plans, which include escalation to the CTO and the Cybersecurity Management Board, as appropriate. As discussed above, the CTO reports out to the Risk and Cybersecurity Committee about cybersecurity threat risks, among other cybersecurity related matters, at least quarterly.