Flywire Corp [FLYW] Filings

z

UNITED STATES

SECURITIES AND EXCHANGE COMMISSION

Washington, D.C. 20549

FORM 10-K

(Mark One)

For the fiscal year ended December 31, 2023

OR

Commission File Number 001-40430

FLYWIRE CORPORATION

(Exact name of registrant as specified in its charter)

Registrant’s telephone number, including area code: (617) 329-4524

Securities registered pursuant to Section 12(b) of the Act:

Securities registered pursuant to Section 12(g) of the Act: None

Indicate by check mark if the registrant is a well-known seasoned issuer, as defined in Rule 405 of the Securities Act. Yes ☒ No ☐

Indicate by check mark if the registrant is not required to file reports pursuant to Section 13 or 15(d) of the Act. Yes ☐ No ☒

Indicate by check mark whether the registrant: (1) has filed all reports required to be filed by Section 13 or 15(d) of the Securities Exchange Act of 1934 during the preceding 12 months (or for such shorter period that the registrant was required to file such reports), and (2) has been subject to such filing requirements for the past 90 days. Yes ☒ No ☐

Indicate by check mark whether the registrant has submitted electronically every Interactive Data File required to be submitted pursuant to Rule 405 of Regulation S-T (§232.405 of this chapter) during the preceding 12 months (or for such shorter period that the registrant was required to submit such files). Yes ☒ No ☐

Indicate by check mark whether the registrant is a large accelerated filer, an accelerated filer, a non-accelerated filer, smaller reporting company, or an emerging growth company. See the definitions of “large accelerated filer,” “accelerated filer,” “smaller reporting company,” and “emerging growth company” in Rule 12b-2 of the Exchange Act.

If an emerging growth company, indicate by check mark if the registrant has elected not to use the extended transition period for complying with any new or revised financial accounting standards provided pursuant to Section 13(a) of the Exchange Act. ☐

Indicate by check mark whether the registrant has filed a report on and attestation to its management’s assessment of the effectiveness of its internal control over financial reporting under Section 404(b) of the Sarbanes-Oxley Act (15 U.S.C. 7262(b)) by the registered public accounting firm that prepared or issued its audit report. ☒

If securities are registered pursuant to Section 12(b) of the Act, indicate by check mark whether the financial statements of the registrant included in the filing reflect the correction of an error to previously issued financial statements. ☐

Indicate by check mark whether any of those error corrections are restatements that required a recovery analysis of incentive-based compensation received by any of the registrant’s executive officers during the relevant recovery period pursuant to §240.10D-1(b). ☐

Indicate by check mark whether the registrant is a shell company (as defined in Rule 12b-2 of the Exchange Act). Yes ☐ No ☒

As of June 30, 2023, the last business day of the registrant’s mostly recently completed second fiscal quarter, the aggregate market value of the voting and non-voting common stock held by non-affiliates of the registrant was $3,367,883,922 based upon the closing sale price of our voting common stock of $31.04 per share on that date. The voting and non-voting common stock held by each officer and director and by each person known to own in excess of 5% of aggregate outstanding shares of our voting and non-voting common stock has been excluded in that such persons may be deemed to be affiliates. The determination of affiliate status is not necessarily a conclusive determination for other purposes.

As of February 23, 2024, the registrant had 120,954,994 shares of voting common stock, $0.0001 par value per share, outstanding and 1,873,320 shares of non-voting common stock $0.0001 par value per share, outstanding.

DOCUMENTS INCORPORATED BY REFERENCE

Table of Contents

SPECIAL NOTE REGARDING FORWARD-LOOKING STATEMENTS

This Annual Report on Form 10-K, as well as information included in oral statements or other written statements made or to be made by us, contains forward-looking statements within the meaning of Section 27A of the Securities Act of 1933, as amended, and Section 21E of the Securities Exchange Act of 1934, as amended, that involve substantial risks and uncertainties. All statements other than statements of historical fact contained in this report, including statements regarding our future results of operations and financial condition, business strategy, and plans and objectives of management for future operations, are forward-looking statements. In some cases, forward-looking statements may be identified by words such as “believe,” “may,” “will,” “potentially,” “estimate,” “continue,” “anticipate,” “intend,” “could,” “would,” “project,” “target,” “plan,” “expect,” or the negative of these terms or other similar expressions. These forward-looking statements include, but are not limited to, statements concerning the following:

Forward-looking statements are based on our management’s beliefs and assumptions and on information currently available. These forward-looking statements are subject to a number of known and unknown risks, uncertainties and assumptions, including risks described in the section titled “Risk Factors” and elsewhere in this Annual Report on Form 10-K. Other sections of this Annual Report on Form 10-K may include additional factors that could harm our business and financial performance. Moreover, we operate in a very competitive and rapidly changing environment. New risk factors emerge from time to time, and it is not possible for our management to predict all risk factors nor can we assess the impact of all factors on our business or the extent to which any factor, or combination of factors, may cause actual results to differ from those contained in, or implied by, any forward-looking statements.

You should not rely upon forward-looking statements as predictions of future events. Although we believe that the expectations reflected in the forward-looking statements are reasonable, we cannot guarantee future results, levels of activity, performance, achievements, events, or circumstances. Except as required by law, we undertake no obligation to update publicly any forward-looking statements for any reason after the date of this report or to conform these statements to actual results or to changes in our expectations. You should read this Annual Report on Form 10-K and the documents that we have filed as exhibits to this report with the understanding that our actual future results, levels of activity, performance, and achievements may be materially different from what we expect. We qualify all of our forward-looking statements by these cautionary statements.

In addition, statements that “we believe” and similar statements reflect our beliefs and opinions on the relevant subject. These statements are based upon information available to us as of the date of this report, and while we believe such information forms a reasonable basis for such statements, such information may be limited or incomplete, and our statements should not be read to indicate that we have conducted an exhaustive inquiry into, or review of, all potentially available relevant information. These statements are inherently uncertain and you are cautioned not to unduly rely upon these statements.

Unless otherwise noted or unless the context provides otherwise, all references in this Annual Report on Form 10-K to our “common stock” refer to our voting common stock.

PART I

Item 1. Business

Our Mission

Our mission is to deliver the most important and complex payments. In an increasingly digital world, getting paid means Flywire.

Our Company

Flywire is a leading global payments enablement and software company. Our next-gen payments platform, proprietary global payment network and vertical-specific software help our clients get paid and help their customers pay with ease—no matter where they are in the world. Our clients rely on us for integrated solutions that are both global and local, and combine tailored invoicing, flexible payment options, and highly personalized omni-channel experiences. We believe we make generational advances for our clients by transforming payments into a source of value and growth for their organizations while delighting their customers with payment experiences that are engaging, secure, fast, and transparent.

There have been substantial strides made in payments technology in the retail and e-commerce industries; however, massive sectors of our global economy—including education, healthcare, travel, and B2B payments—are still in the early stages of digital transformation. We estimate the annual addressable volume for these sectors alone to be approximately $11.7 trillion, as more fully described in “Our Market Opportunity”. We believe Flywire is well-positioned to capture a meaningful share of this global payment volume given our ability to provide deeply-integrated digital solutions that address both domestic and cross-border payments.

Our clients, and the types of organizations we serve in education, healthcare, travel, and B2B, require payment processes and experiences that can deliver high-stakes, high-value payments and are specifically tailored to their industry, their business, and their customers. Often, payment solutions have a “one size fits all” approach, without regard for the particular nuances and detailed operations of specific verticals. Without Flywire, organizations often invest substantial resources in building their own payment offerings or rely on disparate legacy systems, which not only fail to meet their or their customers’ needs but also divert meaningful resources away from revenue-generating work. When core payment capabilities like invoicing, diverse payment offerings and reconciliation are inefficient, organizations miss the opportunity to use payments to scale and grow their business.

Flywire was founded to solve these challenges. We aim to power the transformation of our clients’ accounts receivable functions by automating paper and check-based business processes in addition to creating interactive, digital payment experiences for their customers. As a result, clients who implement our cross-border and in-country domestic payments and software solutions can experience improved accounts receivable, higher enrollment in payment plans, and a reduction in customer support inquiries. We help our clients turn their accounts receivable functions into strategic, value-enhancing areas of their organizations.

Over the last decade, we have invested significant resources to build a global network of bank, payment and technology partners that enable us to provide end-to-end connectivity between our clients and their customers in many countries around the world. We have engineered our software-driven payments technology stack to meet enterprise-level standards and functionality while delivering simplicity, convenience and ease of use for our clients and their customers. In addition, we have developed personalized communication channels (e.g., short message service (sms), chat, email, text, or phone) to enhance our clients’ ability to engage with their customers through a digital-first user experience. The result of these investments is our Flywire Advantage.

Our Flywire Advantage is derived from three core elements: (i) our next-gen payments platform; (ii) our proprietary global payment network; and (iii) our vertical-specific software backed by our deep industry expertise.

These three core elements of our business fuel a powerful and accelerating flywheel. When we started Flywire, we built a robust payments platform that solved pain points for cross-border payments and delivered simplicity, transparency, and cost-effective solutions. Continued adoption of our payments platform has enabled us to enhance engagement with our clients, create more personalized connections for our clients’ customers and extend our reach. Adding new clients and their customers builds our global scale and deepens our knowledge and expertise, enabling us to streamline and automate complex accounts receivable functions. As shown in the illustration below, as the number of clients using our next-gen payments platform grows, we are able to continue to enhance our end-to-end solutions, tailor our vertical-specific software and expand our global payment network to support more local payment types.

The benefits of our flywheel are visible in the significant scale we have achieved to date. As of December 31, 2023, we serve over 3,800 clients around the world. In education, we serve more than 2,800 institutions. In healthcare, we serve more than 90 healthcare systems, including four of the top 10 healthcare systems in the United States ranked by hospital size. In our newer payment verticals of travel and B2B, we have a growing portfolio of more than 900 clients.

Our business model is designed to encourage rapid, widespread utilization of our solutions. We enable our clients to scale the use of Flywire to an unlimited number of customers with favorable unit economics. For the years ended December 31, 2023 and 2022, we enabled over $24.0 billion and approximately $18.1 billion, respectively, of total payment volume across more than 140 currencies.

The value of our Flywire Advantage has been recognized, with global financial institutions and technology providers choosing to form channel partnerships with us. Our channel partners include financial institutions such as Bank of America Corporation; payment providers such as China UnionPay Co. Ltd. and Adyen N.V.; and software companies that serve as the core systems in our verticals such as Ellucian Company, L.P. in education and Cerner Corporation in

healthcare. These partnerships promote organic referral and lead generation opportunities and enhance our indirect sales strategy.

We also reach clients through our direct channel. Our domain-experienced sales and relationship management teams bring vertical expertise and regional and local reach that drives high dollar-based net retention. For the year ended December 31, 2023, our annual net dollar-based retention rate was approximately 125%. For the year ended December 31, 2022, our annual net dollar-based retention rate was approximately 124%. For the year ended December 31, 2021, our annual net dollar-based retention rate was approximately 140%. In addition, our client and customer service combines high-tech and high-touch functions backed by 24x7 multilingual customer support, resulting in high client and customer satisfaction. For the year ended December 31, 2022, we had a net promoter score (NPS) of 62, which exceeds the average NPS of traditional financial institutions.

We have grown rapidly since our founding. We generated revenue of $403.1 million, $289.4 million and $201.1 million for the years ended December 31, 2023, 2022 and 2021, respectively, and incurred net losses of $8.6 million, $39.3 million and $28.1 million, respectively for those same years. In November 2023, we acquired Learning Information Systems Pty Ltd. (StudyLink), an Australian-based software as a service (SaaS) education company that provides platforms to education providers to support their student admissions systems and processes, including features such as eligibility assessment, offer generation, recruitment agent and commission management and acceptance processing. In July 2022, we acquired Cohort Solutions Pty Ltd. (Cohort Go), an Australian-based education payments provider that simplifies the student recruitment process by bringing together students, agents and essential student services such as health insurance into one platform. In December 2021, we acquired WPM Group Ltd. (WPM), a leading software provider that enables seamless and secure payment experiences for universities and colleges across the U.K.

Benefits of the Flywire Advantage to Our Clients and Their Customers

Flywire sits in between our clients, which include educational institutions, hospitals, travel providers, businesses, and their customers: students, patients, travelers, and businesses. We believe this two-sided relationship makes us strategically important for our clients–who rely on us for their complex accounts receivable needs, and for our clients’ customers–who rely on us to deliver their most important payments.

Benefits of the Flywire Advantage to Our Clients

We continuously apply our knowledge and domain expertise in education, healthcare, travel, and B2B payments to expand upon our solutions and meet the specific needs of our clients, while freeing them from cumbersome and legacy financial processes. For our clients, key benefits of our solutions include:

Benefits of the Flywire Advantage to Our Clients’ Customers

Our digital-first customer experience is designed to make the process of paying invoices simple. For our clients’ customers, key benefits of our solutions include:

How Our Flywire Advantage Works

Our clients’ needs extend beyond simple payment processing. Enabling our clients to use enhanced payment functionality to drive business value as well as streamlining and automating their domestic and cross-border payment operations, requires a specialized approach that combines a secure, reliable, and robust suite of payments and software solutions with a seamless customer experience.

To achieve this, we leverage our Flywire Advantage and its three core elements: (i) our next-gen payments platform; (ii) our proprietary global payment network; and (iii) our vertical-specific software backed by our deep industry expertise.

Next-Gen Payments Platform

Our next-gen payments platform is designed for payment processes and experiences that can deliver high-stakes, high-value payments. Through a single connection to our platform, we support the entire lifecycle of a domestic or cross-border transaction across online, mobile or in-person channels. This eliminates the need to work with multiple vendors and payment providers.

For the years ended December 31, 2023 and 2022, we enabled over $24.0 billion and approximately $18.1 billion, respectively, in total payment volume across multiple payment types, including local bank transfer, credit, debit and other alternative payment methods such as Alipay, Boleto, PayPal / Venmo, and Trustly. The majority of our payment volume is not card related and is completed over our global payment network. This reflects the myriad of payment options enabled by our global payment network that are critical for the larger, more complex payments that we handle.

We designed our next-gen payments platform to be:

By utilizing predictive analytics, ML and AI, we handle the complexities of money movement across borders while providing fast, compliant, and transparent receipt of payments. Our AI and ML enabled fraud detection risk engine has trained against millions of automated clearing house (ACH), check, card, and wire transactions. As a result, the enhanced power of our risk engine enables us to mitigate fraud.

Our comprehensive payments offering enables our clients to provide their customers a choice of cost-effective payment methods, currencies, and terms while enjoying a seamless digital experience. Our offering, supported by Flywire’s security, risk, and compliance monitoring tools, includes:

Below is a sample funds flow for a traveler from Australia taking a ski vacation in Japan paying in their local currency and with their preferred method of payment, such as a bank transfer of Australian Dollars to Japanese Yen, without incurring hidden fees, and with exchange rate protection. The illustration shows how our next-gen payments platform can be configured and activated at the client level, and deliver a seamless experience from any country of payment or receipt.

In addition to international expansion, we are accelerating the growth of our in-country domestic accounts receivable business, both by selling new solutions to existing clients and gaining new clients. Many of our clients who successfully use our payments platform to process cross-border payments require a similar solution for in-country domestic payments, which have similar challenges: they are reliant on home-grown or legacy solutions with limited or inflexible capabilities and often require time consuming manual updates. With our payments platform, clients are able to streamline payment processes and offer their customers flexible payment options, without the expense of building their own systems—for both in-country domestic and cross-border transactions.

Proprietary Global Payment Network

Our proprietary global payment network is comprised of global, regional and local banks and technology and payment partners around the world. We believe the extensive global reach and breadth of our network, serving more than 240 countries and territories, provides a strong competitive advantage. Additionally, we have local market knowledge and expertise to enable funds flow in some of the hardest to reach markets. We have also assembled redundant payment rails, wherever possible.

With Flywire’s network, our clients can take advantage of our “local-in / local-out strategy”—providing access to pay-in options, such as local bank transfers, card-based payments, and alternative payment methods, while enabling pay-out capabilities in our clients’ preferred local payment methods.

We believe our receive-side network sets us apart. Flywire clients, no matter the vertical or market they are in, can receive a single daily payment in their preferred currency that aggregates and reconciles all their customer payments made via Flywire from around the globe—across approximately 4,500 geographic corridors for 2023 representing transaction flows between payers and payees.

Once our clients are connected to our global payment network, they can leverage an extended range of services and capabilities, including:

Vertical-Specific Software Backed by Deep Industry Expertise

We tailor our software to meet the needs of each vertical market we serve. We do so by leveraging our industry expertise and knowledge to develop a comprehensive view of our clients’ complex business challenges. We learn to “speak our clients’ language” and tailor their invoicing processes and payment options to their specific situations.

We offer deep integration within our clients’ existing apps and workflows for seamless payment acceptance and reconciliation. Our integrations, supported by our application programming interfaces (APIs), include some of the largest and most recognized accounting and enterprise resource planning (ERP) systems, such as Ellucian Company, L.P. in education, Epic Systems Corporation in healthcare, Rezdy Pty Ltd in travel, and Oracle Corporation in B2B payments. Through these integrations, our clients are able to reduce the number of banks and technology and payment providers on which they rely, while achieving faster settlements and lower wire and transaction fees.

Specific features of our vertical-specific software include:

Below is an illustration of how a large hospital client utilizes our software to personalize patient engagement with payment options and billing conversations. We solve capacity to pay for our clients’ customers (with payment plans or other intelligent promotional financing) and we engage with them through their preferred communication methods (e.g., sms, chat, email, text, or phone). In turn, our clients are able to maximize yield on their accounts receivable potential, resulting in higher net payments, lower call volume, lower debt outstanding and most importantly, lower costs and happier patients.

Our Industry

We believe Flywire plays a critical role in helping digitize transactions in traditionally underserved markets, facilitating in-country domestic and cross-border invoicing and payments, automating reconciliation, and providing a seamless experience for our clients’ customers. Our ability to deliver the most important and complex payments both domestically and internationally has become increasingly valued by our clients due to the following trends:

Globalization—and the rise of a “borderless” economy—requires global, cross-border and local payment and regulatory expertise

As the world becomes more connected, it is both easier and harder to do business. Consumers want to make payments across borders with ease and want to have a personalized experience in their language and in their local currency. Businesses are attempting to satisfy this demand, but we believe they often struggle to deliver truly global capabilities. Providing a solution that meets the needs of our global client base extends beyond simple payment processing. Enabling, streamlining, and automating our clients’ in-country domestic and cross-border payment operations requires a specialized approach that combines a secure, reliable, and robust suite of payments and software solutions with a seamless customer experience. We believe we can deliver extensive global reach and bring local market knowledge and expertise to keep up with the rapidly changing payments landscape.

Globalization has also increased the complexity of the regulatory landscape that our clients need to navigate. Consumers and businesses are required to understand and adhere to extensive and often incongruous sets of laws and regulations in both local and cross-border regimes. For example, many countries with significant cross-border flows require distinct paperwork to be collected, validated and recorded as part of currency export compliance for high-value payments. Furthermore, we believe that clients often lack the policies, procedures and systems in order to implement and monitor strict compliance. We believe that the result is often costly and manual review processes, which can also increase the client’s risk of penalties and fines. We endeavor to actively manage the global complexities of regulation for our clients’ payments while implementing innovative solutions intended to make the entire process more efficient and user-friendly.

The shift to software-integrated digital payments is accelerating

As business and consumer transaction expectations shift with digitization, providers of modern payments platforms with industry-specific software have begun to displace legacy systems. Businesses and consumers have come to expect that all payment flows, especially for high-value services, are settled with the same ease as typical e-commerce purchases. We expect these trends will impact all industries and force many businesses to accept new digital payment methods. We believe fully integrated payments and software solutions, including those provided by us, enable businesses to offer seamless payment experiences, minimize friction at the point-of-sale and respond to evolving customer preferences.

Legacy payment and accounts receivable management infrastructure has significant limitations and is ripe for innovation

Even in some of the largest industries in the world, such as education, healthcare, and travel, legacy payment and accounts receivable infrastructure has not evolved to streamline complexities nor enhance efficiency as demanded by organizations or their customers. This legacy infrastructure has the following limitations:

Accelerating digitization of B2B payments

We believe the B2B payments market remains one of the largest untapped opportunities in the payments industry. Few payments and software companies have end-to-end integrated payments solutions including accounts receivable software, omni-channel offerings, cross-border capabilities and other value-added services. Most often, providers only offer one or two of these capabilities and require clients to employ other piecemeal point solutions. The unique combination of our next-gen payments platform, proprietary global payment network, and vertical-specific software enables us to design and deliver a comprehensive suite of solutions that help our business clients get paid by their customers.

Our Market Opportunity

We believe the trend of digitizing payments is inevitable across all industries. When businesses and consumers make payments, they expect a quick and easy process. On the receiving end, businesses expect to accept payments from different sources and countries, and reconcile them from within one system, but without added complexity or additional costs.

Many industries still lack the digital payments infrastructure that is necessary to meet customer demand and solve operational inefficiencies. For example, the majority of healthcare payments are still made by check. Likewise, in education, budget shortfalls, along with rising tuition costs, have added financial strain and created collections problems.

These inefficiencies are costly. According to a study by Deloitte, middle-market businesses incur $3.3 trillion in operational costs when reconciling invoices as a result of inadequate legacy solutions, such as disparate file formats and lack of back-office support for automated remittances.

Despite these shortfalls, the demand for domestic and cross-border money movement continues to accelerate and global payments present one of the largest market opportunities. For the primary industries we currently serve, we estimate the current addressable market for our solutions to be approximately $1.7 trillion in global payment volume, including education ($660 billion)(1), healthcare ($500 billion)(2) and travel (approximately $530 billion).(3)

Additionally, our B2B payments offering expands the addressable market for our solutions, which we estimate to be over $10 trillion in addressable B2B payment volume(4). Given Flywire’s existing penetration of key verticals, ability to integrate with a broad range of core systems and continued investments in our next-gen payments platform, proprietary global payment network, and vertical-specific software, we believe we have the opportunity to capture a meaningful share of this payment volume.

Our Growth Strategy

We believe we have a significant opportunity to build on our success and momentum to date. The key elements of our growth strategy include:

Expand Our Client Reach

Expand Our Ecosystem Through Channel Partnerships

While the majority of our clients to date have been acquired by our direct sales team, we expect that continued engagement with channel partners, including financial institutions and providers of enterprise software solutions in our key verticals, will enhance our client acquisition efforts and drive continued growth. We also believe our channel partners, which include consultants specialized in our industry verticals, will help amplify the reach and visibility of our solutions to clients worldwide.

Expand to New Verticals and Geographies

We leverage our Flywire Advantage to scale into new verticals and geographic markets. We have a strong track record of expanding efficiently into new verticals and geographic markets, as we have shown in healthcare, travel, and B2B payments and in the expanded reach of our global payment network. We see a large and significantly underserved opportunity for clients domestically and internationally to benefit from our payments platform, global payment network and vertical-specific software. Additionally, there are other industries, including real estate and government taxes, that we believe are poorly digitized and could benefit from our solutions.

Pursue Strategic and Value-Enhancing Acquisitions

We intend to continue to complement and accelerate our organic growth strategies through acquisitions. We have a successful record of identifying, executing, and integrating acquisitions, and we intend to continue to pursue acquisitions through a highly disciplined approach. We also have the scale to be an attractive and reputable consolidator in the payments markets as evidenced by our ability to retain nearly all of the clients and employees from our WPM, Cohort Go and StudyLink acquisitions. We believe our approach and breadth of experience in integrating culturally-aligned businesses position us to maximize the value we derive from future acquisitions.

Our Flywire Culture and Team

As an organization, our culture is founded on our shared experiences, unique and diverse backgrounds, and belief in our mission to deliver on the most important and complex payments. As a collective team of approximately 1,200 full-time employees and contractors, who we call FlyMates, we strive for excellence as one team, guided by our core values, including:

Our leadership team defines our culture and strategy and collectively has decades of experience leading companies through rapid growth at scale. Representing approximately 40 nationalities and spoken languages, our diverse team of FlyMates deliver critical domain expertise and regionally tailored skill sets to our clients 24x7. We believe our team’s relentless client focus and adherence to our shared values are evident in our NPS of 62 for the year ended December 31, 2022, and will continue to define our future success.

Our Business Model

We derive revenue from transactions and platform and usage-based fees. Each new student tuition bill, patient visit, travel journey and business invoice is an opportunity for us to generate fees.

Our revenue is highly re-occurring in nature due to the mission-critical nature of our solutions that are deeply integrated within our clients’ existing operating workflows and IT infrastructure. We believe the depth and breadth of our solutions help our clients get paid faster and with less friction. This enables us to develop long-standing relationships with our clients, which in turn also drive strong retention and significant cross-selling opportunities.

An Illustration of Our Solution

We simplify domestic and cross-border payment transactions for our clients by eliminating the need to work with disparate vendors for invoicing, global pay-in and pay-out, compliance and risk management and more. Through a single connection to Flywire, we enable our clients to securely accept and reconcile payments and engage with their customers. The illustrations below depict how Flywire manages both international and domestic payments for a representative education client.

International Payment Example: In the first example below, a Chinese student paying their tuition to a Canadian university experiences a seamless process from start to finish—choosing their preferred payment method and currency. For our client, the accounts receivable process is automated and streamlined from invoice to receipt and to reconciliation and real-time ERP updates. For our cross-border payments, we have short term foreign exchange exposure, typically between one and four days; we leverage our in-house currency hedging algorithms, and enter into non-deliverable forward foreign currency contracts, to mitigate the volatility related to fluctuations in the foreign exchange rates. For additional discussion about our foreign exchange exposure, please see “Management’s Discussion and Analysis of Financial Condition and Results of Operations - Quantitative and Qualitative Disclosures About Market Risk”.

Domestic Payment Example: The example below illustrates the process of offering payment plans to domestic students, which can be set up by either the school or the student.

From the same payments platform, we manage the entire payment process for our clients with the only difference being the type of payment offering selected to meet the needs of their customers, whether that be international or domestic.

Our Go-To-Market Strategy

Our direct sales channel is core to our go-to-market strategy. We believe that regional, vertical, and broader domain expertise, as well as continued client management, are critical to our sales success. Our regional sales teams are located in the United States, Canada, Latin America, Europe, and the Asia Pacific region including Singapore, Japan, and Australia. Our relationship management team augments direct sales capabilities by cultivating existing relationships and identifying cross-sell and up-sell opportunities of additional solutions, contributing to our strong dollar-based net retention rate. We believe that our ability to understand the nuanced pain points of education, healthcare, and travel accounts receivable is a strategic advantage enabling us to gain clients in those verticals, while our broader domain expertise in payments, treasury, and banking is critical to executing on our broader B2B payments expansion.

We focus our sales and marketing efforts on generating leads to develop our sales pipeline, building brand and vertical awareness, scaling our network of partners, and growing our business from our existing client base. Our sales leads primarily come through inbound digital channels including our website, content marketing efforts, lead generation and account-based marketing tactics, virtual events, and industry trade shows and associations.

We typically follow a “land-and-expand” strategy as our clients engage with us on more than one solution as we grow our partnership. For example, in education we have a high success rate expanding beyond solving cross-border payments needs, with clients also adopting our domestic solutions or full-suite enterprise solution. Once our clients experience the depth of our ability to handle their multi-faceted accounts receivable and payments needs, our relationship managers are able to successfully cross-sell and up-sell other solutions, creating a large avenue of revenue generation with minimal incremental acquisition cost.

We also reach clients indirectly through our channel partnerships, integrations with workflow software, and other technology providers. Our channel partners include financial institutions, such as Bank of America Corporation, as well as a number of referral partners such as Tribal Group and Cerner Corporation. Additionally, Flywire has integrations with leading accounting and ERP systems, such as Oracle Corporation, Ellucian Company, L.P., Epic Systems Corporation and Rezdy Pty Ltd.

Our Technology and Architecture

Our unified technology is at the core of our Flywire Advantage. The scale and complexity of the product implementation challenges that we address for our clients and their customers cannot easily be addressed through today’s legacy systems and outdated infrastructure. Instead, it requires our combination of a modern technology stack, cloud-native infrastructure, and investment in product and engineering management talent.

Our engineering approach includes a DevOps culture, microservice architecture, continuous delivery, and the use of containers to enable shorter development lifecycles. We also operate independently-deployable services that are critical to supporting verticals and reliability across operating environments. Our product and engineering leadership team has a long history of payments and payments technology experience, with domain expertise across our verticals.

Our technology stack is comprised of the following:

Payments-as-a-Service

Our next-gen payments platform includes the infrastructure required to support more than just simple money flows:

Software-as-a-Service

Our vertical-specific software leverages our payments platform to provide industry specific solutions and deliver “last mile” connectivity to our clients’ operating systems and their customers. Our applications address complex billing and domestic and cross-border payment processes, while delivering a near seamless payment experience. Additionally, our personalization engine, delivered as a software solution and leverages our AI and ML and deep analytics systems.

Public Application Programming Interface (API)

We recently launched a direct public API that sits on top of our payments platform. For organizations of all sizes, from smaller businesses to larger enterprises who want to control the customer experience, we can expose our API for easy integration, significantly reducing the time to realize advantages from the use of our solution. This public API capability significantly enhances our ability to scale and to execute on our growth strategies.

Our technology is designed for speed, resilience and reliability. We believe we demonstrated our ability to scale when we entered the broader B2B market and were able to leverage engineering solutions and APIs in our other verticals, including a native module integrated into NetSuite. Our technology enables us to process transactions in real-time, regardless of origin, destination or amount. For example, in education, our deep, customized integrations within our clients’ systems can lead to the difference between on-time enrollment or missed registrations—a difference that cannot be delivered through batch processes that are not posted instantaneously. We leverage Amazon Web Services (AWS) for our cloud redundancy, and tools such as Site24x7, Pingdom, Cloudflare, and PagerDuty for an uninterrupted experience for our clients.

Our Compliance and Risk Management Foundation

We have a dedicated compliance and risk management function. We have implemented the practices to help us protect our business and assure our clients and payment partners that our processes are compliant and meet or exceed their exacting standards, including advanced and agile practices for risk governance and a monitoring program that leverages key data inputs and software. We have robust AML, suspicious activity reports (SARs) and client KYC procedures. We also devote considerable resources to our data and cyber security. In addition, we possess key certifications across the verticals we serve, which we believe is an important aspect of why our clients choose to work with us. These audit-tested certifications and risk program features, which in many cases apply with specificity to the verticals we serve, include: third party certifications for Service Organization Control 2 (both SOC 1, Type II and SOC 2, Type II), Payment Card Industry Data Security Standard (PCI DSS), and Americans with Disabilities Act (ADA) compliance, as well as systems and processes designed to ensure compliance with the General Data Protection Regulation (GDPR) in Europe, the Data Security Law (DSL) and Personal Information Protection Law (PIPL) in China, the California Consumer Protection Act (CCPA), the Personal Information Protection and Electronic Documents Act in Canada, Family Educational Rights and Privacy Act (FERPA), and Health Insurance Portability and Accountability Act (HIPAA), among others.

Our experienced team, coupled with our advanced technology and software tools, helps us navigate the challenges of global payments in a compliant manner:

Locally, we often work with licensed and regulated payment service providers (PSPs) to bring more familiar solutions to our clients’ customers and to leverage their regulatory insight. This insight can be a valuable tool to deliver differentiated services to our clients to help them stay in front of laws that may impact their business. For example, in India, we addressed new tax withholding requirements for our clients’ customers and deployed a solution to help with their education-related payments.

To support these areas of focus, our risk and security team has developed a foundation resting on an appropriate governance and policy structure, robust and scalable security architecture and solutions, and an expansive and continuous cyber security and incident response framework. In addition, we have FlyMates in the compliance and risk management function located around the world where we have operations to address the needs of the business in real-time.

Competition

Our primary competition consists of legacy payment methods such as traditional bank wires provided by local, regional and global banks and money transfers from remittance companies. Other competitors include integrated payment providers focused on cross-border payments; B2B payments platforms; and vertical-specific software solutions offered by local niche players.

We believe many legacy payment providers are hindered by limitations such as antiquated technology systems, insufficient solution and service offerings, poor user experiences, and unsatisfactory client and customer support. Our modern technology stack, combined with our innovative and flexible suite of solutions, addresses many of the issues that clients face today, including:

We believe that we compete favorably on the basis of these factors.

Intellectual Property

We protect our intellectual property through a combination of trademark, copyright, and trade secret laws, as well as confidentiality procedures and contractual restrictions, to establish and protect our proprietary rights both domestically and abroad. These laws, procedures and restrictions provide only limited protection. We endeavor to enter into agreements with our FlyMates, consultants and contractors and with parties with whom we do business in order to acquire intellectual property rights developed as a result of service to Flywire, as well as to limit access to and disclosure of our proprietary information.

We actively pursue registration of our trademarks, logos, service marks, trade dress, and domain names in the United States and in other jurisdictions. As of December 31, 2023, we had 118 registered trademarks and trademark applications, and were the registered holder of a variety of U.S. and international domain names.

From time to time, we also incorporate certain intellectual property licensed from third parties. Even if any such third-party technology was not available to us on commercially reasonable terms, we believe that alternative technologies would be available as needed.

For additional information about our intellectual property and associated risks, see the section titled “Risk Factors–If we fail to adequately protect our proprietary rights, our competitive position could be impaired and we may lose valuable assets, generate less revenue and incur costly litigation to protect our rights.”

Regulation and Industry Standards

Various aspects of our business and service areas operate in a quickly evolving regulatory environment, and are subject to U.S. federal, state, and local regulation, as well as regulation outside the United States. Certain of our services also are subject to rules promulgated by various card networks and other authorities, as more fully described below. These descriptions are not exhaustive, and these laws, regulations and rules frequently change, are subject to differing interpretations or enforcement, and are increasing in number.

We are registered as a Money Service Business (MSB) with the U.S. Department of the Treasury’s Financial Crimes Enforcement Network (FinCEN) and are subject to the Bank Secrecy Act of 1970, as amended by the USA PATRIOT Act of 2001, and its implementing regulations, collectively, the BSA, and certain obligations contained therein, including, among other things, certain record-keeping and reporting requirements, and examinations by FinCEN.

The BSA is the primary compendium of U.S. laws and regulations regarding AML and countering the financing of terrorism (CFT). As required under the BSA, we have implemented and continue to expand an AML and CFT program designed to prevent our payments platform from being used to facilitate money laundering, terrorist financing, and other financial crimes. Our program is also designed to prevent our payments platform and global payment network from being used to facilitate business with certain individuals, entities, countries, and territories that are subject to economic or trade sanctions that the U.S. Department of the Treasury’s Office of Foreign Assets Controls (OFAC) and various foreign authorities administer or enforce. Our AML and CFT compliance programs include policies, procedures, and controls that are designed to address these legal and regulatory requirements and to assist in detecting and preventing the use of our payments platform to engage in money laundering or terrorist financing activity. Program elements include, without limitation, the designation of a BSA/AML Officer to oversee the programs, KYC procedures, processes to detect and report suspicious activity, sanctions screening, employee training, annual third-party independent testing, and risk-based procedures for conducting ongoing customer due diligence.

If our compliance programs are found to be deficient, we could lose key relationships with banks, merchant acquirers, and other payment partners on which we rely to carry out our business. Fines, penalties or sanctions for the violation of AML and CFT laws and regulations may be severe and our efforts to remediate issues may be costly, may result in diversion of management and staff time and effort, and may still not guarantee compliance. In 2023, in the course of implementing geolocation data-based sanctions screening measures, we identified certain payments which, based on geolocation data, appear to have been initiated from Cuba, Iran, or Syria, in potential violation of applicable sanctions regimes. We have made a voluntary submission to OFAC to report the potential violations. Although the internal investigation completed to date suggests that any loss incurred as a result of this matter would not be material to our business, if OFAC ultimately concludes a violation has occurred, it could result in penalties, fines, costs, and restrictions on our ability to do business, which could also harm our operating results.

Most states in the United States require a license to offer money transmission services. We are in the process of procuring money transmitter licenses (or the statutory equivalent) in those U.S. jurisdictions that require them in order to be able to offer additional business lines in the future. We have procured and maintain money transmitter licenses in 42 U.S. jurisdictions, and actively work to comply with new license requirements as they arise. We have taken the position that Flywire’s business to date is exempt from licensure under various state money transmission laws, either expressly as a payment processor or agent of the payee, or pursuant to common law as an agent of the payee. We actively work to evaluate, and if applicable, comply with new license or regulatory requirements as they arise. Although we believe we have defensible arguments in support of our positions under the state money transmission statutes, we have not expressly obtained confirmation of such positions from all of the state banking departments who administer the state money transmission statutes. It is possible that certain state banking departments may determine that our activities are not exempt from licensure. In the past, certain competitors have been found to violate laws and regulations related to

money transmission, and they have been subject to fines and other penalties by regulatory authorities. Regulators and third-party auditors have also identified gaps in how similar businesses have implemented AML and CFT programs. The adoption of new money transmitter or MSB statutes, or changes in regulators’ interpretation of existing state and federal money transmitter or MSB statutes or regulations, could subject Flywire to new registration, licensing or other requirements. Any determination that Flywire is in fact required to be licensed under such state money transmission or MSB statutes may require substantial expenditures of time and money and could lead to liability in the nature of penalties or fines, as well as cause us to be required to cease operations in some of the U.S. jurisdictions we serve.

With respect to the money transmission licenses we maintain in U.S. jurisdictions, we are subjected to, among other things, record-keeping requirements, reporting requirements, bonding requirements, limitations on the investment of customer funds, and examination by state regulatory agencies. Any actual or perceived failure to comply with legal and regulatory requirements related to our money transmitter licenses may result in, among other things, revocation of required licenses, regulatory or governmental investigations, administrative enforcement actions, civil and criminal liability, and constraints on our ability to continue to operate.

Similar regulatory requirements exist in other markets where we do business. For example, local Flywire entities are licensed as Authorised Payments Institutions in each of the United Kingdom (U.K.) (regulated by the Financial Conduct Authority (FCA)) and Lithuania (regulated by the Bank of Lithuania (BOL)), and Australia (regulated by the Australian Securities & Investments Commission (ASIC)). In addition, we have secured approval for a Major Payment Institution license from the Monetary Authority of Singapore (MAS), and in Canada we are registered as an MSB with the Financial Transactions and Reports Analysis Centre of Canada. We are also registered as a foreign Electronic System Organizer in Indonesia. When serving clients in these regulated markets, we are generally required to implement governance structures, AML and CFT programs and KYC standards that are different from those in the U.S., and which incorporate local or European Economic Area (EEA) requirements. The FCA in particular has been an active regulator, and as a result of Brexit, we were able to both obtain a license from the BOL and continue to serve our EEA clients through the “passporting” principle without any interruption of service. In other non-U.S. markets, we are able to serve clients in locations that either do not require Flywire to obtain a license or pursuant to a specific exemption issued by the applicable regulator.

In addition, several jurisdictions where our clients’ customers reside impose currency export controls (e.g., China and India), taxation at source or other documentation requirements before money can be converted into destination currency and sent abroad. Generally, our local payment partners in these locations will assist in ensuring the customers meet these requirements, but it is often the case that we need to ensure that the Flywire payment experience accommodates the unique and ever-changing regulatory environments where our clients’ customers are located.

There are also a number of U.S. federal and state consumer finance and consumer protection laws that may impact Flywire’s business. States have a myriad of statutes and case law precedent addressing when credit card surcharges or convenience fees may be imposed by third-party service providers and under what circumstances they are prohibited. In addition, Dodd-Frank created the Consumer Financial Protection Bureau (CFPB), which has assumed responsibility for implementing and enforcing most federal consumer financial protection laws and a prohibition on unfair, deceptive and abusive acts and practices. Several of these laws apply to some of Flywire’s clients, and in some cases, Flywire is contractually obligated to ensure its services do not violate these laws, even though Flywire is not directly subject to them. For example, the Truth in Lending Act of 1968 (TILA) is a U.S. federal law that applies to creditors and is designed to promote the informed use of consumer credit. Although Flywire is not in the business of extending credit or charging interest on the payments it helps its clients collect, when Flywire clients extend credit subject to TILA, TILA may require our clients to provide disclosures to their customers about consumer credit terms and costs in a format specified by the CFPB. Our payment installment plan functionality utilized by our clients in healthcare and education often requires that our payment experience accommodate these disclosure obligations that attach to our clients. Our business may also be subject to the Fair Credit Reporting Act (FCRA) which regulates the use and reporting of consumer credit information and imposes disclosure requirements on entities that take adverse action based on information obtained from credit reporting agencies. We could be liable if our practices governed under the FCRA are not in compliance with the FCRA or its regulations.

The Electronic Fund Transfer Act (EFTA) also imposes substantive disclosure and error resolution obligations on entities that facilitate electronic fund transfers and international remittance transfers. We could be liable for violating EFTA if we fail to comply with these requirements when they apply to us. We do not believe other laws that are implemented by the CFPB, including the Equal Credit Opportunity Act and the Fair Debt Collection Practices Act apply to us. If these determinations are wrong, interpretations of these statutes change, or we expand or change our solutions, we may be

subject to the restrictions imposed by these laws. Should our business or solutions change in a way that did subject us to the CFPB’s jurisdiction, we would be subject to increased scrutiny of our business and consumer compliance practices.

Separately, the Telephone Consumer Protection Act of 1991 (TCPA) and similar state and federal laws contain extensive rules relating to communication by telephone, such as detailed requirements relating to granting and revocation of consent and “opt-in” or “opt-out” thresholds for receipt of communications, and these requirements are often changing and the subject of high-profile litigation. Our services include features regulated by the TCPA and similar laws (e.g., calls made from automated dialing systems, texts confirming receipt of payment, status updates or due dates, appointment reminders) and we can be liable for penalties, or subject to litigation or contractual indemnification obligations, if we do not comply with them.

Flywire is also required to navigate card network rules and other requirements of self-regulatory organizations, such as ACH payment networks. We rely on our varied network of merchant acquirer relationships to access the payment card networks such as Visa and Mastercard, which enable our acceptance of credit cards and debit cards. We pay fees to our merchant acquirers for such services.

Visa, Mastercard and other card networks set complex and evolving rules and standards with which we must comply—often referred to as “card network rules”. We also have relationships with American Express, Japan Credit Bureau (JCB) and China Unionpay, which impose similar obligations on us. The payment networks and their member financial institutions routinely update, generally expand and modify requirements applicable to merchant acquirers and their customers, including rules regulating data integrity, third-party relationships, merchant chargeback standards and compliance with the PCI DSS. PCI DSS is a set of requirements designed to ensure that all companies that process, store, or transmit payment card information maintain a secure environment to protect cardholder data. Under certain circumstances, we are required to report incidents to the card networks and other authorities within a specified time frame. Any changes in card network rules or standards that increase the cost of doing business or limit our ability to provide processing services to our merchants will adversely affect the operation of our business.

If we or our merchant acquirers fail to comply with the card network rules or other applicable rules and requirements of the card payment networks, Visa or Mastercard or our other card providers could suspend or terminate our registration. Further, our transaction processing capabilities, including with respect to settlement processes, could be delayed or otherwise disrupted, and recurring non-compliance could result in the payment networks seeking to fine us, or suspend or terminate our registrations which allow us to process transactions on their networks, which would make it impossible for us to conduct our business on its current scale.

Under certain circumstances specified in the card network rules, we may be required to submit to periodic audits, self-assessments, or other assessments of our compliance with the PCI DSS. Such activities may reveal that we have failed to comply with the PCI DSS. In addition, even if we comply with the PCI DSS, there is no assurance that we will be protected from a security breach or other cybersecurity incident.

The termination of our registration with the payment networks, or any changes in payment network or issuer rules that limit our ability to provide card payment alternatives to our clients’ customers could have an adverse effect on our payment processing volumes, revenues and operating costs. If we are unable to comply with the requirements applicable to our settlement activities, the payment networks may no longer allow us to provide these services and we would lose a substantial portion of our revenues.

We are also subject to the National Automated Clearing House Association (NACHA) operating rules. NACHA is a self-regulatory organization which administers and facilitates private-sector operating rules for ACH payments and defines the roles and responsibilities of financial institutions and other ACH network participants. The NACHA Rules and Operating Guidelines impose obligations on us and our partner financial institutions particularly when we instruct our partner institutions to debit a third party’s account. These obligations include audit and oversight by the financial institutions and the imposition of mandatory corrective action, including termination, for serious violations. If an audit or self-assessment of PCI DSS or NACHA compliance identifies any deficiencies that we need to remediate, the remediation efforts may distract our management team and other staff and be expensive and time consuming.

Similarly, our ACH sponsor banks have the right to audit our compliance with NACHA’s rules and guidelines and are given wide discretion to approve certain aspects of our business practices. Like the payment networks, NACHA may update its operating rules and guidelines at any time, which could require us to take more costly compliance measures or to develop more complex monitoring systems. The NACHA rules permit transactions to be returned under certain circumstances. If too many of our transactions are returned, our ability to access the ACH system could be impaired by our partner financial institutions. Our partner financial institutions could similarly change their interpretation of NACHA

requirements, which could require costly remediation efforts and could prevent us from continuing to provide services through such partner financial institutions until we remediate issues to their satisfaction.

We collect and use a wide variety of information (including personal information) for various purposes in our business, including: (i) to help ensure the integrity of our services, (ii) to meet KYC, transaction monitoring, AML and CFT standards, and (iii) to provide features and functionality to our clients and their customers. This aspect of our business, including the collection, use, disclosure, and protection of personal information we acquire in connection with the use of our services, is subject to numerous laws and regulations in the United States and globally. Regulation and proposed regulation in this area has increased significantly in recent years and is expected to continue to do so.

In addition to numerous privacy and data protection laws already in place, U.S. states are increasingly adopting laws modeled on the GDPR that impose comprehensive privacy and data protection obligations. For example, the CCPA, which became effective on January 1, 2020, gives California residents expanded rights to access and delete their personal information, opt out of certain personal information sharing and receive detailed information about how their personal information is used, and it imposes other requirements as well. The CCPA provides for civil penalties for violations, as well as a private right of action for data breaches. Colorado, Virginia, Utah and Oregon have recently joined California in enacting privacy and data protection legislation that impose additional obligations on businesses related to the collection, storage and utilization of third party information, as well as the reporting of data breaches. All 50 states, Puerto Rico, and the U.S. Virgin Islands (similar to many of the other countries where we do business), have passed laws regulating the actions that a business must take if it experiences a data breach, such as prompt disclosure to affected individuals, consumer reporting agencies, or governmental agencies. In addition, we are subject to laws in the U.S. and abroad restricting or placing conditions on our ability to collect and utilize certain specific types of information, such as Social Security and driver’s license numbers.

Many of the foreign jurisdictions where we or our customers do business, including the European Union (E.U.), have laws and regulations dealing with the processing of personal information, which in some cases are more restrictive than those in the United States. In addition to regulating the processing of personal information within the relevant jurisdictions, these legal requirements often also apply to the processing of personal information outside these jurisdictions, where there is some specified link to the relevant jurisdiction. For example, Flywire has multiple offices in Europe and serves clients and their customers throughout the E.U., where GDPR went into effect in 2018. The GDPR, which also is the law in Iceland, Norway, Liechtenstein, and—to a large degree—the U.K., has an extensive global reach and imposes robust obligations relating to the processing of personal information, including documentation requirements, greater control for data subjects (e.g., the “right to be forgotten” and data portability), security requirements, notice requirements, restrictions on sharing personal information, data governance obligations, data breach notification requirements, and restrictions on the export of personal information to most other countries. Fines of up to 20 million Euros or up to 4% of the annual global revenue of a noncompliant corporate family, whichever is greater, could be imposed for violations of certain of the GDPR’s requirements, and private claims also are possible.

Recent legal developments have created compliance uncertainty regarding some transfers of personal information from the U.K. and EEA to locations where we or our customers operate or conduct business, including the United States and potentially Singapore. Under the GDPR, such transfers can take place only if certain conditions apply or if certain data transfer mechanisms are in place. In July 2020, the Court of Justice of the E.U. ruled in its “Schrems II” decision (C-311/18), that the Privacy Shield, a transfer mechanism used by thousands of companies to transfer data between those jurisdictions and the United States (and also used by Flywire), was invalid and could no longer be used due to the strength of United States surveillance laws. In September 2020, the Federal Data Protection and Information Commissioner of Switzerland (where the law has a similar restriction on the export of personal information) issued an opinion concluding that the Swiss-U.S. Privacy Shield Framework does not provide an adequate level of protection for data transfers from Switzerland to the United States pursuant to Switzerland’s Federal Act on Data Protection. We and our customers continue to use alternative transfer strategies including the European Commission’s Standard Contractual Clauses (SCCs) while the authorities interpret the Schrems II decision and the validity of alternative data transfer mechanisms. The SCCs, though previously approved by the European Commission, have faced challenges in European courts (including being called into question in the Schrems II decision), and may be further challenged, suspended or invalidated for transfers to some or all countries. For example, guidance regarding Schrems II issued by the European Data Protection Board (which is comprised of representatives from every E.U. member state’s top data protection authority) have cast serious doubt on the validity of SCCs for most transfers of personal information to the United States. The Schrems II decision and related enforcement actions or other legal developments in this area could subject us to negative financial consequences, such as fines, penalties, loss of customers, and the need to engage in costly restructuring of our business and IT operations and restructuring of our relationships with service providers and other partners.

In Asia, there has been an increase in both regulation and enforcement of privacy laws. The Act on Protection of Personal Information originally enacted in June 2020 by the Japanese government, was amended and came into effect on April 1, 2022 (Amended APPI). Since the passage of the Amended APPI, a number of implementing regulations and supporting documents have been released, addressing the requirements for transferring personal data outside Japan, notifying security breaches and creating pseudonymous information exempt from certain obligations under the Amended APPI.

China passed its DSL and its PIPL in 2021. Both new laws impact every business operating in or doing business with China, coupling extensive obligations with respect to the processing of all types of data, with potentially significant penalties for noncompliance. With the promulgation of the DSL and PIPL, China has tightened up regulation on collection, processing, sharing and cross-border transfer of personal data and important data such as financial data. The data security regime has an extraterritorial effect and imposes additional compliance obligations with respect to processing (in and outside China) of personal data of Chinese individuals and other data which may be viewed sensitive or important. These regulations apply not only to our client’s payers who are Chinese nationals (such as students seeking to study abroad) but also China-based employees as well as third party business partners.

As a reaction to data security concerns, the Australian parliament, in 2022, approved a bill to amend the country's privacy legislation, significantly increasing the maximum penalties for companies and data controllers who suffer large-scale data breaches to the greater of: (i) AU$50 million, (ii) three times the value of any benefit obtained through the misuse of information, and (iii) 30% of a company's adjusted turnover in the relevant period. Previously, the penalty for severe data exposures was AU$2.22 million, considered by the current parliament to be wholly inadequate to incentivize companies to improve their data security mechanisms. The Office of the Australian Information Commissioner has new regulatory tools and flexibility that should, together with an ongoing focus on funding enforcement, see a more proactive regulator with capacity and capability to investigate and litigate more privacy incidents in Australia.

We have taken steps to address compliance obligations that apply to us under the Amended APPI, the DSL, the PIPL and Australian data security laws but cannot assure you that such steps will be effective, and we may face the risk of increased costs, liability and loss of business.

There are also regulations that require that access to websites be safe and accessible for people with disabilities. The ADA contains certain standards (most commonly referred to as Section 508 Standards) that apply to federal government websites as well as to websites that may be provided by institutions that are recipients of federal funding. Many of our clients (principally higher education clients in the U.S.) receive support from U.S. federal agencies, and require that our payment experience be accessible and conform to the Section 508 Standards and the World Wide Web Consortium (W3C) Web Content Accessibility Guidelines 2.0 Level AA. Our payment experience is ADA-compliant, and we arrange for third-party audits to ensure that we continually conform to these standards. As we modify our user interface to improve or add features and functionality to our payment experience, we must continue to account for ADA compliance when required.

Human Capital and Employees

As of December 31, 2023, we had approximately 1,200 full-time FlyMates. We also engage part-time and temporary FlyMates, as well as consultants as needed to support our operations. As an organization, our culture is founded on our shared experiences, unique and diverse backgrounds, and belief in our mission to deliver on the most important and complex payments. Our leadership team defines our culture and strategy and collectively has decades of experience leading companies through rapid growth at scale.

None of our FlyMates are represented by a labor union or covered by a collective bargaining agreement. We have not experienced any work stoppages and we consider our relations with our FlyMates to be good.

Our human capital resources objectives include, as applicable, identifying, recruiting, retaining, incentivizing and integrating our existing and additional FlyMates. The principal purposes of our equity incentive plans are to attract, retain and motivate selected FlyMates, consultants and directors through the granting of stock-based compensation awards and cash-based performance bonus awards.

Our Values

At Flywire, we commit to encourage and reward behaviors that are consistent with our culture, which is founded on our shared experiences, unique and diverse backgrounds, and belief in our mission to deliver on the most important and

complex payments. We seek to hold each other accountable when behaviors do not support the culture we aspire to. Our values include:

We define our values by the virtues and behaviors that shape them, as these values guide us in all that we do: in hiring, performance, and day-to-day interactions with both FlyMates and our clients and their customers.

Environmental, Social and Governance (ESG) Report

In December 2022, we released our inaugural ESG report, our first comprehensive summary of how we integrate social good initiatives into our business strategy. The report provides baseline metrics as well as a detailed overview of the core tenets of our ESG program, which are shaped by many defining principles - from social impact and community engagement, to diversity, equity and inclusion (DE&I), and much more. Our ESG report is based on global best practices, and aligns with metrics set forth by the Sustainability Accounting Standards Boards (SASB) standards as well as the Global Reporting Initiative (GRI) standards.

The ESG report details our investments across the following ESG disciplines, including:

In the past year, we have reinforced our commitment to ESG by:

Corporate Information

We were initially formed in July 2009 as peerTransfer Corporation, a Delaware corporation. We changed our name to Flywire Corporation in December 2016. Our principal executive offices are located at 141 Tremont St., #10, Boston, MA 02111. Our telephone number is (617) 329-4524. Our internet address is www.flywire.com. The information contained on, or that can be accessed through, our website is not a part of this Annual Report on Form 10-K. We have included our website address as an inactive textual reference only.

Flywire, the Flywire logo, and other registered or common law trade names, trademarks, or service marks of Flywire appearing in this Annual Report on Form 10-K are the property of Flywire. This Annual Report on Form 10-K contains additional trade names, trademarks, and service marks of ours and of other companies. We do not intend our use or display of other companies’ trade names, trademarks, or service marks to imply a relationship with, or endorsement or sponsorship of us, by these other companies. Other trademarks appearing in this Annual Report on Form 10-K are the property of their respective holders. Solely for convenience, our trademarks and tradenames referred to in this Annual Report on Form 10-K appear without the ® and ™ symbols, but those references are not intended to indicate, in any way, that we will not assert, to the fullest extent under applicable law, our rights, or the right of the applicable licensor, to these trademarks and tradenames.

Available Information

We make available free of charge, on our website (www.flywire.com), our annual report on Form 10-K, quarterly reports on Form 10-Q, current reports on Form 8-K, and amendments to those reports filed or furnished pursuant to Section 13(a) or 15(d) of the Exchange Act as soon as reasonably practicable after we electronically file such material with, or furnish it to, the SEC. The SEC maintains an internet site that contains reports, proxy and information statements, and other information regarding issuers that file electronically with the SEC at http://www.sec.gov.

Investors, the media, and others should note that we intend to announce material information to the public through filings with the SEC, the investor relations page on our website (https://ir.flywire.com), blog posts on our website, press releases, public conference calls, webcasts, and social media channels, including our X (formerly known as Twitter) feed (@flywire) and LinkedIn page (https://www.linkedin.com/company/flywire).

The information disclosed by the foregoing channels could be deemed to be material information. As such, we encourage investors, the media, and others to follow the channels listed above and to review the information disclosed

through such channels. Any updates to the list of disclosure channels through which we will announce information will be posted on the investor relations page on our website. The contents of the websites provided above are not incorporated into this filing or in any other report or document we file with the SEC. These website addresses are intended to be inactive textual references only.

Item 1A. Risk Factors

Investing in our common stock involves a high degree of risk. Before deciding whether to invest in shares of our common stock, you should consider carefully the risks and uncertainties described below, together with all of the other information in this Annual Report on Form 10-K, including “Management’s Discussion and Analysis of Financial Condition and Results of Operations” and our consolidated financial statements and the accompanying notes included elsewhere in this Annual Report on Form 10-K. The risks and uncertainties described below are not the only ones we face. Additional risks and uncertainties that we are unaware of or that we deem immaterial may also become important factors that adversely affect our business. If any of the following risks actually occur, our business, financial condition, liquidity, operating results, and prospects could be materially and adversely affected. In that event, the market price of our common stock could decline, and you could lose part or all of your investment. See “Special Note Regarding Forward-Looking Statements.”

Risk Factors Summary

The summary of risks below is intended to provide an overview of the risks we face and should not be considered a substitute for the more fulsome risk factors discussed immediately following this summary.

Risks Related to Our Business and Industry

Risks Related to Our Operations

Risks Related to Our Legal, Regulatory and Compliance Landscape

Risks Related to Being a Public Company

Risks Related to Ownership of Our Common Stock

Risks Related to Our Business and Industry

We have a history of operating losses and may not achieve or sustain profitability in the future.

We were incorporated in 2009 and although we have generated net income in prior periods, we incurred a net loss in the year ended December 31, 2023, have incurred net losses in the past, and may continue to incur net losses in the future. We generated net losses of $8.6 million, $39.3 million and $28.1 million for the years ended December 31, 2023, 2022 and 2021, respectively. In addition, as of December 31, 2023, we had an accumulated deficit of $173.8 million. We have experienced significant revenue growth in recent periods and we are not certain whether or when we will obtain a high enough volume of revenue to sustain or increase our growth or achieve or maintain profitability in the future. We also expect our costs and expenses to increase in future periods, which could negatively affect our future operating results if our revenue does not increase. In particular, we intend to continue to expend significant funds to further develop our solutions, including introducing new functionality, and to expand our marketing programs and sales teams to drive new client adoption, expand strategic partner integrations, and support international and industry expansion. Our operating results are also impacted by the mix of our revenue generated from our different revenue sources, which include transaction revenue and platform and usage-based fee revenue. Changes in our revenue mix from quarter to quarter, including those derived from cross-border or domestic currency transactions, will impact our margins, and we may not be able to grow our revenue margin adequately to achieve or sustain profitability. In addition, the mix of payment methods utilized by our clients’ customers may have an impact on our margins given that our costs associated with certain payment methods, such as credit cards, are higher than other payment methods accepted by our solutions, such as bank transfers. Due to the cross-border nature of much of our business, fluctuations in foreign currency exchange rates, slowdowns in international mobility and other regional considerations may affect our operating results. We will also face increased compliance and security costs associated with growth, the expansion of our client base, and being a public company. Our efforts to grow our business may be costlier than we expect, and we may not be able to increase our revenue enough to offset our increased operating expenses. We may incur significant losses in the future for several reasons, including the other risks described herein, and unforeseen expenses, difficulties, complications, delays, and other unknown events. If we are unable to achieve and sustain profitability, the value of our business and common stock may significantly decrease.

If the assumptions we use to plan our business are incorrect or change in reaction to changes in our markets, or if we are unable to maintain consistent revenue or revenue growth, it may be difficult to achieve and maintain profitability. Our financial results from any prior quarterly or annual periods should not be relied upon as an indication of our future revenue or growth in revenue, gross profit or volume of payments processed.

In addition, we expect to continue to expend substantial management time, financial and other resources on:

These investments may not result in increased revenue growth in our business. If we are unable to increase our revenue at a rate sufficient to offset the expected increase in our costs, our business, financial position and operating results will be harmed, and we may not be able to achieve or maintain profitability over the long term.

We have a short operating history at our current scale in a rapidly and significantly evolving industry and, as a result, our past results may not be indicative of future operating performance.

We have a short history operating at our current scale in a rapidly and significantly evolving industry that may not develop in a manner favorable to our business. This relatively short operating history makes it difficult to assess our future performance with certainty. You should consider our business and prospects in light of the risks and difficulties we may encounter.

Our future success will depend in large part upon our ability to, among other things:

If we fail to address the risks and difficulties that we face, including those associated with the challenges listed above as well as those described elsewhere in this section titled “Risk Factors”, our business and operating results will be adversely affected.

If we are unable to retain our current clients, attract new clients and increase the number of our clients’ customers that use our solutions or sell additional functionality to our clients, our revenue growth and operating results will be adversely affected.

To increase our revenue, in addition to acquiring new clients, we must continue to retain existing clients, increase the volume of payments made by our clients’ customers and sell additional functionality to our clients. We expect to derive a significant portion of our revenue from the renewal of existing clients’ contracts and sales of additional features and solutions to existing clients. As the market for our solutions matures, solutions evolve, and competitors introduce lower cost or differentiated products or services that are perceived to compete with our solutions, our ability to attract (and our clients’ ability to attract) new customers and maintain our current client base and clients’ customer usage could be hindered. As a result, we may be unable to retain existing clients or increase the usage of our solutions by them or their customers, which would have an adverse effect on our business, revenue, gross profit, gross margins, and other operating results, and accordingly, on the trading price of our common stock.

As the market for our solutions matures, or as new or existing competitors introduce new products or services that compete with our solutions, we may experience pricing pressure. This competition and pricing pressure could have an adverse effect on our ability to retain existing clients or attract new clients at prices that are consistent with our pricing model, operating budget and expected operating margins. In particular, it has become more common in the education sector for competitors to offer generous revenue sharing arrangements for clients we target. Our business could be adversely affected if clients or their customers perceive that features incorporated into alternative products reduce the need for our solutions or if they prefer to use competitive services. If we are unable to attract new clients and increase the number of our clients’ customers that use our solutions, our revenue growth and operating results will be adversely affected. Further, in an effort to attract new clients and increase usage by their customers, we may need to offer simpler, lower-priced payment options, which may reduce our revenue.

Our ability to sell additional functionality to our existing clients may require more sophisticated and costly sales efforts, especially for our larger clients with more senior management and established accounts receivable solutions. Similarly, the rate at which our clients deploy additional solutions from us depends on several factors, including general economic conditions, the availability of client technical personnel to implement our solutions, and the pricing of additional functionality. If our efforts to sell additional functionality to our clients are not successful, our business and growth prospects would suffer.

Contracts with our clients generally have a stated initial term of three years, are not subject to termination for convenience and automatically renew for one-year subsequent terms. Our clients may negotiate terms less advantageous to us upon renewal, which may reduce our revenue. If our clients fail to renew their contracts, renew their contracts upon terms less favorable to us or at lower fee levels or fail to purchase new solutions from us, our revenue may decline or our future revenue growth may be constrained. In addition, certain of our clients are subject to requirements to issue requests for proposals (RFPs) to open up competition for their ongoing business notwithstanding their satisfaction with our solutions. In order to retain their business, we may be required to accept terms or pricing conditions less favorable to us than would be the case with automatic renewal of an existing contract. Should any of our clients terminate their relationship with us after implementation has begun, we would not only lose our time, effort and resources invested in such implementation, but we would also have lost the opportunity to leverage those resources to build a relationship with other clients over that same period of time.

We may experience quarterly fluctuations in our operating results, as well as our key metrics, due to a number of factors which make our future results difficult to predict and could cause our operating results to fall below expectations or our guidance.

Our operating results, and key metrics, may fluctuate due to a variety of factors, many of which are outside of our control. As a result, comparing our operating results on a period-to-period basis may not be meaningful. Our past results should not be relied on as an indication of our future performance. If our revenue or operating results fall below the expectations of investors or securities analysts or below any guidance we may provide to the market, the price of our common stock could decline substantially.

Our operating results have varied in the past and are expected to continue to do so in the future. In addition to other risk factors listed in this section titled “Risk Factors”, factors that may affect our quarterly operating results, business and financial condition include the following:

In addition, we may in the future experience fluctuations in our gross and operating margins due to changes in the mix of our domestic and international payments and the mix of payment methods, including an increase in the use of credit cards, and currencies used by our clients’ customers to make payments.

Based upon the factors described above and those described elsewhere in this section titled “Risk Factors”, we have a limited ability to forecast the amount and mix of future revenues and expenses, which may cause our operating results to fall below our estimates or the expectations of public market analysts and investors.

We expect our revenue mix to vary over time, which could affect our gross profit, gross margin and results of operations.

We expect our revenue mix to vary over time due to a number of factors. Shifts in our business mix from quarter to quarter could produce substantial variation in revenue recognized. Further, our gross profit, gross margins and results of operations could be affected by changes in revenue mix and costs, together with numerous other factors, including payment methods and currencies, pricing pressure from competitors, increases in credit card usage on our solutions and associated network fees, changes in payment volume across verticals and the portion of such payment volume for which we perform foreign exchange. Any one of these factors or the cumulative effects of certain of these factors may result in significant fluctuations in our gross profit, gross margin and results of operations. This variability and unpredictability could result in our failure to meet internal expectations or those of securities analysts or investors for a particular period. If we fail to meet or exceed such expectations for these or any other reasons, the market price of our common stock could decline.

If our efforts to attract new clients and increase the number of our clients’ customers that use our solutions are unsuccessful, our revenue growth and operating results will be adversely affected.

Our future growth and profitability will depend in large part upon the effectiveness and efficiency of our efforts to attract new clients and increase the number of our clients’ customers that use our solutions. While we intend to dedicate resources to attracting new clients and increasing the number of our clients’ customers that use our solutions, our ability to do so depends in large part on the success of these efforts and the success of the marketing channels we use to promote our solutions. Our marketing channels include search engine optimization, search engine marketing, account-based direct marketing campaigns, industry events and association marketing relationships. If any of our current marketing channels become less effective, if we are unable to continue to use any of these channels, if the cost of using these channels were to significantly increase or if we are not successful in generating new channels, we may not be able to attract new clients in a cost-effective manner or increase the number of our clients’ customers that use our solutions. If we are unable to recover our marketing costs through increases in the number of clients and in the number of our clients’ customers that use our solutions, or if we discontinue our marketing efforts, it could have a material adverse effect on our business, prospects, results of operations, and financial condition.

If we are unable to expand our direct and channel sales capabilities, grow our marketing reach and increase sales productivity, we may not be able to generate increased revenues.

We believe that our future growth will depend on the continued development of our direct sales force and its ability to obtain new clients and to manage our existing client base. Our ability to increase our client base and achieve broader market acceptance of our solutions will depend to a significant extent on our ability to expand our sales and marketing organizations, and to deploy our sales and marketing resources efficiently. We intend to continue to increase our number of direct sales professionals and to expand our relationships with new strategic channel partners. These efforts will require us to invest significant financial and other resources. New hires require training and take time to achieve full productivity. Similarly, new channel partnerships often take time to develop and may never yield results, as they require new partners to understand the services and solutions we offer, and how to position our value within the market. We cannot be certain that recent and future new hires or partner relationships will become as productive as necessary or that we will be able to hire enough qualified individuals or build effective channel sales in the future. If we are unable to hire, develop, integrate, and retain talented and effective sales personnel, if our new and existing sales personnel are unable to achieve desired productivity levels, or if our sales, channel strategy and marketing programs and advertising are not effective, we may not be able to expand our business and grow our revenue, which may harm our business, operating results and financial condition.

Our business could be adversely affected if our clients or their customers are not satisfied with the timing or quality of implementation services provided by us or our partners.

Our business depends on our ability to satisfy our clients and their customers with respect to our solutions as well as the services that are performed to help our clients and their customers use the features and functions of our solutions. Services are usually performed by us, and are also on occasion provided together with a third-party partner. If our clients or their customers are not satisfied with the functionality of our solutions or the services that we or a third-party partner provide, such dissatisfaction could damage our ability to retain our current clients or expand our clients’ or their customers’ use of our solutions. In addition, any negative publicity and reviews that we may receive which is related to our client relationships may further damage our business and may invite enhanced regulatory scrutiny at the federal and state level in the United States as well as internationally.

Our financial and operating results are subject to seasonality and cyclicality.

Our financial and operating results are subject to seasonal trends. For example, the volume of education tuition processed typically increases in the northern hemisphere during the summer and early fall months, as well as at year end, as students and their families seek to pay tuition costs for the fall semester, the spring semester, or the entire academic year, respectively. We expect this seasonality of education tuition processing to continue and expect it to impact the amount of processing fees that we earn and the level of expenses we incur to generate tuition payment volume and process the higher volume activity in a particular fiscal quarter.

We are exposed to fluctuations in foreign currency exchange rates that could materially and adversely affect our results of operations.

A majority of the total payment volume we have historically processed is cross-border payments denominated in many foreign currencies, which subjects us to foreign currency risk. The strengthening or weakening of the U.S. dollar versus these foreign currencies impacts the translation of our net revenues generated in these foreign currencies into the U.S. dollar. For example, for the year ended December 31, 2023, as the U.S. dollar strengthened against several currencies, including the British Pound, relative to the same period in the prior year, these foreign exchange impacts reduced our reported revenue in U.S. dollars by approximately $1.4 million compared to the year ended December 31, 2022 on a constant currency basis. In connection with providing our solutions in multiple currencies, we may face financial exposure if we are unable to implement appropriate hedging strategies, negotiate beneficial foreign exchange rates, or as a result of fluctuations in foreign exchange rates between the times that we set them. We also have foreign exchange risk on our assets and liabilities denominated in currencies other than the functional currency of our subsidiaries. We also incur expenses for employee compensation and other operating expenses at our non-U.S. locations in the local currency. Fluctuations in the exchange rates between the U.S. dollar and other currencies could result in the dollar equivalent of our expenses being higher which may not be offset by additional revenue earned in the local currency. This could have a negative impact on our reported results of operations.

Periods of instability in the Eurozone, including fears of sovereign debt defaults, and stagnant growth generally, and of certain Eurozone member states in particular, have resulted in concerns regarding the suitability of a shared currency for the region, which could lead to the reintroduction of individual currencies for member states. If this were to occur, Euro-denominated assets and liabilities would be re-denominated to such individual currencies, which could result in a mismatch in the values of assets and liabilities and expose us to additional currency risks.

As our international operations continue to operate and grow, our risks associated with fluctuation in currency rates will become greater, and we will continue to reassess our approach to managing this risk, such as using foreign currency forward and option contracts to hedge certain exposures to fluctuations in foreign currency exchange rates. Our use of such hedging practices may not offset any, or more than a portion, of the adverse effects of unfavorable movements in foreign exchange rates. In addition, currency fluctuations or a weakening U.S. dollar can increase the costs of our international operations, and the strengthening U.S. dollar could slow international demand as solutions priced in the U.S. dollar become more expensive.

Certain of our key performance indicators are subject to inherent challenges in measurement, and real or perceived inaccuracies in such metrics may harm our reputation and negatively affect our business.

We track certain key performance indicators, including metrics such as total payment volume, revenue less ancillary services, adjusted gross profit, adjusted gross margin and adjusted EBITDA, with internal systems and tools and which may differ from estimates or similar metrics published by third parties due to differences in sources, methodologies, or the assumptions on which we rely. Our internal systems and tools have a number of limitations, and our methodologies for tracking these metrics may change over time, which could result in unexpected changes to our key performance indicators, including the metrics we publicly disclose, or our estimates. If the internal systems and tools we use to track these metrics undercount or overcount performance or contain algorithmic or other technical errors, the data we report may not be accurate. While these numbers are based on what we believe to be reasonable estimates for the applicable period of measurement, there are inherent challenges in measuring these metrics across our growing client base. If our key performance indicators are not accurate representations of our business, or if investors, clients or other stakeholders do not perceive our operating metrics to be accurate, or if we discover material inaccuracies with respect to these figures, our reputation may be significantly harmed, and our operating and financial results could be adversely affected.

Our business depends, in large part, on our proprietary network of global, regional and local banking partners.

To grow our business, we will need to maintain and expand our network of global, regional and local banking partners. Our proprietary network of strategic relationships with global, regional and local banking partners is a material asset to our business, which took more than a decade to build. Establishing and maintaining our strategic partner relationships, particularly with our banking partners entails extensive and highly specific efforts, with little predictability and various ancillary requirements. These partners and suppliers have contractual and regulatory requirements and conditions that we must satisfy and continue to comply with in order to continue and grow the relationships. For example, our financial institution partners generally require us to submit to an exhaustive security audit including adherence to AML policies and KYC procedures. If we are not able to comply with those obligations or if our agreements with our banking partners or our network partners are terminated for any reason, we could experience service interruptions as well as delays and additional expenses in arranging new services, potentially interfering with our existing client relationships or making us less attractive to potential new clients.

In addition, our existing banking partners may at any time and from time to time cease serving certain categories of payments due to perceived risk or similar reasons as well as payments originating from, or being paid to, certain high risk jurisdictions. These partners may also impose additional requirements on Flywire, or with respect to their own internal procedures, as a condition of processing such payments in partnership with us. If we cease to be able to process payments from corridors or within certain of our verticals, or we are unable to comply with new requirements or only at considerable expense, our client relationships and ability to grow our revenue could be adversely affected.

Instability and volatility in the banking and financial services sectors, including bank failures, have increased and may in the future increase uncertainty in the global economy and the risk of a global recession. Volatility in the banking and financial services sectors may adversely impact our bank partnerships and could negatively impact our business. We may face difficulty establishing or maintaining banking relationships due to instability in the global banking system and increasing regulatory uncertainty and scrutiny. If these financial institutions are subject to suspension of operations, receivership, closure or similar action, or if our banking relationships become severely limited or unavailable in a certain country, there could be temporary delays in or unavailability of services in such country that are critical to our or our clients' operations. This could potentially lead to reduced use of our platform and lower payment volume which may adversely impact our business, operating results, and financial condition.

We may not be able to attract new network partners to our existing network of global, regional and local banking partners, which could adversely affect our ability to expand to additional countries and territories and transact in additional currencies. In addition, our potential partners may choose to work with our competitors’ or choose to compete with our solutions directly, which could have an adverse effect on our business, financial position, and operating results. Further, many of our network partners have greater resources than we do and could choose to develop their own solutions to replace or compete with ours. If we are unsuccessful in establishing, growing, or maintaining our relationships with network partners, our ability to compete or to grow our revenue could be impaired, and our results of operations may suffer.

Our growth depends in part on the success of our relationships with other (non-banking) third parties.

We have established relationships with a number of other companies, including financial institutions, processors, other financial services suppliers, channel sales partners, providers of electronic health records (EHR) services, implementation partners, technology and cloud-based hosting providers, and others. In order to grow our business, we will need to continue to establish and maintain relationships with these types of third parties, and negotiating and documenting relationships with them requires significant time and resources. Our competitors may be more effective in providing incentives to third parties to favor their products or services. If we are unsuccessful in establishing or maintaining our relationships with third parties, our ability to compete in the marketplace or to grow our revenues could be impaired and our operating results could suffer. Even if our strategic relationships are successful, we cannot assure you that these relationships will result in increased client usage of our solutions or increased revenues.

The markets in which we participate are competitive, and if we do not compete effectively, our operating results could be harmed.

The market for payments solutions is fragmented, competitive, and constantly evolving. Our competitors range from legacy payment methods, such as traditional bank wires, to integrated payment providers that focus on cross-border payments. With the introduction of new technologies and market entrants, we expect that the competitive environment will remain intense going forward. Our competitors that offer legacy payment methods or integrated cross-border payment platforms may develop products that compete with ours. Financial institutions that choose to enter into and compete in our

market may have the operating flexibility to bundle competing solutions with other offerings, including offering them at a lower price or for no additional cost to clients as part of a larger sale. In addition, new entrants not currently considered to be competitors may enter the market through acquisitions, partnerships, or strategic relationships. Many of our domestic and foreign competitors have greater resources, experience or more developed customer relationships than we do. For example, foreign competitors may seek to leverage local or common language relationships to cater to potential customers of our clients. There are new market entrants with innovative revenue sharing and other pricing arrangements that are able to attract customers that we compete to serve. Our competitors vary in size, breadth, and scope of the solutions offered. Some of our competitors and potential competitors have greater name recognition, longer operating histories, more established client relationships, larger marketing budgets, and greater resources than us. Our competitors may be able to respond more quickly and effectively than we can to new or changing opportunities, technologies, standards, and client requirements. For example, an existing competitor or new entrant could introduce new technology that reduces demand for our solutions.

For these reasons, we may not be able to compete successfully against our current or future competitors, and this competition could result in the failure of our solutions to continue to achieve or maintain market acceptance, any of which would harm our business, operating results, and financial condition.

Our estimates of market opportunity and our ability to capture a meaningful share of this payment volume may prove to be inaccurate, and even if the market in which we compete achieves the forecasted growth, our business could fail to grow at similar rates, if at all.

Our market opportunity estimates, including those we have generated ourselves and our ability to capture a meaningful share of this payment volume, are subject to significant uncertainty and are based on assumptions and estimates that may not prove to be accurate. The variables that go into the calculation of our market opportunity are subject to change over time, and there is no guarantee that any payment volumes covered by our market opportunity estimates will materialize in clients using our solutions as anticipated or generate any particular level of revenue for us. Any expansion in our market depends on a number of factors, including the cost, performance, and perceived value associated with our business and those of our competitors. Even if the market in which we compete meets the size estimates and growth forecasted, our business could fail to grow at similar rates, if at all. Our growth is subject to many factors, including our success in implementing our business strategy, which is subject to many risks and uncertainties.

Our clients in the education sector may be adversely affected by decreases in enrollment, pressure on tuition costs, or increased operating expenses, which may reduce demand for our solutions.

We are reliant on our education clients, including colleges, universities and other education-related organizations that include language schools, boarding schools, summer programs, and others, to drive enrollment at their schools and maintain tuition costs. Factors outside of our control will affect enrollments and tuition costs, including the following:

International cross-border transaction revenue represents a significant part of our revenue; international regulations and restrictions that inhibit cross-border travel and relocation of international students, as well as ongoing political friction between China and the U.S. that have slowed the growth of Chinese students studying in the U.S. and may have resulted in changes in Chinese student education destinations, have had and may continue to have an impact on our revenue growth. More recently, the Canadian government announced it will set a cap on international student permit applications for the years 2024 and 2025, motivated in part by housing shortages. This could adversely impact our business, operating results, and financial condition.

In addition, some clients’ customers may find that higher education is an unnecessary investment during uncertain economic times and defer enrollment in educational institutions until the economy grows at a stronger pace, or they may turn to less costly forms of secondary education, thus decreasing our education payment volumes. A significant decrease in the payment volume and resulting revenue from clients and their customers in this market would have an adverse effect on our business, operating results and financial condition.

The healthcare industry is rapidly evolving and the market for technology-enabled payment services that empower healthcare clients and their customers is relatively immature and unproven. If we are not successful in promoting the benefits of our solutions, our growth may be limited.

The market for our payment solutions is subject to rapid and significant changes. The market for technology-enabled payment services that empower healthcare clients and their customers is characterized by rapid technological change, new product and service introductions, increasing patient financial responsibility, consumerism and engagement, the ongoing shift to value-based care and reimbursement models, and the entrance of non-traditional competitors. In addition, there may be a limited-time opportunity to achieve and maintain a significant share of this market due in part to the rapidly evolving nature of the healthcare and technology industries and the substantial resources available to our existing and potential competitors. The market for technology-enabled payment services that empower healthcare clients and their customers is relatively new and unproven, and it is uncertain whether this market will achieve and sustain high levels of demand and market adoption.

In order to remain competitive, we are continually involved in a number of projects to compete with these new market entrants by developing new solutions, growing our client base and penetrating new markets. Some of these projects include the expansion of our integration capabilities and the expansion of our mobile solutions. These projects carry risks, such as cost overruns, delays in delivery, performance problems and lack of acceptance by our clients. Our integration partners may also decide to develop and offer their own patient engagement solutions that are similar to our solutions. In addition, the decisions we make on allocation of engineering resources, reliance on, integration with or discontinuance of, legacy systems or those acquired in acquisition, or the pace at which we remain technologically current within our internal systems and customer payment platforms, may negatively affect the morale of our engineering teams and the payment experiences our clients wish to feature to their customers. We may lose engineering talent or healthcare clients as a result, which could have a material adverse effect on our business and results of operations.

Our success depends on providing high-quality payment solutions that healthcare clients use to improve their financial and operational performance, allowing them to collect payments and enhance their revenue lifecycle management objectives. If we cannot adapt to rapidly evolving industry standards and technology and increasingly sophisticated and varied healthcare client and customer payment needs, our existing technology could become undesirable, obsolete or harm our reputation. We must continue to invest significant resources in our personnel and technology in a timely and cost-effective manner in order to enhance our existing solutions and introduce new high-quality solutions that existing clients and potential new clients will want. Our operating results would also suffer if our innovations are not responsive to the needs of our existing clients or potential new clients, are not appropriately timed with market opportunity, are not effectively brought to market or significantly increase our operating costs. If our new or modified product and service innovations are not responsive to the preferences of healthcare clients and their customers, emerging industry standards or regulatory changes, are not appropriately timed with market opportunity or are not effectively brought to market, we may lose existing clients or be unable to obtain new clients and our results of operations may suffer.

We believe demand for our payment solutions in the healthcare industry has been driven in large part by more patient responsibility for out-of-pocket spend, a trend towards higher deductibles for health care services, increased

digitization in payments, and the tailoring of payment offers and increased patient engagement. Our success also depends to a substantial extent on the ability of our solutions to increase the volume of our clients’ customers payments, and our ability to demonstrate the value of our solutions to our clients. If our existing clients do not recognize or acknowledge the benefits of our solutions or our solutions do not drive payment volume, then the market for our solutions might not develop at all, or it might develop more slowly than we expect, either of which could adversely affect our operating results. A significant decrease in the payment volume and resulting revenue from our clients and their customers in the healthcare industry may have an adverse effect on our business, operating results and financial condition.

In addition, we have limited insight into trends that might develop and affect our healthcare business. We might make errors in predicting and reacting to relevant business, legal and regulatory trends and healthcare reform, which could harm our business. If any of these events occur, it could materially adversely affect our business, financial condition or results of operations.

Finally, our competitors, including major EHR providers, may have the ability to devote more financial and operational resources than we can to developing new technologies and services, including services that provide improved operating functionality, and adding features to their existing service offerings. Relationships with companies in the EHR space and business focused on revenue lifecycle management are critical to leverage if we are to add to our healthcare customer portfolio. However, intense competition and rising costs experienced by certain major EHR providers has resulted, in certain cases, in increased financial strain on these businesses, and in at least one notable instance, an action to seek bankruptcy protection. To the extent we have outstanding amounts owed to us by companies that seek bankruptcy protection or cease operations, it may become difficult for us to be paid in full in a timely manner, if at all. Many of these companies may offer products and services similar to ours and may have greater name recognition, longer operating histories, stronger and more dependent client relationships, larger marketing budgets, and greater resources than us. If successful, their development efforts could render our solutions less desirable, resulting in the loss of our existing clients or a reduction in the fees we generate from our solutions.

Our business serving clients in the travel sector may be sensitive to events affecting the travel industry in general.

Events like regional or larger scale conflicts, war or other military conflict, including the conflicts between Russia and Ukraine, and Israel and Hamas, terrorist attacks, mass shooting incidents, natural disasters, such as hurricanes, earthquakes, fires, droughts, floods and volcanic activity, including events resulting from climate change, and travel-related health events, such as the COVID-19 pandemic, have had a negative impact on the travel industry and affect travelers’ behavior by limiting their ability or willingness to visit certain locations. In addition, the travel industry can be negatively impacted by adverse economic conditions in the United States and globally, including economic slowdown and inflation. We are not in a position to evaluate the net effect of these circumstances on our business as these events are largely unpredictable; however, we believe there has been negative impact to our business due to such events. Furthermore, in the longer term, our business might be negatively affected by financial pressures on or changes to the travel industry. For example, certain jurisdictions, particularly in Europe, have implemented or are considering implementing regulations intended to address the issue of “overtourism” including by restricting access to city centers or popular tourist destinations or limiting accommodation offerings in surrounding areas, such as by restricting construction of new hotels or the renting of homes or apartments. Such regulations could adversely affect travel and the volume of travel related payments that we process for our clients. The United States has implemented or proposed, or is considering, various travel restrictions and actions that could affect U.S. trade policy or practices, which could also adversely affect travel to or from the United States. If such events result in a long-term negative impact on the travel industry, such impact could have a material adverse effect on our business. The payment volume from our travel vertical represents less than 10% of our total payment volume. Because we seek to grow the payment volume and the revenue from this vertical in the future, failure to grow our payment volume and resulting revenue from this industry, may have an adverse effect on our business, operating results and financial condition.

With respect to the COVID-19 pandemic specifically, our 2020 financial results related to serving our existing travel clients and growing our client base in the travel sector were negatively impacted. During the years ended December 31, 2021, 2022 and 2023, we witnessed recoveries in our financial results and growth in revenue and payment volumes in our travel payment vertical. While improvements have been noted, sustaining this trend will in part be dependent on future developments that cannot be accurately predicted at this time, including, but not limited to, the emergence of variants and sub-variants, international regulations and restrictions that inhibit cross-border travel, global availability of vaccines and administration of vaccination, the rate of “herd immunity”, and the impact of these and other factors on travel behavior.

If we are unable to enter or expand new client verticals or sub-verticals, including our relatively new B2B payment vertical, or if our solutions for any new vertical fail to achieve market acceptance, our operating results could be adversely affected and we may be required to reconsider our growth strategy.

Our growth strategy is influenced, in part, on our ability to expand into new client verticals and sub-verticals, including our relatively new B2B payment vertical. The B2B payment vertical represents a relatively new market for us, and we have limited prior experience with the key ERP platforms that are critical to the B2B payment vertical. Accordingly, our lack of experience in the B2B payment vertical and with the key ERP platforms may result in operational difficulties, which could cause a delay or failure to integrate and realize the benefits of entering into this vertical. In addition, B2B payments carry a higher risk profile than education or healthcare receivables, and we will be required to devote more resources to manage the increased risk inherent in these payments. Banking and other payment services partners may be more reluctant to support B2B payment flows, and countries with currency controls are less likely to permit payments of a B2B nature. The payment volume and resulting revenue from our B2B payment vertical represents, and is expected for the foreseeable future to represent, less than 10% of our total payment volume and revenue. We expect both the payment volume and the revenue from this vertical to grow over time. As such, failure to grow our payment volume and resulting revenue from our B2B payment vertical may have an adverse effect on our business, operating results and financial condition.

We may be unable to identify new verticals or sub-verticals that meet our criteria for selecting industries that our solutions are ideally suited to address. In addition, our market validation process may not support entry into selected verticals due to our perception of the overall market opportunity or of the willingness of market participants within those verticals to adopt our solutions.

Even if we choose to enter new verticals or sub-verticals, our market validation process does not guarantee our success. We may be unable to tailor our solutions for a new vertical or, in the event that we enter a new vertical by way of a strategic acquisition, we may be unable to leverage the acquired platform in time to take advantage of the identified market opportunity, and any delay in our time-to-market could expose us to additional competition or other factors that could impede our success. In addition, any solution we develop or acquire for a new vertical may not provide the functionality required by potential clients or their customers and, as a result, may not achieve widespread market acceptance within the new vertical. To the extent we choose to enter new verticals, whether organically or via strategic acquisition, we may invest significant resources to develop and expand the functionality of our solutions to meet the needs of customers in those verticals, which investments will occur in advance of our realization of revenue from them.

Consolidation in the payment processing or enablement industry could have a material adverse effect on our business, financial condition and results of operations.

Many payment processing or enablement industry participants are consolidating to create larger and more integrated financial processing systems with greater market power. We expect regulatory and economic conditions to result in additional consolidation in the healthcare industry in the future. As consolidation accelerates, the economies of scale of our clients’ organizations may grow. If a client experiences sizable growth following consolidation, it may determine that it no longer needs to rely on us and may reduce its demand for our solutions. In addition, as payment processing providers consolidate to create larger and more integrated systems with greater market power, these providers may try to use their market power to negotiate fee reductions for our solutions. Finally, consolidation may also result in the acquisition or future development by our clients of products and services that compete with our solutions. Any of these potential results of consolidation could have a material adverse effect on our business, financial condition and results of operations.

We may be adversely affected by global economic and political instability.

As we seek to continue to operate and expand our business, our overall performance will depend in part on worldwide economic and geopolitical conditions. Economies domestically and internationally have been affected from time to time by falling demand for a variety of goods and services, restricted credit, poor liquidity, reduced corporate profitability, employment pressures in services sectors, volatility in the banking ecosystem or credit, equity and foreign exchange markets, bankruptcies, as well as war, terrorist activity, political or social unrest, civil strife and other geopolitical uncertainty, including the effects of ongoing United States-China and Canada-India diplomatic and trade friction, and the resulting impact on business continuity and travel, supply chain disruptions, inflation, security issues, and overall uncertainty with respect to the economy, including with respect to tariff and trade issues. To the extent that inflationary pressures and other global factors lead to an economic recession, demand for our solutions, our business and financial condition could be negatively impacted. In addition, from time to time we have reduced expenses and needed to

restructure or reorganize certain portions of our operations in order to align our business with market conditions and our strategies, any of which can result in near term expense and harm to our growth prospects.

For example, on February 24, 2022, Russian military forces invaded Ukraine, and continued conflict and disruption in the region is likely, and on October 7, 2023, Hamas terrorists infiltrated Israel’s southern border from the Gaza Strip and conducted a series of attacks on civilian and military targets. Hamas also launched extensive rocket attacks on the Israeli population and industrial centers located along Israel’s border with the Gaza Strip and in other areas within the State of Israel. On October 8, 2023, Israel formally declared war on Hamas, and thereafter commenced military operations against Hamas in Gaza and the armed conflict is ongoing as of the date of this filing. Although the length, impact and outcome of the ongoing conflicts in Ukraine and Israel are highly unpredictable, these conflicts could lead to significant market and other disruptions, including significant volatility in commodity prices and supply of energy resources, instability in financial markets, supply chain interruptions, political and social instability, changes in consumer or purchaser preferences as well as an increase in cyberattacks and espionage.

We are actively monitoring the situations in Ukraine and Israel and assessing any potential impact on our business, but to date have not experienced any material impact. We have no way to predict the progress or outcome of the conflicts in Ukraine and Israel as the conflicts, and any resulting government reactions, continue to develop beyond our control and can quickly change. The extent and duration of the military action, sanctions and resulting market disruptions could be significant and could potentially have a substantial impact on the global economy and our business for an unknown period of time. As the adverse effects of these conflicts continue to develop and potentially spread, both in Europe, the Middle East and through the rest of the world, our customers, and customer behavior, may be negatively impacted, which could negatively affect sales and sales cycles and overall demand for our solutions. Further or prolonged impacts on the global economy could also cause businesses to curtail business expenses, which could hinder our ability to attract new clients or result in a decrease in payment volume. It is not possible to predict the ultimate broader consequences of these conflicts and any of the abovementioned factors could have a material adverse effect on our business, financial condition and results of operations, particularly to the extent the conflict escalates to involve additional countries, further economic sanctions and wider military conflicts. Any such disruptions could also magnify the impact of other risks described in this Annual Report on Form 10-K.

In addition, political instability or adverse political developments and new or continued economic deterioration in any of the countries in which we operate could harm our business, results of operations and financial condition.

Inflation and interest rate increases have and may in the future result in decreased demand for our solutions, increases in our operating costs including our labor costs, constrained credit and liquidity, and volatility in financial markets and the banking ecosystem. During 2023, the United States Federal Reserve raised, and may in the future raise, interest rates in response to concerns over inflation risk. There continues to be uncertainty in the changing market and economic conditions, including the possibility of additional measures that could be taken by the Federal Reserve and other government agencies, related to concerns over inflation risk. A sharp rise in interest rates could have an adverse impact on the fair market value of securities we may invest in as part of our portfolio investments, which could adversely affect our financial results. In addition, 2024 is a presidential election year in the U.S., and political conditions may contribute to economic uncertainty or volatility, irrespective of electoral outcomes, which could adversely affect our business, results of operations and financial condition.

We have an office in Tel Aviv, Israel. Conditions in Israel, including the recent attack by Hamas and other terrorist organizations from the Gaza Strip and Israel’s war against them, may affect our operations.

Because we have an office in Tel Aviv, Israel, our business and operations are directly affected by economic, political, geopolitical and military conditions in Israel. Since the establishment of the State of Israel in 1948, a number of armed conflicts have occurred between Israel and its neighboring countries and terrorist organizations active in the region. These conflicts have involved missile strikes, hostile infiltrations and terrorism against civilian targets in various parts of Israel, which have negatively affected business conditions in Israel.

On October 7, 2023, Hamas terrorists infiltrated Israel’s southern border from the Gaza Strip and conducted a series of attacks on civilian and military targets. Hamas also launched extensive rocket attacks on Israeli population and industrial centers located along Israel’s border with the Gaza Strip and in other areas within the State of Israel. On October 8, 2023, Israel formally declared war on Hamas, and thereafter commenced military operations against Hamas in Gaza and the armed conflict is ongoing as of the date of this filing, and has resulted in extensive deaths, injuries and kidnapping of civilians and soldiers. Moreover, the clash between Israel and Hezbollah in Lebanon, may escalate in the future into a greater regional conflict.

Although we currently do not expect the ongoing conflict to materially affect our business, financial condition and results of operations, there can be no assurances that further unforeseen events will not have a material adverse effect on our business, financial condition and results of operations in the future.

The Israel Defense Force (IDF), the national military of Israel, is a conscripted military service, subject to certain exceptions. Since October 7, 2023, the IDF has called up more than 350,000 of its reserve forces to serve. It is possible that there will be further military reserve duty call-ups in the future, which may affect our business due to a shortage of skilled labor and loss of institutional knowledge, and necessary mitigation measures we may take to respond to a decrease in labor availability, such as overtime and third-party outsourcing, for example, may have unintended negative effects and adversely impact our business, financial condition and results of operations.

Shelter-in-place and work-from-home measures, government-imposed restrictions on movement and travel and other precautions taken to address the ongoing conflict may temporarily disrupt our employees’ ability to effectively perform their daily tasks.

It is currently not possible to predict the duration or severity of the ongoing conflict or its effects on our business, operations and financial conditions. The ongoing conflict is rapidly evolving and developing, and could disrupt our business and operations, interrupt our sources and availability of supply and hamper our ability to raise additional funds or sell our securities, among others.

Risks Related to Our Operations

We may not be able to scale our business quickly enough to meet our growing client base, and if we are not able to grow efficiently, our operating results could be harmed.

As usage of our solutions grows and we sign additional clients and technology partners, we will need to devote additional resources to improving and maintaining our infrastructure and global payments network and integrating with third-party applications to maintain the performance of our solutions. In addition, we will need to appropriately scale our internal business systems, including client support, our 24x7 multilingual support to clients’ customers and risk and compliance operations, to serve our growing client base.

Any failure of or delay in these efforts could result in interruptions to our solutions, impaired system performance, and reduced client satisfaction, resulting in decreased sales to clients, lower renewal rates by existing clients, the issuance of service credits, or requested refunds, all of which could hurt our revenue growth. If sustained or repeated, these performance issues could reduce the attractiveness of our solutions to clients and their customers and could result in lost client opportunities and lower renewal rates, any of which could hurt our revenue growth, client loyalty, and our reputation. Even if we are successful in these efforts to scale our business, they will be expensive and complex, and require the dedication of significant management time and attention. We could also face inefficiencies or service disruptions as a result of our efforts to scale our internal infrastructure. We cannot be sure that the expansion and improvements to our internal infrastructure will be effectively implemented on a timely basis, if at all, and such failures could adversely affect our business, operating results, and financial condition.

We enable the transfer of large sums of funds to our clients daily, and are subject to the risk of errors, which could result in financial losses, damage to our reputation, or loss of trust in our brand, which would harm our business and financial results.

For the year ended December 31, 2023, we processed over $24.0 billion in payments on our solutions, compared to approximately $18.1 billion for the year ended December 31, 2022, and approximately $13.2 billion for the year ended December 31, 2021. We have grown rapidly and seek to continue to grow, and our business is subject to the risk of financial losses as a result of chargebacks for client-related losses, credit losses, operational errors, software defects, service disruption, employee misconduct, security breaches, or other similar actions or errors in our solutions. As a provider of accounts receivable and other payment solutions, we enable the transfer of funds to our clients from their customers. Software errors in our solutions, including as a result of ordinary course updates to our software and systems, and operational errors by our FlyMates and business partners may also expose us to losses. In our business model, subject to certain exceptions, we function as a merchant of record in connection with the receipt of payments by our clients’ customers, which subjects us to chargeback risk in the event a client’s customer cancels or otherwise does not receive the services for which such customer paid. Although our client contracts allow us to pass such chargeback risk to our client, if a client has gone out of business, we are unable to collect on the chargeback and will bear the economic loss, which can negatively impact our business.

Moreover, our trustworthiness and reputation are fundamental to our business. As a global payments enablement and software company, the occurrence of any credit losses, operational errors, software defects, service disruption, employee misconduct, security breaches, or other similar actions or errors in our solutions could result in financial losses to our business and our clients, loss of trust, damage to our reputation, or termination of our agreements with strategic partners, each of which could result in:

There can be no assurance that the insurance we maintain to cover losses resulting from our errors and omissions will cover all losses or our coverage will be sufficient to cover our losses. If we suffer significant losses or reputational harm as a result, our business, operating results, and financial condition could be adversely affected.

Our management of our operating funds and client funds may be reliant on a limited number of our banking partners and other financial institutions.

As to certain verticals that we may choose to serve, as well as in selected geographical locations, our network of banking and other financial institution partners may be limited. As a result, although we seek to distribute financial and credit risk among multiple financial institutions, from time to time there may be a concentration of operating funds or client fund flows among a more limited number of financial institution partners. These partners are generally heavily regulated by national and local governments, and in some locations may be involved in a multitude of related businesses or part of larger, higher-profile financial conglomerates. These partners and suppliers are often subject to strict regulatory requirements and enforcement actions or may experience failures to satisfy capital adequacy conditions that result in a suspension of operations, seizure of assets or closure, which could materially impact the safeguarding of our operating funds or client funds. If we are not able to access our own funds or if client funds were in any way impacted, we could be adversely impacted, including by experiencing reputational damage and claims for restitution, potentially interfering with our existing client relationships or making us less attractive to potential new clients.

Volatility in the banking and financial services ecosystems may impact our bank partnerships and relationships, which could adversely affect our operations and liquidity.

Instability and volatility in the banking and financial services ecosystems, including limited liquidity, defaults, non-performance or other adverse developments that affect the banking ecosystem, or concerns or rumors about any such events or other similar risks, has and may in the future increase uncertainty in the global economy and the risk of a recession. Volatility in the banking and financial services sectors may impact our bank partnerships and relationships, which could adversely affect our operations and liquidity.

Our cash equivalents include money market funds, which are AAA-rated and comprised of liquid, high-quality debt securities issued by the U.S. government. Our access to our cash and cash equivalents and client funds could be significantly impacted in volatile markets given our concentration in government money market funds or impaired by the financial institutions with which we have arrangements directly, if such financial institutions are facing liquidity constraints or failures. We regularly maintain cash balances at third-party financial institutions in excess of the Federal Deposit Insurance Corporation (FDIC) insurance limit. A failure of a depository institution to return these deposits, or if a depository institution is subject to other adverse conditions in the financial or credit markets, could further impact access to our invested cash or cash equivalents and could adversely impact our operating liquidity, financial performance and ability to recover or repay client funds. If one or more of our bank partners were to fail and enter receivership proceedings, we may not be able to withdraw our or our clients' funds in excess of FDIC insurance limits, or may not be able to withdraw such funds in a timely manner, which could adversely affect our brand, business and results of operations, and may lead to regulatory or other claims or litigation, which may be costly to address.

In addition, investor concerns regarding the U.S. or international financial systems could result in less favorable commercial financing terms, including higher interest rates or costs and tighter financial and operating covenants, or

systemic limitations on access to credit and liquidity sources, thereby making it more difficult for us to acquire financing on acceptable terms or at all. Any material decline in available funding or our ability to access our cash and cash equivalents could adversely impact our ability to meet our operating expenses, result in breaches of our contractual obligations or result in violations of federal or state wage and hour laws, any of which could have material adverse impacts on our operations and liquidity.

If we are unable to maintain or expand our ability to offer a variety of local and international payment methods for our clients to make available to their customers, or if we fail to continue to grow and develop preferred payment choices, our business may be materially and adversely affected.

The continued growth and development of our proprietary global payments network will also depend on our ability to anticipate and adapt to changes in client and customer behavior. For example, behavior may change regarding the use of credit and debit card transactions, including the relative increased use of cash, crypto-currencies, other emerging or alternative payment methods and credit card systems that may include strong regional preferences that we or our processing partners do not adequately support. Any failure to timely integrate emerging payment methods into our solutions, anticipate behavior changes, or contract with payment processing partners that support such emerging payment technologies could cause our clients to use our solutions less, resulting in a corresponding loss of revenue, in the event such methods become popular among their customers.

The number and variety of the payment methods we offer or currencies we are able to service may not meet client expectations, or the costs borne by our clients’ customers in completing payments may become unsuitable. Accordingly, we may need to change our pricing strategies or reduce our prices, which could harm our revenue, gross profit, and operating results.

We utilize a number of payment providers to clear and settle transactions for our clients, including payments providers such as China UnionPay Co. Ltd. and Adyen N.V. If the services provided by these partners become unavailable due to extended outages or interruptions or because they are no longer available on commercially reasonable terms or prices, or due to regulatory restrictions or for any other reason, our expenses could increase and our ability to process certain payments could be materially interrupted, all of which could harm our business, financial condition, and results of operations. In addition, our agreements with these providers include certain terms and conditions. These providers have broad discretion to change their terms of service and other policies with respect to our business, and those changes may be unfavorable to us. Therefore, we believe that maintaining successful partnerships with these payment providers is critical to our success.

We, our strategic partners and our clients obtain and process large amounts of personal and sensitive data. Any real or perceived improper or unauthorized use of, disclosure of, or access to such data could harm our reputation as a trusted brand, as well as have a material adverse effect on our business.

We, our strategic partners and our clients, and the third-party vendors that we use, obtain and process large amounts of sensitive data, including personally identifiable information, also referred to as “personal data,” and other potentially sensitive data related to our clients, their customers and each of their transactions, as well as a variety of such data relating to our own workforce and internal operations. We face risks, including to our reputation as a trusted brand, in the handling and protection of this data, and these risks will increase as our business continues to expand to include new solutions and technologies.

We are responsible for data security for ourselves and for third parties with whom we partner and under the rules and regulations established by the payment networks, such as Visa, Mastercard and American Express, and debit card networks and by industry regulations and standards that may be promulgated by organizations such as NACHA, which manages the governance of the ACH network in the United States. These third parties include our distribution partners and other third-party service providers and agents. We and other third parties collect, process, store and/or transmit personal and sensitive data, such as names, addresses, social security numbers, credit or debit card numbers and expiration dates, driver’s license numbers and bank account numbers. We have ultimate liability to the payment networks and to our customers for our failure or the failure of third parties with whom we contract to protect this data in accordance with PCI DSS and network requirements. The loss, destruction or unauthorized modification or disclosure of merchant or cardholder data by us or our contracted third parties could result in significant fines, sanctions, claims, litigation and proceedings or actions against us by the payment networks, governmental entities, clients, client customers or others and damage our reputation.

Similarly, there are existing regulatory regimes designed to protect the privacy of categories of personal or otherwise sensitive data. Relevant U.S. federal privacy laws include the FERPA, the Gramm-Leach-Bliley Act (GLBA), and HIPAA.

We also are subject to stringent contractual obligations relating to the handling of such data, including obligations that are more restrictive than legally required. For example, under HIPAA, the information we collect during the payment experience may include protected health Information (PHI), and as such, we are considered a “business associate” of the U.S. healthcare clients we serve, and we are required to enter into a business associate agreement (BAA) with these clients. The BAAs largely mirror some of the statutory obligations contained in HIPAA, but many contain additional contractual undertakings that give these clients additional remedies in the event of a breach of our obligations to protect the confidentiality of the client’s PHI or otherwise meet our contractual obligations. Privacy laws impose a variety of compliance burdens on us and our clients, such as requiring notice to individuals of privacy practices, providing individuals with certain rights to prevent the use and disclosure of protected information, and also imposing requirements for safeguarding and proper destruction of personal information through the issuance of data security standards or guidelines. Privacy laws grant audit rights to our regulators and those of our clients. Any unauthorized disclosure of PHI or other data we are obligated to protect by regulation or contract could result in significant fines, sanctions, or requirements to take corrective action and could materially adversely affect our reputation and business.

Threats may derive from human error, fraud, or malice on the part of employees or third parties, or from accidental technological failure. For example, certain of our FlyMates have access to personal and sensitive data that could be used to commit identity theft or fraud. Concerns about security increase when we transmit information electronically because such transmissions can be subject to attack, interception, or loss. Also, computer viruses can be distributed and spread rapidly over the Internet and could infiltrate our systems or those of our contracted third parties. Denial of service or other attacks could be launched against us for a variety of purposes, including interfering with our solutions or to create a diversion for other malicious activities. These and other types of actions and attacks could disrupt our delivery of solutions or make them unavailable. Any such actions or attacks against us or our contracted third parties could impugn our reputation, force us to incur significant expenses in remediating the resulting impacts, expose us to uninsured liability, result in the loss of our bank sponsors or our ability to participate in the payment networks, increase our risk of regulatory scrutiny and the costs associated with such scrutiny, subject us to lawsuits, fines or sanctions, distract our management, or increase our costs of doing business.

We and our contracted third parties could be subject to security breaches by hackers. Our encryption of data and other protective measures may not prevent unauthorized access to or use of personal and sensitive data. A breach of a system may subject us to material losses or liability, including payment network fines, assessments and claims for unauthorized purchases with misappropriated credit, debit or card information, impersonation, or other similar fraud claims. A misuse of such data or a cybersecurity breach could harm our reputation and deter clients and their customers from using electronic payments generally and our solutions specifically, thus reducing our revenue. In addition, any such misuse or breach could cause us to incur costs to correct the breaches or failures, expose us to uninsured liability, increase our risk of regulatory scrutiny and the costs associated with such scrutiny, subject us to lawsuits, and result in the imposition of material penalties and fines under state and federal laws or by the payment networks. The insurance coverage we maintain to cover cyber risks may be insufficient to cover all losses. In addition, a significant cybersecurity breach of our systems or communications could result in payment networks prohibiting us from processing transactions on their networks or the loss of our bank sponsors that facilitate our participation in the payment networks, either of which could materially impede our ability to conduct business.

Additionally, it is also possible that unauthorized access to sensitive customer and business data may be obtained through inadequate use of security controls by our customers, suppliers or other vendors. While we are still not currently aware of any impact that the SolarWinds supply chain attack had on our business, the scope of the attack is still undetermined. Therefore, there is residual risk that we could experience a security breach arising from the SolarWinds supply chain attack.

We have administrative, technical, and physical security measures in place, and we have policies and procedures in place to both evaluate the security protocols and practices of our vendors and to contractually require service providers to whom we disclose personal data to implement and maintain privacy and security measures. However, we cannot provide assurance that the contractual requirements related to security and privacy that we impose on our service providers will be followed, or that those requirements, or our internal measures, will be adequate to prevent the unauthorized use or disclosure of data. If our privacy protection or security measures or those of the previously mentioned third parties are inadequate or are breached as a result of third-party action, employee or contractor error, malfeasance, malware, phishing, hacking attacks, system error, software bugs or defects in our solutions, trickery, process failure, or otherwise, and, as a result, there is improper disclosure of, or someone obtains unauthorized access to or extract funds or sensitive information, including personally identifiable information, on our systems or our partners’ systems, or if we suffer a ransomware or advanced persistent threat attack, or if any of the foregoing is reported or perceived to have occurred, our reputation and business could be damaged. Recent high-profile security breaches and related disclosures of personal and

sensitive data by large institutions suggest that the risk of such events is significant, even if privacy protection and security measures are implemented and enforced. If personal or sensitive information is lost or improperly disclosed or threatened to be disclosed, we could incur significant costs associated with remediation and the implementation of additional security measures, including costs to deploy additional personnel and protection technologies, train employees, and engage third-party experts and consultants. In addition, we may incur significant liability and financial loss and may be subject to regulatory scrutiny, investigations, proceedings, and penalties and our reputation may be harmed. Additional risks will emerge to the extent we incorporate artificial intelligence in our solutions. Artificial intelligence algorithms or automated processing of data may be flawed, and datasets may be insufficient or may use third party artificial intelligence with unclear intellectual property rights or interests. Inappropriate or controversial data practices by us or others could subject us to lawsuits, regulatory investigations, legal and financial liability, or reputational harm. Additionally, our use of artificial intelligence may create additional cybersecurity risks or increase cybersecurity risks, including risks of security breaches and incidents.

Under our terms of service and our contracts with strategic partners and clients, if there is a breach of payment information that we store, we could be liable for their losses and related expenses. Additionally, if our own confidential business information were improperly disclosed, our business could be materially and adversely affected. A core aspect of our business is the reliability and security of our solutions. Any perceived or actual breach of security, regardless of how it occurs or the extent of the breach, could have a significant impact on our reputation as a trusted brand, cause us to lose existing partners or clients, prevent us from obtaining new partners, clients or customers, require us to expend significant funds to remedy problems caused by breaches and implement measures to prevent further breaches, and expose us to legal risk and potential liability including those resulting from governmental or regulatory investigations, class action litigation, and costs associated with remediation, such as fraud monitoring and forensics. Any actual or perceived security breach at a company providing services to us or our clients could have similar effects.

We cannot be certain that our insurance coverage will be adequate for data handling or data security liabilities actually incurred, that insurance will continue to be available to us on economically reasonable terms, or at all, or that any insurer will not deny coverage as to any future claim. The successful assertion of one or more large claims against us that exceed available insurance coverage, or the occurrence of changes in our insurance policies, including premium increases or the imposition of large deductible or co-insurance requirements, could have a material adverse effect on our business, including our financial condition, operating results, and reputation.

Cyberattacks and security vulnerabilities can disrupt our business and harm our competitive position.

Cyber incidents have been increasing in sophistication and frequency and can include third parties gaining access to employee or customer data using stolen or inferred credentials, computer malware, viruses, spamming, phishing attacks, ransomware, card skimming code, and other deliberate attacks and attempts to gain unauthorized access. Providers of payment and accounts receivable software have frequently been targeted by such attacks and due to the wars in the Ukraine and Gaza and continued political uncertainty involving Russia and Ukraine, and Israel and Hamas, respectively, and potentially other regions of Europe and the Middle East, there is an increased likelihood that escalation of tensions could result in cyberattacks that could either directly or indirectly impact our operations. Because of this, we face additional cybersecurity challenges, including threats to our own IT infrastructure or those of our clients, our customers’ clients, and/or third-party providers, that may take a variety of forms ranging from stolen bank accounts, business email compromise, client employee fraud, account takeover, or check fraud, to “mega breaches” targeted against payment and accounts receivable software, which could be initiated by individual or groups of hackers or sophisticated cyber criminals using any of the methods described above. A cybersecurity incident or breach could result in disclosure of confidential information and intellectual property, or cause production downtimes and compromised data. We have in the past experienced cybersecurity incidents of limited scale, and we may in the future experience other data security incidents or breaches affecting personally identifiable information or other confidential business information. We may be unable to anticipate or prevent techniques used in the future to obtain unauthorized access or to sabotage systems because they change frequently and often are not detected until after an incident has occurred. As we increase our client base and our brand becomes more widely known and recognized, third parties may increasingly seek to compromise our security controls or gain unauthorized access to our sensitive corporate information or our clients’ (or our clients’ customers’) data.

Our business policies and internal security controls may not keep pace with these evolving threats. Despite the internal control measures, and security procedures we employ to safeguard our systems, we may still be vulnerable to a security breach, intrusion, or loss or theft of personal or sensitive data, which may harm our business, reputation and future financial results. The lost revenue and containment, remediation, investigation, legal and other costs could be significant and may exceed our insurance policy limits or may not be covered by insurance at all. Further, we may be subject to regulatory enforcement actions and litigation that could result in financial judgments or the payment of

settlement amounts and disputes with insurance carriers concerning coverage. In addition, sufficient insurance coverage may become increasingly expensive to maintain as incidents increase globally.

Our risk management efforts may not be effective to prevent fraudulent activities by our customers, FlyMates or other third parties, which could expose us to material financial losses and liability and otherwise harm our business.

Our software provides payment facilitation solutions for a large number of our clients and their customers. We are responsible for performing KYC reviews of our clients, sanctions screening their customers, and monitoring transactions for fraud. We have been and may continue to be targeted by parties who seek to commit acts of financial fraud using techniques such as stolen identities and bank accounts, compromised business email accounts, employee or insider fraud, account takeover, false applications, and fake invoicing. We may suffer losses from acts of financial fraud committed by our clients, our clients’ customers and purported customers, our FlyMates and payment partners or third parties.

The techniques used to perpetrate fraud are continually evolving and we may not be able to identify all risks created by new solutions or functionality. Our risk management policies, procedures, techniques, and processes may not be sufficient to identify all of the risks to which we are exposed, to enable us to prevent or mitigate the risks we have identified, or to identify additional risks to which we may become subject in the future. Furthermore, our risk management policies, procedures, techniques, and processes may contain errors or our FlyMates or agents may commit mistakes or errors in judgment as a result of which we may suffer large financial losses. The software-driven and highly automated nature of our solutions could enable criminals and those committing fraud to steal significant amounts of money accessing our solutions. As greater numbers of our clients' customers use our solutions, and we serve clients in industries that are at higher risk for fraudulent activity, our exposure to material risk losses from a single client, or from a small number of clients, will increase. In addition, our clients or their customers may suffer losses from acts of financial fraud by third parties posing as us through account takeover, credential harvesting, use of stolen identities and various other techniques, which could harm our reputation, consume significant time of our compliance, security and client relations teams to investigate and remediate, or prompt us to reimburse our clients for such losses in order to maintain client business relationships.

Our current business, the changing and uncertain economic, geopolitical and regulatory environment, and our anticipated domestic and international growth will continue to place significant demands on our risk management and compliance efforts. As our business grows and becomes more complex, we will need to continue developing and improving and investing in our risk management infrastructure, policies, procedures, techniques, and processes. As techniques used to perpetrate fraud on our solutions evolve, we may need to modify our solutions to mitigate fraud risks. As our business grows and becomes more complex, we may be less able to forecast and carry appropriate reserves in our books for fraud related losses. Further, these types of fraudulent activities targeting our solutions can also expose us to civil and criminal liability, governmental and regulatory sanctions as well as potentially cause us to be in breach of our contractual obligations to our clients and partners.

If we fail to adapt and respond effectively to rapidly and significantly changing technology, evolving industry standards, changing regulations, and changing business needs, requirements, or preferences, or if we fail to continue to grow and develop our payments solutions, our business may be materially and adversely affected.

Our future success depends in large part on the continued growth and development of our payments solutions. If such activities are limited, restricted, curtailed or degraded in any way, or if we fail to continue to grow and develop our payments solutions, our business may be materially and adversely affected. The market for payments enablement solutions is relatively new and subject to changes in technology, regulatory regimes, industry standards, payment methods, regulations and client and customer needs. Rapid and significant technological changes, evolving industry standards, changing regulations and business needs continue to confront the verticals in which we operate, including developments in digital banking, open banking, mobile financial apps, as well as developments in cryptocurrencies and in tokenization (e.g., replacing sensitive data such as payment card information) with symbols (tokens) to keep the data safe), blockchain, and artificial intelligence, including machine learning. The success of our business will depend, in part, on our ability to adapt and respond effectively to these changes through methods which include launching new solutions and incorporating new technologies, such as generative artificial intelligence, into our solutions.

The success of any new product and service, or any enhancements or modifications to existing solutions, depends on several factors, including the timely completion, introduction, and market acceptance of such solutions, enhancements, and modifications. Our engineering and software development teams operate in different locations across the globe (including teams in Spain, Romania, the United States, Israel and Australia), which can create logistical challenges. If we

are unable to effectively coordinate with our global technology and development teams to enhance our solutions, add new payment methods or develop new solutions that keep pace with technological and regulatory changes to achieve market acceptance, or if new technologies emerge that are able to deliver competitive solutions that are more effective, secure, convenient or cost effective than our solutions, our business, operating results, and financial condition would be adversely affected. Furthermore, modifications to our existing solutions or technology will increase our technology and development expenses. Any failure of our solutions to operate effectively with existing or future network solutions and technologies could reduce the demand for our solutions, result in clients or clients' customer dissatisfaction and adversely affect our business.

Artificial intelligence presents risks and challenges that can impact our business including by posing security risks to our confidential information, proprietary information, and personal data.

Issues in the development and use of artificial intelligence, combined with an uncertain regulatory environment, may result in reputational harm, liability, or other adverse consequences to our business operations. As with many technological innovations, artificial intelligence presents risks and challenges that could impact our business. We may adopt and integrate generative artificial intelligence tools into our systems for specific use cases reviewed by legal and information security. Our vendors may incorporate generative artificial intelligence tools into their offerings without disclosing this use to us, and the providers of these generative artificial intelligence tools may not meet existing or rapidly evolving regulatory or industry standards with respect to privacy and data protection and may inhibit our or our vendors’ ability to maintain an adequate level of service and experience. If we, our vendors, or our third-party partners experience an actual or perceived breach or privacy or security incident because of the use of generative artificial intelligence, we may lose valuable intellectual property and confidential information and our reputation and the public perception of the effectiveness of our security measures could be harmed. Further, bad actors around the world use increasingly sophisticated methods, including the use of artificial intelligence, to engage in illegal activities involving the theft and misuse of personal information, confidential information, and intellectual property. Any of these outcomes could damage our reputation, result in the loss of valuable property and information, and adversely impact our business.

Changes to payment card networks fees or rules could harm our business.

We are required to comply with Mastercard, American Express, and Visa payment card network operating rules and the rules of other regional card (such as China UnionPay or JCB) or payment providers, in connection with our solutions. We have agreed to reimburse our merchant acquirers for any fines they are assessed by payment card networks as a result of any rule violations by us. We may also be directly liable to the payment card networks for rule violations. The payment card networks set and interpret the card operating rules. The payment card networks could adopt new operating rules or interpret or reinterpret existing rules that we or our processors might find difficult or even impossible to follow, or costly to implement. For example, the card networks could adopt new rules or reinterpret existing rules to substantially modify how we offer credit card payment methods to our clients, or impose new fees or costs that could negatively impact our margins. Card networks also could modify security or fraud detection methodologies that could have a downstream impact on our business, and force us to change our solutions, payment experience or security protocols, which may increase our operating costs. We also may seek to introduce other card-related solutions in the future, which would entail additional operating rules. As a result of any violations of rules, new rules being implemented, or increased fees, we could lose our ability to offer certain cards as a payment method to our clients’ customers, or such payments could become prohibitively expensive for us or for our clients. Additionally, from time to time, card networks, including Visa and Mastercard, increase the fees that they charge processors. We could attempt to pass these increases along to our clients and their customers, but this strategy might result in the loss of clients to our competitors who do not pass along the increases. If competitive practices prevent us from passing along the higher fees to our clients and their customers in the future, we may have to absorb all or a portion of such increases, which may increase our operating costs and reduce our profit margins. If we are unable to offer credit cards as a payment method to our clients’ customers, our business would be adversely affected.

If we do not or cannot maintain the compatibility of our solution with evolving software solutions used by our clients, or the interoperability of our solutions with those of our third-party payment providers, payment networks and key software vendors, our business may be materially and adversely affected.

Our solutions integrate with ERP systems, such as Ellucian Company, L.P. in education, Epic Systems Corporation in healthcare, Rezdy Pty Ltd in travel and Oracle Corporation in B2B payments. We automatically synchronize suppliers, clients, client customers, invoices, and payment transactions between our solutions and these systems. This two-way sync eliminates duplicate data entry and provides the basis for managing cash-flow through an integrated solution for accounts receivable, and payments.

In addition, we are subject to certain standard terms and conditions with these partners. These partners have broad discretion to change their terms of service and other policies, and those changes may be unfavorable to us. Therefore, we believe that maintaining successful partnerships with these providers is critical to our future success.

We also rely on our proprietary global payment network comprised of leading global, regional and local banks and technology and payment partners. If we do not or cannot maintain the interoperability of their products or services or the products or our key software vendors that are integral to our solutions, our business may be materially and adversely affected. These third parties periodically update and change their systems, and although we have been able to adapt our solutions to their evolving needs in the past, there can be no guarantee that we will be able to do so in the future. In particular, if we are unable to adapt to such changes, we may not be able to utilize these strategic partners and we may lose access to large numbers of clients as a result.

If any of the third party software providers change the features of their APIs, discontinue their support of such APIs, restrict our access to their APIs, or alter the terms governing their use in a manner that is adverse to our business, we will not be able to provide synchronization capabilities, which could significantly diminish the value of our solutions and harm our business, operating results, and financial condition.

If we fail to maintain, protect and enhance our brand, our ability to expand our client base will be impaired and our business, operating results, and financial condition may suffer.

We believe that further developing, maintaining, protecting and enhancing our brand domestically and on a global basis is important to support the marketing and sale of our existing and future solutions to new clients and to attracting additional and strategic partners. Successfully further developing, maintaining and enhancing our brand will depend largely on the effectiveness of our marketing and demand generation efforts, our ability to provide reliable and seamless solutions that continue to meet the needs of our clients and their customers at competitive prices, our ability to maintain our clients’ trust, our ability to continue to develop new functionality, solutions, and our ability to successfully differentiate solutions from competitive solutions. Our brand promotion activities may not generate client awareness or yield increased revenue, and even if they do, any increased revenue may not offset the expenses we incur in building our brand. If we fail to successfully promote and maintain our brand or if we incur excessive expenses in this effort, our business could suffer.

The introduction and promotion of new solutions, as well as the promotion of existing solutions, may be partly dependent on our visibility on third-party advertising platforms, such as Google, LinkedIn, Facebook, or X. Changes in the way these platforms operate or changes in their advertising prices, data use practices or other terms could make the maintenance and promotion of our products and services and our brands more expensive or more difficult. If we are unable to market and promote our brands on third-party platforms effectively, our ability to acquire new clients would be materially harmed.

Harm to our brand can arise from many sources, including failure by us or our partners and service providers to satisfy expectations of service and quality; inadequate protection or misuse of sensitive information; fraud committed by third parties using our solutions; compliance failures and claims; litigation, regulatory and other claims; errors caused by us or our partners; and misconduct by our partners, service providers, or other counterparties. In addition, negative statements about us can cause and have caused a decline in the market price of our common stock, divert our management’s attention and resources, and could cause other adverse impacts to our business. Partners with whom we maintain relationships could engage in behavior or use their platforms to communicate directly with our clients and their customers in a manner that reflects poorly on our brand and such behavior or communications may adversely affect us. Further, negative publicity or commentary regarding the partners who are, or are perceived to be, affiliated with us may also damage our reputation, even if the negative publicity or commentary is not directly related to us. Any negative publicity about the industries we operate in or our company, the quality and reliability of our solutions, our risk management processes, changes to our products and services, our ability to effectively manage and resolve customer complaints, our privacy, data protection, and information security practices, litigation, regulatory activity, policy positions, and the experience of our customers with us, our products or services could adversely affect our reputation and the confidence in and use of our solutions. If we do not successfully maintain, protect or enhance our brands, our business could be materially and adversely affected.

If we lose key members of our management team or are unable to attract and retain executives and employees we need to support our operations and growth, our business may be harmed.

Our success and future growth depend upon the continued services of our management team and other key employees. Our Chief Executive Officer, Michael Massaro, and our President and Chief Operating Officer, Rob Orgel, are critical to our overall management, as well as the continued development of our solutions, strategic partnerships, culture,

relationships with financial institutions, and strategic direction. From time to time, there may be changes in our management team resulting from the hiring or departure of executives and key employees, which could disrupt our business. Our senior management and key employees are employed on an at-will basis. In August 2023, we announced that Michael Ellis, our Chief Financial Officer, would be transitioning from such position in 2024, and we recently announced the appointment of Cosmin Pitigoi as our new Chief Financial Officer to join in March 2024. This or other changes in our senior management may be disruptive to our business, and, if we are unable to manage an orderly transition, our business may be adversely affected. We currently have “key person” insurance on our Chief Executive Officer, Michael Massaro, but not for any of the other members of our management team. Certain of our key employees have been with us for a long period of time and have fully vested stock options or other long-term equity incentives that are or may become valuable and are publicly tradable subject to Rule 144 limitations, which may reduce the incentive for each of these key employees to remain at our Company. We cannot ensure that we will be able to retain the services of any members of our senior management or other key employees or that we would be able to timely replace members of our senior management or other key employees should any of them depart. The loss of our Chief Executive Officer, or our President and Chief Operating Officer, or one or more of our senior management, or other key employees could harm our business, and we may not be able to find adequate replacements.

The failure to attract and retain additional qualified personnel could prevent us from executing our business strategy and growth plans.

To execute our business strategy, we must attract and retain highly qualified personnel. Competition for executive officers, software developers, compliance and risk management personnel and other key employees in our industry and locations is intense and increasing, especially in the U.S., where wage inflation has been increasing. We compete with many other companies for software developers with high levels of experience in designing, developing, and managing payment systems, as well as for skilled legal and compliance and risk operations professionals. Many of the companies with which we compete for experienced personnel have greater resources than we do and can frequently offer such personnel substantially greater compensation than we can offer. If we fail to identify, attract, develop and integrate new personnel, or fail to retain and motivate our current personnel, our growth prospects would be adversely affected.

If we cannot maintain our company culture as we grow, our success and our business may be harmed.

We believe our culture has been a key contributor to our success to date and that the critical nature of the solutions that we provide promotes a sense of greater purpose and fulfillment in our FlyMates. Any failure to preserve our culture could negatively affect our ability to retain and recruit personnel, which is critical to our growth, and to effectively focus on and pursue our corporate objectives. As we grow and develop the infrastructure of a public company, we may find it difficult to maintain these important aspects of our culture. If we fail to maintain our culture, our business and competitive position may be adversely affected.

Our sales cycles may be long and vary.

We devote significant resources to establish relationships with new clients and deepen relationships with existing clients. The sales cycles of our solutions tend to vary depending on the client industry sector which may make forecasting more complex and uncertain.

In addition, sales and sale cycles may be based in part or entirely on factors, or perceived factors, not directly related to the features of our solutions, including, among others, a client or prospective client’s projection of business growth, uncertainty about economic conditions (including as a result of increased inflationary conditions, recession concerns and the escalation of hostilities between Russia and Ukraine, and Israel and Hamas), capital budgets, anticipated cost savings from the implementation of our solution, potential preference for internally-developed software solutions, perceptions about our business and solutions, more favorable terms offered by potential competitors, and previous technology investments. Mid-market and large enterprises tend to have more complex operating environments than smaller businesses, making it often more difficult and time-consuming for us to demonstrate the value of our solutions to prospective clients. The decision to use our solutions may also be an enterprise-wide decision, and require us to provide greater levels of education regarding the use and benefits of our solutions, which may result in additional time, effort, and money spent on our sales cycle without any assurance that our efforts will be successful in generating any sales. Often, major hospital systems and national or state higher education systems will solicit service offers by issuing RFPs, which are generally a time- and resource-intensive process, with no assurances of being selected as a vendor after the RFP process is completed. Additionally, large enterprises typically have longer implementation cycles, especially hospital and education systems, require greater product functionality and scalability and a broader range of services, demand that vendors take on a larger share of risks, sometimes require longer testing periods that delay general availability of our solutions, and expect greater payment flexibility from vendors. All of these factors can add further risk to

business conducted with these clients. If we fail to realize an expected sale from a large end-client in a particular quarter or at all, our business, operating results, and financial condition could be materially and adversely affected.

In addition, we may face unexpected deployment challenges with enterprise clients. It may be difficult to deploy our software solutions if a client has unexpected database, hardware or software technology issues, or if a client insists on a more customized or unique solution that is time intensive or that we have little prior experience in delivering. Decisions on timing of deployments may also be impacted by cost and availability of personnel. Any difficulties or delays in the initial implementation could cause clients to reject our solutions or lead to the delay or non-receipt of future orders, in which case our business, operating results and financial condition would be harmed.

We typically incur significant upfront costs in our client relationships, and if we are unable to develop or grow these relationships over time, we are unlikely to recover these costs and our operating results may suffer.

We devote significant resources to establish relationships with new clients and deepen relationships with existing clients. Our sales cycle for our solutions can be variable, typically ranging from three to nine months from initial contact to contract execution. However, there is potential for our sales cycle to extend beyond three to nine months. During the period of our sales cycle, our efforts involve educating our clients about the use, technical capabilities and benefits of our solutions. Our operating results depend in substantial part on our ability to deliver a successful client experience and persuade our clients to grow their relationship with us over time. As we expect to grow rapidly, our client acquisition costs could outpace our build-up of recurring revenue, and we may be unable to reduce our total operating costs through economies of scale such that we are unable to achieve or maintain profitability. Any increased or unexpected costs or unanticipated delays, including delays caused by factors outside of our control, could cause our operating results to suffer.

If we fail to offer high-quality client support, or if our support is more expensive than anticipated, our business and reputation could suffer.

Our clients and their customers rely on our support services to resolve issues and realize the full benefits provided by our solutions. High-quality support is also important for the expansion of the use of our solutions with existing clients and their customers. We provide multilingual support over chat, email or via telephone. The number of our clients, and the number of their customers utilizing our solutions, has grown significantly and such growth, as well as any future growth, will put additional pressure on our client service organization. If we do not help our clients and their customers quickly resolve issues and provide effective ongoing support, or if our support personnel or methods of providing support are insufficient to meet the needs of our clients and their customers, our ability to retain clients and their customers and acquire new clients and customers could suffer, and our reputation with existing or potential clients could be harmed. Providing an exceptional client experience requires significant time and resources from our client service team. Therefore, failure to scale our client service organization adequately may adversely impact our business results and financial condition.

In addition, as we continue to operate and grow our operations and continue to expand to new jurisdictions, we need to be able to provide efficient client service that meets our clients’ needs globally at scale. In geographies where we sell through our channel partners, if we are unable to provide a high quality client experience tailored to the language and culture of the applicable jurisdiction, our business operations and reputation may suffer.

We may require additional capital to support the growth of our business, and this capital might not be available on acceptable terms, if at all.

We have funded our operations since inception primarily through equity and debt financings, sales of our solutions, and fees. We cannot be certain when or if our operations will generate sufficient cash to fully fund our ongoing operations or the growth of our business. We intend to continue to make investments to support our business, which may require us to engage in equity or debt financings to secure additional funds. Additional financing may not be available on terms favorable to us, if at all. If adequate funds are not available on acceptable terms, we may be unable to invest in future growth opportunities, which could harm our business, operating results, and financial condition. If we incur additional debt, the debt holders would have rights senior to holders of common stock to make claims on our assets, and the terms of any debt could restrict our operations, including our ability to pay dividends on our common stock. Furthermore, if we issue additional equity securities, stockholders will experience dilution, and the new equity securities could have rights senior to those of our common stock. Because our decision to issue securities in the future will depend on numerous considerations, including factors beyond our control, we cannot predict or estimate the amount, timing, or nature of any future issuances of debt or equity securities. As a result, our stockholders bear the risk of future issuances of debt or equity securities reducing the value of our common stock and diluting their interests.

Our business could be harmed as a result of the risks associated with our acquisitions.

As part of our business strategy, we have in the past and intend to continue to seek to acquire or invest in businesses, products or technologies that could complement or expand our business, enhance our technical capabilities or otherwise offer growth opportunities by providing us with additional intellectual property, client relationships and geographic coverage. The pursuit of potential acquisitions may divert the attention of management and cause us to incur various expenses in identifying, investigating, and pursuing suitable acquisitions, whether or not such acquisitions are completed. In addition, we can provide no assurances that we will be able to find and identify desirable acquisition targets or that we will be successful in entering into a definitive agreement with any one target. In addition, even if we reach a definitive agreement with a target, there is no assurance that we will complete any future acquisition or if we do acquire additional businesses, we may not be able to integrate them effectively following the acquisition or effectively manage the combined business following the acquisition.

Any acquisitions we undertake or have recently completed, including the acquisitions of StudyLink in November 2023 and Cohort Go in July 2022, will likely be accompanied by business risks which may include, among other things:

These factors could harm our business, results of operations or financial condition.

In addition to the risks commonly encountered in the acquisition of a business or assets as described above, we may also experience risks relating to the challenges and costs of closing a transaction. The risks described above may be exacerbated as a result of managing multiple acquisitions at once.

Systems failures and resulting interruptions in the availability of our solutions could harm our business.

Our systems and those of our service providers and partners have experienced from time to time, and may experience in the future, service interruptions or degradation because of hardware and software defects or malfunctions, distributed denial-of-service and other cyberattacks, insider threats, human error, earthquakes, hurricanes, floods, fires, and other natural disasters, including events resulting from climate change, war or other military conflict, including an escalation of the conflicts between Russia and Ukraine, and Israel and Hamas, respectively, power losses, disruptions in telecommunications services, fraud, computer viruses or other malware, or other events. Some of our systems are not fully redundant, and our disaster recovery planning may not be sufficient for all possible outcomes or events. In addition, as a provider of payments solutions targeted to highly regulated clients in industries such as education and healthcare, we are subject to heightened scrutiny by regulators that may require specific business continuity, resiliency and disaster

recovery plans, and more rigorous testing of such plans, which may be costly and time-consuming to implement, and may divert our resources from other business priorities.

A prolonged interruption in the availability, speed, or functionality of our solutions or payment methods could materially harm our business. Frequent or persistent interruptions in our solutions could cause current or potential clients and their customers to believe that our systems are unreliable, leading them to switch to our competitors or to avoid or reduce the use of our solutions, and could permanently harm our reputation and brand. Moreover, if any system failure or similar event results in damages to our clients or their customers and business partners, these clients, customers or partners could seek significant compensation or contractual penalties from us for their losses, and those claims, even if unsuccessful, would likely be time-consuming and costly for us to address.

We have undertaken and continue to make certain technology and network upgrades and redundancies which are designed to improve the reliability of our solutions. These efforts are costly and time-consuming, involve significant technical risk and may divert our resources from new features and solutions, and there can be no guarantee that these efforts will succeed. Because we are a regulated payments institution in certain jurisdictions, frequent or persistent interruptions could lead to regulatory scrutiny, significant fines and penalties, and mandatory and costly changes to our business practices, and ultimately could cause us to lose existing licenses that we need to operate or prevent or delay us from obtaining additional licenses that may be required for our business.

We use public cloud hosting with AWS and depend on AWS’ ability to protect their data centers against damage or interruption from natural disasters, power or telecommunications failures, criminal acts, and similar events. Our operations depend on protecting the cloud infrastructure hosted by AWS by maintaining the configuration, architecture, and interconnection specifications, as well as the information stored in these virtual data centers and transmitted by third-party internet service providers. In limited occasions, we have experienced service disruptions in the past, and may experience interruptions or delays in our solutions in the future. We may also incur significant costs for using alternative equipment or taking other actions in preparation for, or in reaction to, events that damage the data storage services we use. Although we have disaster recovery plans that utilize various data storage locations, any incident affecting our data storage or internet service providers’ infrastructure that may be caused by fire, flood, severe storm, earthquake, power loss, telecommunications failures, unauthorized intrusion, computer viruses and disabling devices, natural disasters, war or other military conflict, including an escalation of the conflict between Russia and Ukraine, terrorist attacks, negligence, and other similar events beyond our control could negatively affect our solutions. Any prolonged service disruption affecting our solutions could damage our reputation with current and potential clients, expose us to liability, cause us to lose clients, or otherwise harm our business. In the event of damage or interruption to our solutions, our insurance policies may not adequately compensate us for any losses that we may incur.

In addition, we may experience financial losses due to a number of factors, including:

Our solutions are accessed by many of our clients and their customers, often at the same time. As we continue to expand the number of clients that we serve and solutions that we are able to offer to our clients and their customers, we may not be able to scale our technology to accommodate the increased capacity requirements, which may result in interruptions or delays in service. In addition, the failure of data centers, internet service providers, or other third-party service providers to meet our capacity requirements could result in interruptions or delays in access to our solutions or impede our ability to grow our business and scale our operations. If our third-party infrastructure service agreements are terminated, or there is a lapse of service, interruption of internet service provider connectivity, or damage to data centers,

we could experience interruptions in access to our solutions as well as delays and additional expense in arranging new facilities and services.

We also rely on components, applications, and services supplied by third parties, including payment service providers and merchant acquirer partners which subjects us to risks. If these third parties experience operational interference or disruptions, breach their agreements with us, fail to perform their obligations and meet our expectations, or experience a cybersecurity incident, our operations could be disrupted or otherwise negatively affected, which could result in client dissatisfaction, regulatory scrutiny, and damage to our reputation and brand, and materially and adversely affect our business.

In addition, we are continually improving and upgrading our systems and technologies. Implementation of new systems and technologies is complex, expensive, and time-consuming. If we fail to timely and successfully implement new systems and technologies, or improvements or upgrades to existing information systems and technologies, or if such systems and technologies do not operate as intended, this could have an adverse impact on our business, internal controls (including internal controls over financial reporting), results of operations, and financial condition.

Risks Related to Our Legal, Regulatory and Compliance Landscape

We currently handle cross-border and domestic payments and plan to expand our solutions to new clients, to accept and settle payments in new countries and in new currencies, and to increase our global network to allow us to offer local and alternative payment methods, creating a variety of operational challenges; additionally, our domestic and international operations subject us to increased risks, which could harm our business.

Our business is subject to risks inherent in conducting business globally, including cross-border payments and domestic payments in the United States and certain other markets. Our handling of domestic and cross-border payments to our clients generates a significant portion of our revenues, with a substantial portion of such revenues coming from payments processed from Asia (including India, China and Korea). We expect that international revenues will continue to account for a significant percentage of total net revenues for the foreseeable future, and that in particular, the proportion of our revenue from Asia will continue to increase. Current events, including the possibility of renegotiated trade deals and international tax law treaties, United States-China and Canada-India diplomatic and trade friction, heightened tensions between China and Taiwan and the escalation of the conflicts between Russia and Ukraine, and Israel and Hamas, respectively, create a level of uncertainty, and potentially increased complexity, for multinational companies. These uncertainties could have a material adverse effect on our business and our results of operations and financial condition. In addition, international operations are subject to various risks which could have a material adverse effect on those operations or our business as a whole, including:

Foreign operations may also expose us to political, social, regulatory and economic uncertainties affecting a country or region, or to political hostility to investments by foreign or private equity investors. Many financial markets are not as developed or as efficient as those in the United States, and as a result, liquidity may be reduced and price volatility may be higher in those markets than in more developed markets. The legal and regulatory environment may also be different, particularly with respect to bankruptcy and reorganization, and may afford us less protection as a creditor than we may be entitled to under U.S. law. Financial accounting standards and practices may differ, and there may be less publicly available information in respect of such companies.

Restrictions imposed or actions taken by foreign governments could include exchange controls, seizure or nationalization of foreign deposits and adoption of other governmental restrictions which adversely affect the prices of securities or the ability to repatriate profits. For instance, we process a substantial amount of payments from China. The Chinese government imposes controls on the convertibility of the Renminbi the currency of China, into foreign currencies and, in certain cases, the remittance of currency out of China. The Chinese government may at its discretion further restrict access in the future to foreign currencies for current account transactions, or impose regulatory requirements that may require modifications to our business model for our clients' payors located in China. In addition, income received by us from sources in some countries may be reduced by withholding and other taxes. Any such taxes paid by us will reduce the net income or return from such investments. While we will take these factors into consideration in making investment decisions, including when hedging positions, no assurance can be given that we will be able to fully avoid these risks or generate sufficient risk-adjusted returns.

Violations of the complex foreign and U.S. laws, rules and regulations that apply to our cross-border operations may result in fines, criminal actions, or sanctions against us, our officers, or FlyMates; prohibitions on the conduct of our business; and damage to our reputation. Although we have implemented policies and procedures designed to promote

compliance with these laws, there can be no assurance that our FlyMates, contractors, or agents will not violate our policies. These risks are inherent in our cross-border operations and expansion, may increase our costs of doing business internationally, and could harm our business.

Payments and other financial services-related regulations and oversight are material to our business. Our failure to comply could materially harm our business.

The local, state, and federal laws, rules, regulations, licensing schemes, and industry standards in the United States and other jurisdictions in which we operate that govern our business include, or may in the future include, those relating to consumer finance and consumer protection, cross-border and domestic money transmission, foreign exchange, payments services (such as money transmission, payment processing, and settlement services), AML and CFT, escheatment, international sanctions regimes, and compliance with the PCI DSS. These laws, rules, regulations, licensing schemes, and standards are enforced by multiple authorities and governing bodies in the United States, including the Department of the Treasury, the Federal Deposit Insurance Corporation, the SEC, CFPB, the Federal Trade Commission, self-regulatory organizations, and numerous state and local regulators and law enforcement agencies. Our clients also have their own regulatory obligations, and they expect our solutions to comply with the regulatory requirements that are applicable to their businesses. For additional discussion about the regulatory environment that we and our clients operate in, please see “Business–Regulation and Industry Standards”. As we expand into new jurisdictions, the number of foreign laws, rules, regulations, licensing schemes, and standards governing our business will expand as well. In addition, as our business and solutions continue to develop and expand, we may become subject to additional laws, rules, regulations, licensing schemes, and standards. We may not always be able to accurately predict the scope or applicability of certain laws, rules, regulations, licensing schemes, or standards to our business, particularly as we expand into new areas of operations, which could have a significant negative effect on our existing business and our ability to pursue future plans.

Certain of our subsidiaries are registered with FinCEN. Our subsidiary Flywire Global Corp. has obtained licenses to operate as a money transmitter (or the statutory equivalent) in 42 U.S. jurisdictions, and is in the process of applying for a license in, to the best of our knowledge, all U.S. states and territories where such licensure or registration is required in order to be able to offer additional business lines in the future. As a licensed money transmitter, we are (and in the states where we are awaiting licensure, will be) subject to obligations and restrictions with respect to the investment of client funds, reporting requirements, bonding requirements, minimum capital requirements, and inspection by state regulatory agencies concerning various aspects of our business. Evaluation of our compliance efforts, as well as the questions of whether and to what extent our solutions are considered money transmission, are matters of regulatory interpretation and could change over time. In addition, there are substantial costs involved in maintaining and renewing our licenses, certifications, and approvals, and we could be subject to fines or other enforcement action if we are found to violate disclosure, reporting, AML, CFT, capitalization, corporate governance, or other requirements of such licenses.

If we fail to predict how a U.S. law or regulation or a law or regulation from another jurisdiction in which we operate will be applied to us, we could be subject to additional licensure requirements and/or administrative enforcement actions. This could also require changes to the manner in which we conduct some aspects of our business or potential product changes, and require us to pay fines, penalties, or compensation to clients for past non-compliance. At the federal level, we are registered as a MSB with FinCEN. For additional discussion of the requirements of our MSB registration, please see “Business – Regulation and Industry Standards.” At the state level, we rely on various exemptions from state money transmitter licensing requirements, and regulators may find that we have violated applicable laws or regulations because we are not licensed or registered as a money transmitter in all of the U.S. jurisdictions we service. We believe, based on our business model, that we have valid exemptions from licensure under various state money transmission laws, either expressly as a payment processor or agent of the payee, or pursuant to common law as an agent of the payee. While we believe we have defensible arguments in support of our positions under the state money transmission statutes, we have not expressly obtained confirmation of such positions from the state banking departments who administer the state money transmission statutes. It is possible that certain state banking departments may determine that our activities are not exempt. Any determination that we are in fact required to be licensed under the money transmission statute of a state where we are not yet licensed may require substantial expenditures of time and money to remediate and could lead to liability in the nature of penalties or fines, costs, legal fees, reputational damage or other negative consequences. We could be required to cease operations in some or all of the U.S. jurisdictions we service and where we are not yet licensed, which determination would have a materially adverse effect on our business, including our financial condition, operating results, and reputation. In the past, certain competitors have been found to violate laws and regulations related to money transmission, and they have been subject to fines and other penalties by regulatory authorities.

The adoption of new money transmitter or MSB statutes in jurisdictions or changes in regulators’ interpretation of existing state and federal money transmitter or MSB statutes or regulations could subject us to new registration or

licensing requirements. There can be no assurance that we will be able to obtain or maintain any such licenses in all of the jurisdictions we service, and, even if we were able to do so, there could be substantial costs and potential product changes involved in maintaining such licenses, which could have a material and adverse effect on our business. These factors could impose substantial additional costs, involve considerable delay to the development or provision of our solutions, require significant and costly operational changes, or prevent us from providing our solutions in any given market.

The regulatory environment in which we operate is subject to constant change, and new regulations could make aspects of our business as currently conducted no longer possible.

In the future, as a result of the regulations applicable to our business, we could be subject to investigations and resulting liability, including governmental fines, restrictions on our business, or other sanctions, and we could be forced to cease conducting certain aspects of our business with residents of certain jurisdictions, be forced to change our business practices in certain jurisdictions, or be required to obtain additional licenses or regulatory approvals. For example, because a majority of voters in the U.K. approved an exit from the E.U. (commonly referred to as Brexit), we were required to obtain a license from a member state of the EEA which would allow us to continue to provide our solutions to clients located in the EEA under a principle known as “passporting”. We were able to obtain a license as an authorized payment institution from the Bank of Lithuania in September 2019 and subsequently obtained the right to passport our solutions to other EEA member states.

Government agencies may impose new or additional rules on money transmission, which may increase our costs of doing business, including, but not limited to regulations that:

We are subject to governmental laws and requirements regarding economic and trade sanctions, AML and CFT that could impair our ability to compete in international markets or subject us to criminal or civil liability if we violate them.

We are currently required to comply with U.S. economic and trade sanctions administered by OFAC and we have processes in place to comply with the OFAC regulations as well as similar requirements in the foreign jurisdictions in which we already operate. As part of our compliance efforts, we scan our clients and their customers against watch lists promulgated by OFAC and certain other international agencies. Our application can be accessed from nearly anywhere in the world, and if our service is accessed from a sanctioned country or otherwise accessed or used in violation of applicable trade and economic sanctions, we could be subject to fines or other enforcement actions. In the course of

implementing geolocation data-based sanctions screening measures, we identified certain payments which, based on geolocation data, appear to have been initiated from Cuba, Iran, or Syria, in potential violation of applicable sanctions regimes. We have made a voluntary submission to OFAC to report the potential violations. Although the internal investigation completed to date suggests that any loss incurred as a result of this matter would not be material to our business, if OFAC ultimately concludes any violation has occurred in connection with these or other transactions, it could result in penalties, fines, costs, and restrictions on our ability to do business, which could also harm our operating results.

We are also subject to various AML and CFT laws and regulations around the world that prohibit, among other things, our involvement in transferring the proceeds of criminal or terrorist activities. In the United States, most of our solutions are subject to AML laws and regulations, including the BSA, and similar laws and regulations. The BSA, among other things, requires MSBs to develop and implement risk-based AML programs, to report large cash transactions and suspicious activity, and in some cases, to collect and maintain information about clients who use their services and maintain other transaction records. Regulators and third-party auditors have identified gaps in how similar businesses have implemented AML programs, and we could likewise be subject to significant fines, penalties, inquiries, audits, investigations, enforcement actions, and criminal and civil liability if our AML program is found to be insufficient by a regulator.

Our business operations in other parts of the world such as the U.K., Lithuania, Canada, Australia, New Zealand and Singapore are subject to similar laws and requirements. Regulators in the United States and globally continue to increase their scrutiny of compliance with these obligations, which may require us to further revise or expand our compliance program, including the procedures we use to verify the identity of our clients and to monitor transactions on our system, including payments to persons outside of the United States. Regulators regularly re-examine the transaction volume thresholds at which we must obtain and keep applicable records or verify identities of clients, and any change in such thresholds could result in greater costs for compliance. Similarly, as a condition to doing business with us, our banking and other strategic partners also impose ongoing obligations on us related to AML and CFT and sanctions screening. Any failure on our part to maintain the necessary processes and policies to comply with these regulations and requirements, or to adapt our processes and policies to changes in laws, would subject us to penalties, fines, or loss of key relationships which would have a material adverse effect on our business and results of operations. Furthermore, government sanctions imposed with respect to Russia's invasion of Ukraine in early 2022 are impacting our ability to offer our services in the region, and additional sanctions could be imposed in the future. Further instability or tension in Russia, Ukraine, and the surrounding region could also cause us to adjust our operating model, which would increase our costs of operations.

Any actual or perceived failure to comply with governmental regulation and other legal obligations, particularly those related to privacy, data protection, and information security, could harm our business. Compliance with such laws could also result in additional costs and liabilities to us or inhibit sales of our solutions.

Our clients and their customers store personal and business information, financial information and other sensitive information through our solutions. In addition, we collect, store, and process personal and business information and other data from and about actual and prospective clients, their customers, our FlyMates and our service providers and other business partners, as well as their personnel. Our handling of data is subject to a variety of laws and regulations, including regulation by various government agencies, such as the U.S. Federal Trade Commission (FTC), and various state, local, and foreign agencies. Our data handling is also subject to contractual obligations and industry standards.

The U.S. federal and various state and foreign governments have adopted or proposed limitations on the collection, distribution, use, and storage of data relating to individuals and businesses, including the use of contact information and other data for marketing, advertising, and other communications with individuals and businesses. In the United States, various laws and regulations apply to the collection, processing, disclosure, and security of certain types of data, including the Electronic Communications Privacy Act, the Computer Fraud and Abuse Act, the Gramm Leach Bliley Act, FERPA, HIPAA, and the now in question E.U.-U.S. and Swiss—U.S. Privacy Shield protections, as well as state laws relating to privacy and data security. Additionally, the FTC and many state attorneys general are interpreting federal and state consumer protection laws as imposing standards for the online collection, use, dissemination, and security of data. For example, California enacted the CCPA, which took effect on January 1, 2020 and became enforceable by the California Attorney General on July 1, 2020, and broadly defines personal information. The CCPA creates new individual privacy rights for consumers (as that term is broadly defined) and places increased privacy and security obligations on entities handling personal data of consumers or households. The CCPA requires covered companies to provide certain disclosures to California consumers about its data collection, use and sharing practices, provide such consumers with ways to opt-out of certain sales or transfers of personal information, provides for civil penalties for violations, and allows for a new private right of action for data breaches that has resulted in an increase in data breach litigation. It remains unclear, however, how the CCPA will be interpreted. As currently written, it will likely impact our business activities and

exemplifies the vulnerability of our business to not only cyber threats but also the evolving regulatory environment related to personal data and protected health information. On August 24, 2022, the California Attorney General announced the entry of a final judgment enforcement action resulting in a fine and settlement under the CCPA, as the defendant was ordered to pay a $1.2 million penalty and, among other things, implement a monitoring and reporting program to demonstrate its ongoing compliance with the CCPA.

Additionally, the California Privacy Rights Act (CPRA), which was passed in November 2020 and became effective on January 1, 2023, imposed additional obligations on companies covered by the legislation and significantly modified the CCPA, including by expanding consumers’ rights with respect to certain sensitive personal information. The CPRA also created a new state agency that will be vested with authority to implement and enforce the CCPA and the CPRA. The effects of the CCPA and the CPRA are potentially significant and may require us to modify our data collection or processing practices and policies and to incur substantial costs and expenses in an effort to comply and increase our potential exposure to regulatory enforcement and/or litigation.

The laws and regulations relating to privacy and data security are evolving, can be subject to significant change, and may result in ever-increasing regulatory and public scrutiny and escalating levels of enforcement and sanctions. The CCPA, in particular, has prompted a number of proposals for new federal and state-level privacy legislation, which could increase our potential liability and adversely affect our business. Several states in the U.S. have proposed or enacted laws that contain obligations similar to the CCPA and CPRA that have taken effect or will take effect in coming years. The U.S. federal government also is contemplating federal privacy legislation. The effects of recently proposed or enacted legislation potentially are far-reaching. Such legislation may add additional complexity, variation in requirements, restrictions and potential legal risk, require additional investment of resources in compliance programs, impact strategies and the availability of previously useful data and could result in increased compliance costs and/or changes in business practices and policies.

Many of the foreign jurisdictions where we or our clients operate or conduct business, including the E.U., have laws and regulations dealing with the collection, use, storage, and disclosure and other handling (collectively, processing) of personal information, which in some cases are more restrictive than those in the U.S. In addition to regulating the processing of personal information within the relevant jurisdictions, these legal requirements often also apply to the processing of personal information outside these jurisdictions, where there is some specified link to the relevant jurisdiction. For example, we have multiple offices in Europe and serves clients and their customers throughout the E.U., where the GDPR went into effect in 2018. The GDPR, which is also the law in Iceland, Norway, Liechtenstein, and—to a large degree—the U.K., has an extensive global reach and imposes robust obligations relating to the processing of personal information, including documentation requirements, greater control for data subjects (e.g., the “right to be forgotten” and data portability), security requirements, notice requirements, restrictions on sharing personal information, data governance obligations, data breach notification requirements, and restrictions on the export of personal information to most other countries. The solutions that we currently offer subject us to many of these laws and regulations in many of the foreign jurisdictions where we operate or conduct business, and these laws and regulations may be modified or subject to new or different interpretations, and new laws and regulations may be enacted in the future.

Legal developments have created compliance uncertainty regarding some transfers of personal information from the U.K. and EEA to locations where we or our clients operate or conduct business, including the United States and potentially Singapore, particularly with respect to cross-border transfers. Under the GDPR, such transfers can take place only if certain conditions apply or if certain data transfer mechanisms are in place. In July 2020, the Court of Justice of the E.U. ruled in its “Schrems II” decision (C-311/18), that the Privacy Shield, a transfer mechanism used by thousands of companies to transfer data between those jurisdictions and United States (and also used by us), was invalid and could no longer be used due to the strength of United States surveillance laws. In September 2020, the Federal Data Protection and Information Commissioner of Switzerland (where the law has a similar restriction on the export of personal information) issued an opinion concluding that the Swiss-U.S. Privacy Shield Framework does not provide an adequate level of protection for data transfers from Switzerland to the United States pursuant to Switzerland’s Federal Act on Data Protection. We and our clients continue to use alternative transfer strategies, including SCCs, while the authorities interpret the Schrems II decision and the validity of alternative data transfer mechanisms. The SCCs, though previously approved by the European Commission, have faced challenges in European courts (including being called into question in the Schrems II decision), and may be further challenged, suspended or invalidated for transfers to some or all countries. For example, guidance regarding Schrems II issued by the European Data Protection Board (which is comprised of representatives from every E.U. member state’s top data protection authority) have cast serious doubt on the validity of SCCs for most transfers of personal information to the United States. At present, there are few if any viable alternatives to the Privacy Shield and the SCCs, so such developments may necessitate further expenditures on local infrastructure,

changes to internal business processes, changes to clients and clients' customer facing solutions, or may otherwise affect or restrict our sales and operations.

On June 4, 2021, the European Commission released the final Implementing Decision on SCCs (New SCCs) for the transfer of personal data from the E.U. to “third countries” such as the US. The New SCCs will repeal and replace the existing SCCs (dating from 2001, 2004 and 2010) and address the entry into force of the GDPR) and the July 2020 decision of the CJEU in Schrems II, which invalidated the E.U.-U.S. Privacy Shield. The New SCCs broadly follow the draft implementing decision on standard contractual clauses (Draft SCCs) issued by the European Commission on November 12, 2020, but there are some material differences. The Draft SCCs’ significant and extensive new requirements for data importers that act as controllers (for example, obligations to give notice to data subjects and to notify personal data breaches to EU authorities) remain, but have been aligned more closely with the GDPR requirements. While the New SCCs are not immediately in force, compliance with them will be required for new transfer agreements entered into from late September 2021. SCCs then in effect were required to be replaced with the New SCCs by December 27, 2022.

On July 10, 2023, the European Commission formally approved the new EU-U.S. Data Privacy Framework (the “Framework”), under which European entities will now be able to transfer personal data to Framework participants in the U.S. without having to put in place additional data protection safeguards or use the Standard Contractual Clauses for data transfers. We are in the process of evaluating how we may self-certify as a participating organization with the U.S. Department of Commerce.

E.U. data protection authorities have the power to impose administrative fines for violations of the GDPR of up to a maximum of €20 million or 4% of a corporate family’s total worldwide global turnover for the preceding fiscal year, whichever is higher. Such penalties are in addition to any civil litigation claims by clients, data subjects or other third parties. We believe that the solutions that we currently offer subject us to the GDPR and other laws and regulations relating to privacy, data protection, and information security, and these may be modified or subject to new or different interpretations in the future. We will need to take steps to address compliance obligations in this rapidly evolving legal environment, but we cannot assure you that we will be able to implement changes in a timely manner or without significant disruption to our business, or that such steps will be effective, and we may face the risk of liability and loss of business.

In addition, further to the U.K. exit from the E.U. on January 31, 2020, the GDPR ceased to apply in the U.K. at the end of the transition period on December 31, 2020. However, as of January 1, 2021, the U.K.’s European Union (Withdrawal) Act 2018 incorporated the GDPR (as it existed on December 31, 2020 but subject to certain U.K. specific amendments) into U.K. law (referred to as the U.K. GDPR). The U.K. GDPR and the U.K. Data Protection Act 2018 set out the U.K.’s data protection regime, which is independent from but aligned to the E.U.’s data protection regime. Non-compliance with the U.K. GDPR may result in monetary penalties of up to £17.5 million or 4% of worldwide revenue, whichever is higher. Like the GDPR, the U.K. GDPR restricts personal data transfers outside the U.K. to countries not regarded by the U.K. as providing adequate protection (this means that personal data transfers from the U.K. to the EEA remain free flowing).

On June 28, 2021, the European Commission adopted an adequacy decision under the GDPR, thereby recognizing that the U.K.’s data protection system continues to provide the same protections with respect to personal data as when it was an EU member state, and enabling the continued exchange of personal data between the E.U. and the U.K. The adequacy decision facilitates the implementation of the E.U.-U.K. Trade Cooperation Agreement, which foresaw the need for bilateral data flow and continued cooperation. The adequacy decision does, however, include a ‘sunset clause’, limiting its duration to four years, at which point the European Commission will need to once again review the safeguards in place in the U.K.’s post-Brexit legal system and decide if the adequacy decision may be renewed.

This lack of clarity on future U.K. laws and regulations and their interaction with E.U. laws and regulations could add legal risk, uncertainty, complexity and cost to our handling of E.U. personal information and our privacy and data security compliance programs. It is possible that over time the U.K. Data Protection Act 2018 could become less aligned with the GDPR, which could require us to implement different compliance measures for the U.K. and the E.U. and result in potentially enhanced compliance obligations for E.U. personal data.

In Asia, there has been an increase in both regulation and enforcement of privacy laws. The Act on Protection of Personal Information originally enacted in June 2020 by the Japanese government, was amended and came into effect on April 1, 2022 (Amended APPI). Since the passage of the Amended APPI, a number of implementing regulations and supporting documents have been released, addressing the requirements for transferring personal data outside Japan, notifying security breaches and creating pseudonymous information exempt from certain obligations under the Amended

APPI. We have taken steps to address compliance obligations that apply to us under the Amended APPI, but cannot assure you that such steps will be effective, and we may face the risk of increased costs, liability and loss of business.

China (home to the most online users in the world) passed its DSL and its PIPL in 2021. The DSL applies to a wide range of data processing activities including, but not limited to, processing personal information. With extraterritorial scope and severe fines and penalties, these laws are set to impose an increasingly complex and comprehensive legal framework for processing personal information when doing business in China. The PIPL is enforced and administered by the Cyberspace Administration of China and relevant state and local government departments. The law draws from the GDPR, with heavy penalties up to the greater of 5% of the previous year’s revenue (possibly global) or $7.7 million. Chinese authorities have demonstrated a willingness to impose significant fines for violations of PIPL and other privacy laws, as evidenced by enforcement actions against Alibaba Group Holding Ltd and Didi Global Inc. in 2022.

As a reaction to data security concerns, in 2022, the Australian parliament approved a bill to amend the country's privacy legislation, significantly increasing the maximum penalties for companies and data controllers who suffer large-scale data breaches to the greater of: (i) AU$50 million, (ii) three times the value of any benefit obtained through the misuse of information, and (iii) 30% of a company's adjusted turnover in the relevant period. Previously, the penalty for severe data exposures was AU$2.22 million, considered by the current parliament to be wholly inadequate to incentivize companies to improve their data security mechanisms. The Office of the Australian Information Commissioner has new regulatory tools and flexibility that should, together with an ongoing focus on funding enforcement, see a more proactive regulator with capacity and capability to investigate and litigate more privacy incidents in Australia.

We have taken steps to address compliance obligations that apply to us under the Amended APPI, the DSL, the PIPL and applicable Australian regulations, but cannot assure you that such steps will be effective, and we may face the risk of increased costs, liability and loss of business.

In addition to government regulation, privacy advocates and industry groups may propose new and different self-regulatory standards that, if adopted, may apply to us, or which clients or clients' customers may require us to adopt. Because the interpretation and application of privacy and data protection laws, regulations, rules, and other standards are still uncertain, it is possible that these laws, rules, regulations, and other actual or alleged legal obligations, such as contractual or self-regulatory obligations, may be interpreted and applied in a manner that is inconsistent with our existing data management practices or the functionality of our solutions. If so, in addition to the possibility of fines, lawsuits and other claims, we could be required to fundamentally change our business activities and practices or modify our software, which could have an adverse effect on our business. Any failure or perceived failure by us to comply with laws, regulations, policies, legal, or contractual obligations, industry standards, or regulatory guidance relating to privacy or data security, may result in governmental investigations and enforcement actions, litigation, fines and penalties, or adverse publicity, and could cause our clients and partners to lose trust in us, which could have an adverse effect on our reputation and business. We expect that there will continue to be new proposed laws, regulations, and industry standards relating to privacy, data protection, marketing, consumer communications, and information security, and we cannot determine the impact such future laws, regulations, and standards may have on our business. Future laws, regulations, standards, and other obligations or any changed interpretation of existing laws or regulations could impair our ability to develop and market new functionality and maintain and grow our client base and increase revenue. Future restrictions on the collection, use, sharing, or disclosure of data, or additional requirements for express or implied consent of our clients, partners, or end users for the use and disclosure of such information could require us to incur additional costs or modify our solutions, possibly in a material manner, and could limit our ability to develop new functionality.

If we are not able to comply with these laws or regulations, or if we become liable under these laws or regulations, we could be directly harmed, and we may be forced to implement new measures to reduce our exposure to this liability. This may require us to expend substantial resources or to discontinue certain solutions, which would negatively affect our business, financial condition, and operating results. In addition, the increased attention focused upon liability issues as a result of lawsuits and legislative proposals could harm our reputation or otherwise adversely affect the growth of our business. Furthermore, any costs incurred as a result of this potential liability could harm our operating results.

We are subject to anti-corruption, anti-bribery, and similar laws, and non-compliance with such laws can subject us to criminal or civil liability and harm our business.

We are subject to the FCPA, the U.K. Bribery Act, U.S. domestic bribery laws, and other anti-corruption laws. Anti-corruption and anti-bribery laws have been enforced aggressively in recent years and are interpreted broadly to generally prohibit companies, their employees, and their third-party intermediaries from authorizing, offering, or providing, directly or indirectly, improper payments or benefits to recipients in the public sector. These laws also require that we keep accurate books and records and maintain internal controls and compliance procedures designed to prevent any such actions. We

maintain operations and serve clients in several countries around the world. Although we do not target government entities as clients, some of our clients may receive funding or other support from local, state, provincial or national governments. As we maintain and seek to increase our international cross-border business and expand operations abroad, we may engage with business partners and third-party intermediaries to market our services and to obtain necessary permits, licenses, and other regulatory approvals. In addition, we or our third-party intermediaries may have direct or indirect interactions with officials and employees of government agencies or state-owned or affiliated entities. We can be held liable for the corrupt or other illegal activities of these third-party intermediaries, our FlyMates, representatives, contractors, partners, and agents, even if we do not explicitly authorize such activities.

While we maintain policies and training programs for our FlyMates related to anti-corruption, anti-bribery and gift giving, and include representations regarding legal compliance in our contracts with vendors and strategic partners, there can be no assurances that these policies, training programs or contractual provisions will be observed or enforceable. We cannot assure you that all of our FlyMates and agents will not take actions in violation of our policies and applicable law, for which we may be ultimately held responsible. As we increase our international business, our risks under these laws may increase.

Detecting, investigating, and resolving actual or alleged violations of anti-corruption laws can require a significant diversion of time, resources, and attention from senior management. In addition, noncompliance with anti-corruption or anti-bribery laws could subject us to whistleblower complaints, investigations, sanctions, settlements, prosecution, enforcement actions, fines, damages, other civil or criminal penalties, injunctions, suspension or debarment from contracting with certain persons, reputational harm, adverse media coverage, and other collateral consequences. If any subpoenas are received or investigations are launched, or governmental or other sanctions are imposed, or if we do not prevail in any possible civil or criminal proceeding, our business, operating results, and financial condition could be materially harmed. In addition, responding to any action will likely result in a materially significant diversion of management’s attention and resources and significant defense costs and other professional fees.

In February 2022, following Russia’s invasion of Ukraine, the United States and other countries announced sanctions against Russia. The sanctions by the United States and other countries against Russia to date include restrictions on selling or importing goods, services or technology in or from affected regions, travel bans and asset freezes impacting connected individuals and political, military, business and financial organizations in Russia, severing Russia’s largest bank from the U.S. financial system, barring some Russian enterprises from raising money in the U.S. market and blocking the access of Russian banks to financial markets. The United States and other countries could impose wider sanctions and take other actions should the conflict further escalate. While it is difficult to anticipate the impact the sanctions announced to date may have on us, any further sanctions imposed or actions taken by the United States or other countries, and any retaliatory measures by Russia in response, could increase our costs, reduce our sales and earnings or otherwise have an adverse effect on our operations.

If we fail to adequately protect our proprietary rights, our competitive position could be impaired and we may lose valuable assets, generate less revenue and incur costly litigation to protect our rights.

Our success is dependent, in part, upon protecting our proprietary technology. We rely on a combination of copyrights, trademarks, service marks, trade secret laws, the domain name dispute resolution mechanism, confidentiality procedures, and contractual provisions to establish and protect our proprietary rights. However, effective protection of intellectual property rights is expensive, both in terms of application and maintenance costs, as well as the costs of defending and enforcing those rights, and the steps we take to protect our intellectual property may be inadequate. We do not have patents covering any of our technology and do not actively pursue patents. Any of our trademarks, or other intellectual property rights may be challenged or circumvented by others, or narrowed or invalidated through administrative process or litigation. There can be no guarantee that others will not independently develop similar solutions or duplicate any of our solutions. Furthermore, legal standards relating to the validity, enforceability, and scope of protection of intellectual property rights are uncertain. Despite our precautions, it may be possible for unauthorized third parties to copy our solutions and use information that we regard as proprietary to create solutions that compete with ours.

We pursue registration of copyrights, trademarks, and domain names in the United States and in certain jurisdictions outside of the United States, but doing so may not always be successful or cost-effective. We may be unable or, in some instances, choose not to obtain legal protection for our intellectual property, and our existing and future intellectual property rights may not provide us with competitive advantages or distinguish our solutions from those of our competitors. The laws of some foreign countries may not protect our intellectual property rights to the same extent as the laws of the United States, and effective intellectual property protection and mechanisms may be uncertain or unavailable in those jurisdictions. We may need to expend additional resources to defend our intellectual property in such countries, and the

inability to do so could impair our business or adversely affect our international expansion. Particularly given the international nature of the Internet, the rate of growth of the Internet, and the ease of registering new domain names, we may not be able to detect unauthorized use of our intellectual property or take prompt enforcement action. Furthermore, the growing use of generative artificial intelligence presents an increased risk of unintentional and/or unauthorized disclosure or use of our intellectual property rights.

We endeavor to enter into agreements with our FlyMates, consultants and contractors and with parties with whom we do business in order to acquire intellectual property rights developed as a result of service to us, as well as to limit access to and disclosure of our proprietary information. No assurance can be given that our intellectual property related agreements with our FlyMates, consultants, contractors clients, their customers, or strategic partners and others will be effective in controlling access to and distribution of our solutions and proprietary information, potentially resulting in the unauthorized use or disclosure of our trade secrets and other intellectual property, including to our competitors, which could cause us to lose any competitive advantage resulting from this intellectual property. Further, these agreements do not prevent our competitors or partners from independently developing technologies that are substantially equivalent or superior to our solutions. In addition, individuals not subject to invention assignment agreements may make adverse ownership claims to our current and future intellectual property.

To protect our intellectual property rights, we may be required to spend significant resources to monitor, protect and defend these rights. Litigation may be necessary in the future to enforce our intellectual property rights and to protect our trade secrets. Such litigation could be costly, time consuming, and distracting to management and could result in the impairment or loss of portions of our intellectual property. Furthermore, our efforts to enforce our intellectual property rights may be met with defenses, counterclaims, and countersuits attacking the validity and enforceability of our intellectual property rights. Our inability to protect our proprietary technology against unauthorized copying or use, as well as any costly litigation or diversion of our management’s attention and resources, could delay further sales or the implementation of our solutions, impair the functionality of our solutions, delay introductions of new features, integrations, and capabilities, result in our substituting inferior or more costly technologies into our solutions, or injure our reputation. In addition, we may be required to license additional technology from third parties to develop and market new features, integrations, and capabilities, and we cannot be certain that we could license that technology on commercially reasonable terms or at all, and our inability to license this technology could harm our ability to compete.

We may in the future be subject to intellectual property disputes, which are costly and may subject us to significant liability and increased costs of doing business.

We may in the future become subject to intellectual property disputes. Lawsuits are time-consuming and expensive to resolve and they divert management’s time and attention. We cannot predict the outcome of lawsuits and cannot assure you that the results of any such actions will not have an adverse effect on our business, operating results, or financial condition. During litigation, we may become subject to provisional rulings, including preliminary injunctions requiring us to cease some or all of our operations. We may decide to settle legal disputes on terms that are unfavorable to us. Furthermore, such disputes, even those without merit, may subject us to an unfavorable judgment that we may not choose to appeal or that may not be reversed upon appeal. In such a situation, we could be required to pay substantial damages or license fees to third party patent owners. In addition, we may also be required to modify, redesign, reengineer, or rebrand our solutions, or stop making, licensing, or providing solutions that incorporate the asserted intellectual property. Alternatively, we may enter into a license agreement to continue practices found to be in violation of a third party’s rights. If we are required, or choose to enter into, royalty or licensing arrangements, such arrangements may not be available on reasonable terms or at all. In addition, we may also be contractually obligated to indemnify our clients in the event of infringement of a third party’s intellectual property rights.

Our use of “open source” software could negatively affect our ability to offer and sell access to our solutions and subject us to possible litigation.

We use open source software in our solutions and expect to continue to use open source software in the future. There are uncertainties regarding the proper interpretation of and compliance with open source licenses, and there is a risk that such licenses could be construed in a manner that imposes unanticipated conditions or restrictions on our ability to use such open source software, and consequently to provide or distribute our solutions. Although use of open source software has historically been free, recently several open source providers have begun to charge license fees for use of their software. If our current open source providers were to begin to charge for these licenses or increase their license fees significantly, this would increase our research and development costs and have a negative impact on our results of operations and financial condition.

Additionally, we may from time to time face claims from third parties claiming ownership of, or seeking to enforce the terms of, an open source license, including by demanding release of source code for the open source software, derivative works or our proprietary source code that was developed using, or that is distributed with, such open source software. These claims could also result in litigation and could require us to make our proprietary software source code freely available, require us to devote additional research and development resources to change our solutions or incur additional costs and expenses, any of which could result in reputational harm and would have a negative effect on our business and operating results. In addition, if the license terms for the open source software we utilize change, we may be forced to reengineer our solutions or incur additional costs to comply with the changed license terms or to replace the affected open source software. Further, use of certain open source software can lead to greater risks than use of third-party commercial software, as open source licensors generally do not provide warranties or controls on the origin of software or indemnification for third party infringement claims. Although we have implemented policies to regulate the use and incorporation of open source software into our solutions, we cannot be certain that we have not incorporated open source software in our solutions in a manner that is inconsistent with such policies.

Indemnity and liability provisions in various agreements potentially expose us to substantial liability for intellectual property infringement, data protection, and other losses.

Our agreements with some of our technology partners and certain clients include indemnification provisions under which we agree to indemnify them for losses suffered or incurred as a result of claims of intellectual property infringement, data protection, damages caused by us to property or persons, or other liabilities relating to or arising from our solutions or other contractual obligations. Some of these indemnity agreements provide for uncapped liability and some indemnity provisions survive termination or expiration of the applicable agreement. Large indemnity payments could harm our business, operating results, and financial condition. We may incur substantial liability, and we may be required to cease use of certain functions of our solutions, as a result of intellectual property related claims. Any dispute with a client or technology partner with respect to these obligations could have adverse effects on our relationship with that client or technology partner and other existing or new clients or technology partners, and harm our business and operating results. In addition, although we carry insurance, our insurance may not be adequate to indemnify us for all liability that may be imposed, or otherwise protect us from liabilities or damages with respect to claims alleging compromises of client or clients' customer data, and any such coverage may not continue to be available to us on acceptable terms or at all.

New or revised tax regulations, unfavorable resolution of tax contingencies or changes to enacted tax rates could adversely affect our tax expense.

As a multinational organization, we may be subject to taxation in several jurisdictions around the world with increasingly complex tax laws, the application, interpretation and enforcement of which can be uncertain. Changes in tax laws or their interpretations could result in changes to enacted tax rates and may require complex computations to be performed that were not previously required, significant judgments to be made in interpretation of the new or revised tax regulations and significant estimates in calculations, as well as the preparation and analysis of information not previously relevant or regularly produced. Future changes in enacted tax rates could negatively affect our results of operations.

For example, the Inflation Reduction Act of 2022 includes a minimum tax equal to fifteen percent of the adjusted financial statement income of certain corporations as well as a one percent excise tax on share buybacks, effective for tax years beginning in 2023. When effective, it is possible that the minimum tax could result in an additional tax liability over the regular federal corporate tax liability in a given year based on differences between book and taxable income (including as a result of temporary differences).

The vast majority of states have considered or adopted laws that impose tax collection obligations on out-of-state companies. States where we have nexus may require us to calculate, collect, and remit taxes on sales in their jurisdiction. Additionally, the Supreme Court of the United States ruled in South Dakota v. Wayfair, Inc. et al (Wayfair) that online sellers can be required to collect sales and use tax despite not having a physical presence in the buyer’s state. In response to Wayfair, or otherwise, states or local governments may enforce laws requiring us to calculate, collect, and remit taxes on sales in their jurisdictions. We may be obligated to collect and remit sales and use tax in states in which we have not collected and remitted sales and use tax. A successful assertion by one or more states requiring us to collect taxes where we historically have not or presently do not do so could result in substantial tax liabilities, including taxes on past sales, as well as penalties and interest. The imposition by state governments or local governments of sales tax collection obligations on out-of-state sellers could also create additional administrative burdens for us, put us at a perceived competitive disadvantage if they do not impose similar obligations on our competitors, and decrease our future sales, which could adversely affect our business and operating results.

Relevant foreign taxing authorities may disagree with our determinations as to whether we have established a taxable nexus, often referred to as a “permanent establishment”, or the income and expenses attributable to specific jurisdictions. In addition, these authorities may take aggressive tax recovery positions that the funds flows we process are subject to value added tax or goods and services tax. If disagreements with relevant taxing authorities on other unknown matters were to occur, and our position was not sustained, we could be required to pay additional taxes, interest and penalties, which could result in one-time tax charges, higher effective tax rates, reduced cash flows and lower overall profitability of our operations.

Our tax returns and positions are subject to review and audit by federal, state, local and international taxing authorities. An unfavorable outcome to a tax audit could result in higher tax expense, thereby negatively affecting our results of operations and cash flows. We have recognized estimated liabilities on the balance sheet for material known tax exposures relating to deductions, transactions and other matters involving some uncertainty as to the proper tax treatment of the item. These liabilities reflect what we believe to be reasonable assumptions as to the likely final resolution of each issue if raised by a taxing authority. While we believe that the liabilities are adequate to cover reasonably expected tax risks, there can be no assurance that, in all instances, an issue raised by a tax authority will be finally resolved at a financial amount no more than any related liability. An unfavorable resolution, therefore, could negatively affect our financial position, results of operations and cash flows in the current and/or future periods.

Our ability to use our net operating losses (NOL) to offset future taxable income may be subject to certain limitations.

As of December 31, 2023, we had U.S. federal NOL carryforwards of approximately $86.3 million and state NOL carryforwards of approximately $101.4 million. The federal and material state NOL carryforwards will begin to expire in 2032 and 2024, respectively. In general, under Sections 382 and 383 of the United States Internal Revenue Code of 1986, as amended (Code), a corporation that undergoes an “ownership change” is subject to limitations on its ability to utilize its pre-change NOLs and other tax attributes such as research tax credits to offset future taxable income. An “ownership change” pursuant to Section 382 of the Code generally occurs if one or more stockholders or groups of stockholders who own at least 5% of the company’s stock increase their ownership by more than 50 percentage points over their lowest ownership percentage within a rolling three-year period. Future changes in our stock ownership, many of which are outside of our control, could result in an ownership change under Sections 382 or 383 of the Code. Furthermore, our ability to utilize NOLs of companies that we may acquire in the future may be subject to limitations.

During 2022, the Company completed a Section 382 study and as a result of the ownership changes identified, $1.6 million of Flywire’s NOLs and $0.2 million of Simplee’s NOLs will expire unutilized, assuming sufficient taxable income is generated in the future. The Company is in the process of updating its Section 382 study and preliminary indications show there will be no additional limitations in using Federal and State NOL carryforwards.

Under the Tax Cuts and Jobs Act enacted in 2017 as modified by the Coronavirus Aid, Relief, and Economic Security Act enacted in 2020, U.S. federal NOL carryforwards generated in taxable periods beginning after December 31, 2017 may be carried forward indefinitely, but the deductibility of such NOL carryforwards in taxable years beginning after December 31, 2020 is limited to 80% of taxable income. In addition, federal NOLs arising in tax years ending after December 31, 2017 can be carried forward indefinitely, but carryback is generally prohibited. NOLs generated in tax years beginning before January 1, 2018 will not be subject to the taxable income limitation, and NOLs generated in tax years ending before January 1, 2018 will continue to have a two-year carryback and twenty-year carryforward period. Deferred tax assets for NOLs will need to be measured at the applicable tax rate in effect when the NOL is expected to be utilized. Similar rules may apply under state tax laws. The changes in the carryforward/carryback periods as well as the new limitation on use of NOLs may significantly impact our valuation allowance assessments for NOLs generated after December 31, 2017.

Risks Related to Being a Public Company

As a public company, we are obligated to develop and maintain proper and effective internal control over financial reporting, and if we fail to develop and maintain an effective system of disclosure controls and internal control over financial reporting, our ability to produce timely and accurate financial statements or comply with applicable laws and regulations could be impaired.

As a public company, we are subject to the reporting requirements of the Securities Exchange Act of 1934, as amended (the Exchange Act), the Sarbanes-Oxley Act of 2002 (Sarbanes-Oxley Act), the Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010 (Dodd-Frank), the listing requirements of The Nasdaq Global Select Market (Nasdaq), and other applicable securities rules and regulations. Compliance with these rules and regulations will increase

our legal and financial compliance costs, make some activities more difficult, time consuming, or costly, and increase demand on our systems and resources. The Exchange Act requires, among other things, that we file annual, quarterly, and current reports with respect to our business and operating results. The Sarbanes-Oxley Act requires, among other things, that we maintain effective disclosure controls and procedures and internal control over financial reporting. It may require significant resources and management oversight to maintain and, if necessary, improve our disclosure controls and procedures and internal control over financial reporting to meet this standard. As a result, management’s attention may be diverted from other business concerns, which could adversely affect our business and operating results. To comply with these requirements, we may need to hire more employees in the future or engage outside consultants, which would increase our costs and expenses.

As a "large accelerated" filer, we are required, pursuant to Section 404 of the Sarbanes-Oxley Act (Section 404), to furnish a report by management on, among other things, the effectiveness of our internal control over financial reporting. Effective internal control over financial reporting is necessary for us to provide reliable financial reports and, together with adequate disclosure controls and procedures, are designed to prevent fraud. Any failure to implement required new or improved controls, or difficulties encountered in their implementation, could cause us to fail to meet our reporting obligations. Ineffective internal controls could also cause investors to lose confidence in our reported financial information, which could have a negative effect on the trading price of our common stock.

This assessment includes disclosure of any material weaknesses identified by our management in our internal control over financial reporting and our independent registered public accounting firm will be required to issue an opinion on the effectiveness of our internal control over financial reporting. We expect to incur significant expenses and devote substantial management effort toward ensuring compliance with the auditor attestation requirements of Section 404. Furthermore, we will also have to file a more expansive proxy statement and are subject to shorter filing deadlines, which will require additional time and expense as well.

An independent assessment of the effectiveness of our internal controls could detect problems that our management’s assessment might not. Undetected material weaknesses in our internal controls could lead to financial statement restatements and require us to incur the expense of remediation. We are required to disclose changes made in our internal control and procedures on a quarterly basis. To comply with the requirements of being a public company, we have undertaken and expect to need to continue to undertake various actions, such as implementing new internal controls and procedures, hiring risk professionals, accounting and internal audit staff, and engaging outside consultants, which will increase our operating expenses.

We are actively engaged in the ongoing costly and challenging process of performing the evaluation needed to comply with Section 404. We may not be able to complete our evaluation, testing, and any required remediation in a timely fashion. During the evaluation and testing process, if we identify material weaknesses in our internal control over financial reporting, we will be unable to assert that our internal control over financial reporting is effective.

If we are unable to assert that our internal control over financial reporting is effective, or if our independent registered public accounting firm is unable to express an opinion on the effectiveness of our internal control, including as a result of a material weakness, we could lose investor confidence in the accuracy and completeness of our financial reports, which could cause the price of our common stock to decline, and we may be subject to investigation or sanctions by the SEC. In addition, if we are unable to continue to meet these requirements, we may not be able to remain listed on Nasdaq.

Increased scrutiny from investors and others or changes in regulations regarding our environmental, social, governance, or sustainability responsibilities could result in additional costs or risks and adversely impact our reputation, employee retention, and willingness of partners, clients or our clients’ customers to do business with us.

Investor advocacy groups, certain institutional investors, investment funds, other market participants, stockholders, and consumer groups have focused increasingly on ESG or “sustainability” practices of companies. These parties have placed increased importance on the implications of the social cost of their investments. We have convened a cross-functional working group to further enhance our commitment to sustainability and ESG, and recognize the importance of communicating our progress on ESG to our stakeholders. As part of its responsibilities, our ESG working group is assessing opportunities for communicating progress on our priority initiatives. However, if our ESG practices do not meet (or are viewed as not meeting) investor or other industry stakeholder expectations and standards, which continue to evolve, our brand, reputation and employee retention may be negatively impacted, including based on an assessment of our ESG practices. Any sustainability report that we publish or sustainability disclosure we make may include our policies and practices on a variety of social and ethical matters, including corporate governance, community involvement,

environmental compliance, employee health and safety practices, cybersecurity and privacy, human capital management, and workforce equity, inclusion and diversity. It is possible that stakeholders may not be satisfied with our ESG practices or the speed of their adoption. We could also incur additional costs and require additional resources to monitor, report, and comply with various ESG practices. Also, our failure, or perceived failure, to meet the standards included in any sustainability disclosure could negatively impact our reputation, employee retention, and the willingness of our partners, clients or our clients’ customers to do business with us.

In addition, increasing governmental interest in, and public awareness of, the impacts and effects of climate change and greater emphasis on sustainability by federal, state, and international governments could lead to further regulatory efforts to address the carbon impact of housing and travel. In particular, the current regulatory landscape regarding climate change (including disclosure requirements and requirements regarding energy and water use and efficiency), both within the United States and in many other locations where we operate worldwide, is evolving at a pace, and is likely to continue to develop in ways, that require our business to adapt. Many U.S. states, either individually or through multi-state regional initiatives, have begun to address greenhouse gas emissions, including disclosure requirements relating thereto, and some U.S. states have also adopted various ESG-related efforts, initiatives and requirements. As a result, governments may enact new laws and regulations and/or view matters or interpret laws and regulations differently than they have in the past, including laws and regulations which are responsive to ESG trends or otherwise seek to reduce the carbon emissions relating to travel and set minimum energy efficiency requirements, which could materially adversely affect our business, results of operations, and financial condition. The legislative landscape continues to be in a state of constant change as well as legal challenge with respect to these laws and regulations, making it difficult to predict with certainty the ultimate impact they will have on our business in the aggregate.

We will continue to incur increased costs as a result of operating as a public company, and our management will be required to devote substantial time to compliance with our public company responsibilities and corporate governance practices.

As a public company, we will continue to incur significant legal, accounting, and other expenses as a result of operating as a public company, which increased during 2023 as a result of becoming a "large accelerated" filer. The Sarbanes-Oxley Act, Dodd-Frank, the listing requirements of the Nasdaq, and other applicable securities rules and regulations impose various requirements on public companies. Our management and other personnel devote a substantial amount of time to compliance with these requirements and interacting with public company investors and securities analysts. These obligations and constituents require significant attention from our management team and could divert their attention away from the day-to-day management of our business, which could harm our business, operating results, and financial condition. Moreover, these rules and regulations will increase our legal and financial compliance costs and will make some activities more time-consuming and costly. We cannot predict or estimate the amount of additional costs we will incur as a public company or the specific timing of such costs.

Risks Related to Ownership of Our Common Stock

The price of our common stock may be volatile or may decline regardless of our operating performance and you may not be able to resell your shares at or above the price you paid for them.

An active or liquid market in our common stock may not be sustainable.

The market price of our common stock may fluctuate significantly in response to numerous factors, many of which are beyond our control, including:

In addition, the stock markets have experienced extreme price and volume fluctuations that have affected and continue to affect the market prices of equity securities of many companies.

Concerns over economic recession, interest rate increases and inflation, supply chain delays and disruptions, policy priorities of the U.S. presidential administration and Congress, trade wars, unemployment, or prolonged government shutdown may contribute to increased volatility and diminished expectations for the economy and markets. Additionally, concern over geopolitical issues may also contribute to prolonged market volatility and instability. For example, the conflict between Russia and Ukraine could lead to disruption, instability and volatility in global markets and industries. The U.S. government and other governments in jurisdictions have imposed severe economic sanctions and export controls against Russia and Russian interests, have removed Russia from the SWIFT system, and have threatened additional sanctions and controls. The full impact of these measures, as well as potential responses to them by Russia, is unknown.

Stock prices of many companies, and technology companies in particular, have fluctuated in a manner unrelated or disproportionate to the operating performance of those companies. In the past, stockholders have filed securities class action litigation following periods of market volatility. If we were to become involved in securities litigation, it could subject us to substantial costs, divert resources and the attention of management from our business and adversely affect our business.

Raising additional capital may cause dilution to our existing stockholders, restrict our operations or require us to relinquish rights to our intellectual property on unfavorable terms to us.

Until such time, if ever, as we can generate substantial revenue, we may finance our cash needs through a combination of equity offerings, government or private party grants, debt financings and strategic partnership agreements. We may seek additional capital through a variety of means, including through strategic partnership arrangements, public or private equity or debt financings, third-party funding and marketing and distribution arrangements, as well as other strategic alliances and licensing arrangements or any combination of these approaches. However, disruptions in the

capital markets, particularly with respect to financial technology companies, could make any financing more challenging, and there can be no assurance that we will be able to raise capital on commercially reasonable terms or at all. To the extent that we raise additional capital through the sale of equity or convertible debt securities, your ownership interest will be diluted, and the terms may include liquidation preferences or other rights, powers or preferences that may adversely affect your rights as a stockholder. To the extent that debt financing is available, and we choose to raise additional capital in the form of debt, such debt financing may involve agreements that include covenants limiting or restricting our ability to take certain actions, such as incurring additional debt, making capital expenditures or declaring dividends. If we raise additional capital pursuant to collaborations, licensing arrangements or other strategic partnerships, such agreements may require us to relinquish rights to our technologies.

If we are unable to raise additional funds through equity or debt financing or through collaborations or strategic partnerships when needed, we may be required to delay, limit, reduce or terminate the development of our solutions or commercialization efforts.

We may allocate our cash and cash equivalents in ways that you and other stockholders may not approve.

Our management has broad discretion in the application of our cash and cash equivalents. Because of the number and variability of factors that determine our use of our cash and cash equivalents, their ultimate use may vary substantially from their currently intended use. Our management might not apply cash and cash equivalents in ways that ultimately increase the value of your investment. The failure by our management to apply these funds effectively could harm our business. Pending their use, we may invest our cash and cash equivalents in short-term, investment-grade, interest-bearing securities. These investments may not yield a favorable return to our stockholders. If we do not invest or apply our cash and cash equivalents in ways that enhance stockholder value, we may fail to achieve expected financial results, which could cause our stock price to decline.

If securities or industry analysts do not publish research or publish inaccurate or unfavorable research about our business, our stock price and trading volume could decline.

The trading market for our common stock depends in part on the research and reports that securities or industry analysts publish about us or our business. If industry analysts cease coverage of us, the trading price for our common stock would be negatively affected. If one or more of the analysts who cover us downgrade our common stock or publish inaccurate or unfavorable research about our business, our common stock price would likely decline. If one or more of these analysts cease coverage of us or fail to publish reports on us regularly, demand for our common stock could decrease, which might cause our common stock price and trading volume to decline.

Sales of substantial amounts of our common stock in the public markets could cause the market price of our common stock to decline.

The price of our common stock could decline if there are substantial sales of our common stock, particularly sales by our directors, executive officers and significant stockholders, or if there is a large number of shares of our common stock available for sale and the market perceives that sales will occur. We had a total of 120,695,162 shares of our voting common stock and 1,873,320 shares of our non-voting common stock outstanding as of December 31, 2023. Other than shares held by directors, executive officers and other affiliates that are subject to volume limitations under Rule 144 under the Securities Act and various vesting agreements, these shares of common stock generally are freely tradable without restrictions or further registration under the Securities Act.

Certain of our stockholders will have rights, subject to some conditions, to require us to file registration statements covering their shares or to include their shares in registration statements that we may file for ourselves or our stockholders, subject to market standoff and lock-up agreements. We registered shares of common stock that we have issued and may issue under our equity incentive plans. These shares will be able to be sold freely in the public market upon issuance, subject to securities laws.

The market price of the shares of our common stock could decline as a result of the sale of a substantial number of our shares of common stock in the public market or the perception in the market that the holders of a large number of shares intend to sell their shares.

The concentration of our stock ownership will likely limit your ability to influence corporate matters, including the ability to influence the outcome of director elections and other matters requiring stockholder approval.

As of December 31, 2023, our current executive officers, directors and the holders of more than 5% of our outstanding voting and non-voting common stock, in the aggregate, beneficially owned a significant percentage of our outstanding voting and non-voting common stock. As a result, these stockholders, acting together, will have significant influence over all matters that require approval by our stockholders, including the election of directors and approval of significant corporate transactions. Corporate actions might be taken even if other stockholders oppose them. This concentration of ownership might also have the effect of delaying or preventing a change of control of our company that other stockholders may view as beneficial.

We do not intend to pay dividends on our common stock and, consequently, your ability to achieve a return on your investment will depend on appreciation in the price of our common stock.

We have never declared or paid any cash dividend on our common stock and do not currently intend to do so for the foreseeable future. We currently anticipate that we will retain future earnings for the development, operation and expansion of our business and do not anticipate declaring or paying any cash dividends for the foreseeable future. In addition, our senior secured revolving credit syndication loan currently prohibits us from paying dividends on our equity securities, and any future debt financing arrangement may contain terms prohibiting or limiting the amount of dividends that may be declared or paid on our common stock. Any return to stockholders will therefore be limited to the appreciation of their stock. Therefore, the success of an investment in shares of our common stock will depend upon any future appreciation in their value. There is no guarantee that shares of our common stock will appreciate in value or even maintain the price at which our stockholders have purchased their shares.

Delaware law and provisions in our amended and restated certificate of incorporation and amended and restated bylaws could make a merger, tender offer or proxy contest difficult, thereby depressing the trading price of our common stock.

Our status as a Delaware corporation and the anti-takeover provisions of the Delaware General Corporation Law (DGCL) may discourage, delay or prevent a change in control by prohibiting us from engaging in a business combination with an interested stockholder for a period of three years after the person becomes an interested stockholder, even if a change of control would be beneficial to our existing stockholders. In addition, our amended and restated certificate of incorporation and amended and restated bylaws contain provisions that may make the acquisition of our company more difficult, including the following:

In addition, as a Delaware corporation, we are subject to Section 203 of the DGCL. These provisions may prohibit large stockholders, in particular those owning 15% or more of our outstanding voting stock, from merging or combining with us for a certain period of time. A Delaware corporation may opt out of this provision by express provision in its original certificate of incorporation or by amendment to its certificate of incorporation or bylaws approved by its stockholders. However, we have not opted out of this provision.

These and other provisions in our amended and restated certificate of incorporation, amended and restated bylaws and Delaware law could make it more difficult for stockholders or potential acquirors to obtain control of our board of directors or initiate actions that are opposed by our then-current board of directors, including delay or impede a merger, tender offer or proxy contest involving our company. The existence of these provisions could negatively affect the price of our common stock and limit opportunities for you to realize value in a corporate transaction.

Our amended and restated certificate of incorporation provides that the Court of Chancery of the State of Delaware and the federal district courts of the United States will be the exclusive forum for substantially all disputes between us and our stockholders, which could limit our stockholders’ ability to obtain a favorable judicial forum for disputes with us or our directors, officers or FlyMates.

Our amended and restated certificate of incorporation provides that the Court of Chancery of the State of Delaware is the exclusive forum for any derivative action or proceeding brought on our behalf, any action asserting a breach of fiduciary duty, any action asserting a claim against us arising pursuant to the DGCL, our certificate of incorporation or our bylaws or any action asserting a claim against us that is governed by the internal affairs doctrine. This provision would not apply to claims brought to enforce a duty or liability created by the Exchange Act or any other claim for which the federal courts have exclusive jurisdiction. Our amended and restated certificate of incorporation provides further that the federal district courts of the United States will be the exclusive forum for resolving any complaint asserting a cause of action arising under the Securities Act. These choices of forum provisions may limit a stockholder’s ability to bring a claim in a judicial forum that it finds favorable for disputes with us or our directors, officers or other FlyMates and may discourage these types of lawsuits. Furthermore, the enforceability of similar choice of forum provisions in other companies’ certificates of incorporation has been challenged in legal proceedings, and it is possible that a court could find these types of provisions to be inapplicable or unenforceable. While the Delaware courts have determined that such choice of forum provisions are facially valid, a stockholder may nevertheless seek to bring a claim in a venue other than those designated in the exclusive-forum provisions, and there can be no assurance that such provisions will be enforced by a court in those other jurisdictions. If a court were to find the exclusive-forum provision contained in our amended and restated certificate of incorporation to be inapplicable or unenforceable in an action, we may incur additional costs associated with resolving such action in other jurisdictions, which could harm our business.

Item 1B. Unresolved Staff Comments

None.

Item 1C. Cybersecurity

Flywire recognizes the critical importance of developing, implementing and maintaining robust cybersecurity measures to safeguard our information systems and protect the confidentiality, integrity, and availability of our data.

Risk Management and Strategy

Managing Material Risks and Integrated Overall Risk Management

Flywire has strategically integrated cybersecurity risk management into our broader risk management framework to promote a company-wide culture of cybersecurity risk management. This integration ensures that cybersecurity considerations are an integral part of our decision-making processes at every level. Our security and risk management team works closely with our IT department to continuously evaluate and address cybersecurity risks in alignment with our business objectives and operational needs.

Engage Third-parties on Risk Management

Recognizing the complexity and evolving nature of cybersecurity threats, Flywire engages with a range of external experts, including cybersecurity assessors, consultants and auditors in evaluating and testing our risk management systems. These partnerships enable us to leverage specialized knowledge and insights, ensuring our cybersecurity strategies and processes remain at the forefront of industry best practices. Our collaboration with these third-parties includes regular audits, threat assessments and consultation on security enhancements.

Oversee Third-party Risk

Flywire implements stringent processes to oversee and manage the risks associated with third-party service providers. We conduct thorough security assessments of all third-party providers before engagement and maintain ongoing monitoring to ensure compliance with our cybersecurity standards. The monitoring includes annual assessments by our Chief Information Security Officer (CISO) and on an ongoing basis by our security and risk management team and our security engineers. This approach is designed to mitigate risks related to data breaches or other security incidents originating from third-parties.

Risks from Cybersecurity Threats

We have not encountered cybersecurity challenges that have materially impaired our operations or financial standing.

Governance

Our Board of Directors is acutely aware of the critical nature of managing risks associated with cybersecurity threats. Our Board has established robust oversight mechanisms to ensure effective governance in managing risks associated with cybersecurity threats because we recognize the significance of these threats to our operational integrity and stakeholder confidence.

Board of Directors Oversight

Our Audit Committee is central to the Board’s oversight of cybersecurity risks and bears the primary responsibility for this domain. The Audit Committee is composed of board members with diverse expertise including risk management, technology and finance, which we believe equips them to oversee cybersecurity risks effectively.

Management’s Role Managing Risk

The CISO, General Counsel & Chief Compliance Officer (GC & CCO), Chief Operating Officer (COO) and the Chief Executive Officer (CEO) play a pivotal role in informing the Audit Committee on cybersecurity risks. They provide comprehensive briefings to the Audit Committee on a quarterly basis. These briefings encompass a broad range of topics, including:

In addition to our scheduled meetings, the Audit Committee, CISO, GC & CCO, COO and CEO maintain an ongoing dialogue regarding emerging or potential cybersecurity risks. Together, they receive updates on any significant developments in the cybersecurity domain, ensuring the Board’s oversight is proactive and responsive. The Audit Committee actively participates in strategic decisions related to cybersecurity, offering guidance and approval for major initiatives. This involvement ensures that cybersecurity considerations are integrated into the broader strategic objectives of Flywire. Our Audit Committee conducts an annual review of our cybersecurity posture and the effectiveness of its risk management strategies. This review helps in identifying areas for improvement and ensuring the alignment of cybersecurity efforts with the overall risk management framework.

Risk Management Personnel

Primary responsibility for assessing, monitoring and managing our cybersecurity risks rests with the CISO. With over 30 years of experience in the field of cybersecurity, the CISO brings a wealth of expertise to her role. Her background includes extensive experience as an enterprise CISO and is well-recognized within the industry. Her in-depth knowledge and experience are instrumental in developing and executing our cybersecurity strategies. Our CISO oversees our governance programs, tests our compliance with standards, remediates known risks, and leads our employee training program.

Monitor Cybersecurity Incidents

The CISO is continually informed about the latest developments in cybersecurity, including potential threats and innovative risk management techniques. This ongoing knowledge acquisition is crucial for the effective prevention, detection, mitigation and remediation of cybersecurity incidents. The CISO implements and oversees processes for the regular monitoring of our information systems. This includes the deployment of advanced security measures and regular system audits to identify potential vulnerabilities. In the event of a cybersecurity incident, the CISO is equipped with a well-defined incident response plan. This plan includes immediate actions to mitigate the impact and long-term strategies for remediation and prevention of future incidents and is subject to periodic testing for effectiveness of response and remediation.

Reporting to Board of Directors

Our CISO, in her capacity, regularly informs our Chief Financial Officer (CFO), GC & CCO, COO and CEO of all aspects related to cybersecurity risks and incidents. This ensures that the highest levels of management are kept abreast of the cybersecurity posture and potential risks facing Flywire. Furthermore, our CISO reports to the Board of Directors at a minimum twice a year, ensuring that they have comprehensive oversight and can provide guidance on significant cybersecurity matters, and strategic risk management decisions.

Item 2. Properties

Our corporate headquarters are located in Boston, Massachusetts, where we occupy facilities totaling approximately 10,946 square feet under a lease that expires in June 2027. We use these facilities for administration, finance, legal, compliance, human resources, global payments, IT, sales and marketing, engineering, and customer success.

We maintain other leased locations in the United States and throughout the world. We intend to procure additional space as we add FlyMates and expand geographically. We believe that our facilities are adequate to meet our needs for the immediate future, and that, should it be needed, suitable additional space will be available to accommodate any such expansion of our operations.

Item 3. Legal Proceedings

From time to time, we may be subject to legal proceedings and claims in the ordinary course of business, including patent, commercial, product liability, employment, class action, whistleblower, and other litigation and claims, as well as

governmental and other regulatory investigations and proceedings. In addition, third parties may from time to time assert claims against us in the form of letters and other communications. We are not currently a party to any legal proceedings that we believe to be material, individually or in the aggregate, to our business or consolidated financial statements. The results of any future litigation cannot be predicted with certainty, and regardless of the outcome, litigation can have an adverse impact on us because of defense and settlement costs, diversion of management resources, and other factors.

In the course of implementing geolocation data-based sanctions screening measures, we identified certain payments which, based on geolocation data, appear to have been initiated from Cuba, Iran, or Syria, in potential violation of applicable sanctions regimes. Although Flywire continues to evaluate whether these or other transactions constitute potential violations of OFAC sanctions (including whether certain of these payments may have been authorized by general licenses or license exemptions under the relevant sanctions regulations), in August 2023, Flywire made a voluntary submission to OFAC to report the potential violations. Based upon the results of the internal investigation completed to date, we do not believe that the amount of any loss incurred as a result of this matter would be material to its business, financial condition, results of operations or cash flows.

Item 4. Mine Safety Disclosures

Not applicable.

PART II

Item 5. Market for Registrant’s Common Equity, Related Stockholder Matters and Issuer Purchases of Equity Securities

Market Information

Our voting common stock trades on the Nasdaq Global Select Market under the symbol “FLYW.” Our non-voting common stock is not listed on any stock exchange nor traded on any public market.

Holders of Record

As of February 23, 2024, there were approximately 36 holders of record of our voting common stock. This number does not include beneficial owners whose shares are held by nominees in street name. As of February 23, 2024, there was 1 holder of record of our non-voting common stock.

Dividend Policy

We have never declared nor paid any cash dividends on our capital stock. We currently intend to retain all available funds and any future earnings for use in the operation of our business and do not expect to pay any dividends on our capital stock in the foreseeable future. Any future determination relating to our dividend policy will be at the discretion of our board of directors, subject to applicable laws, and will depend on our financial condition, results of operations, capital requirements, general business conditions, and other factors that our board of directors considers relevant. In addition, the terms of our revolving credit syndication loan restrict our ability to pay dividends.

Stock Performance Graph

The following performance graph and related information shall not be deemed “soliciting material” or to be “filed” with the SEC for purposes of Section 18 of the Exchange Act, nor shall such information be incorporated by reference into any future filing under the Securities Act or the Exchange Act, whether made before or after the date hereof and irrespective of any general incorporation language in any such filing, or otherwise subject to the liabilities under the Securities Act or Exchange Act, except to the extent that we specifically incorporate it by reference into such filing.

The following graph depicts the total cumulative stockholder return on our common stock from May 26, 2021, the first day of trading of our common stock on the Nasdaq Global Select Market, through December 31, 2023, relative to the performance of the S&P 500 Index and S&P 500 IT Index. The graph assumes an initial investment of $100.00 at the close of trading on May 26, 2021 and that all dividends paid by companies included in these indices have been reinvested. The performance shown in the graph below is not intended to forecast or be indicative of future stock price performance.

Recent Sales of Unregistered Equity Securities

None.

Issuer Purchases of Equity Securities

None.

Item 6. [Reserved]

Item 7. Management’s Discussion and Analysis of Financial Condition and Results of Operations

You should read the following discussion and analysis of our financial condition and results of operations together with our consolidated financial statements and the related notes appearing elsewhere in this Annual Report on Form 10-K. Some of the information contained in this Annual Report on Form 10-K includes forward-looking statements that involve risks and uncertainties. You should read the sections titled “Special Note Regarding Forward-Looking Statements” and “Risk Factors” for a discussion of important factors that could cause actual results to differ materially from the results described in or implied by the forward-looking statements contained in the following discussion and analysis. Our fiscal year end is December 31, and our fiscal quarters end on March 31, June 30, September 30, and December 31.

Overview

Flywire is a leading global payments enablement and software company. Our next-gen payments platform, proprietary global payment network and vertical-specific software help our clients get paid and help their customers pay with ease—no matter where they are in the world. Our clients rely on us for integrated solutions that are both global and local, and combine tailored invoicing, flexible payment options, and highly personalized omni-channel experiences. We believe we make generational advances for our clients by transforming payments into a source of value and growth for their organizations while delighting their customers with payment experiences that are engaging, secure, fast, and transparent.

Our Flywire Advantage is derived from three core elements: (i) our next-gen payments platform; (ii) our proprietary global payment network; and (iii) our vertical-specific software backed by our deep industry expertise. With our Flywire Advantage, we aim to power the transformation of our clients’ accounts receivable functions by automating paper and check-based business processes in addition to creating interactive, digital payment experiences for their customers. As a result, clients who implement our payments and software solutions can see increased digital payments and improved accounts receivable, higher enrollment in payment plans, and a reduction in customer support inquiries. We help our clients turn their accounts receivable functions into strategic, value-enhancing areas of their organizations.

We reach clients through various channels, with our direct channel being our primary go-to-market strategy. Our industry-experienced sales and relationship management teams bring expertise and local reach, and our solution combines high-tech and high-touch functions backed by 24x7 multilingual customer support, resulting in high client and customer satisfaction. In addition, the value of our Flywire Advantage has been recognized, with global financial institutions and technology providers choosing to form channel partnerships with us. These partnerships promote organic referral and lead generation opportunities and enhance our indirect sales strategy.

The combination of our differentiated solution and efficient go-to-market strategy has resulted in strong and consistent client growth.

As of December 31, 2023, we serve over 3,800 clients around the world. In education, we serve more than 2,800 institutions. In healthcare, we power more than 90 healthcare systems, including four of the top 10 healthcare systems in

the United States ranked by hospital size as of December 31, 2023. In our newer payment verticals of travel and B2B payments, we have a growing portfolio of more than 900 clients as of December 31, 2023.

Our success in building our client base around the world and expanding utilization by our clients’ customers has allowed us to achieve significant scale. We enabled over $24.0 billion and approximately $18.1 billion in total payment volume during the years ended December 31, 2023 and 2022, respectively. We generated revenue of $403.1 million, $289.4 million and $201.1 million for the years ended December 31, 2023, 2022 and 2021, respectively, and incurred net losses of $8.6 million, $39.3 million, and $28.1 million for those same years.

We believe that the growth of our business and our operating results will be dependent upon many factors, including our ability to add new clients, expand the usage of our solutions by our existing clients and their customers, integrate the businesses and technology platforms that we acquire and increase the breadth and depth of our payments and software capabilities by adding new solutions. While these areas present significant opportunities for us, they also pose challenges and risks that we must successfully address in order to sustain the growth of our business and improve our operating results.

While we have experienced significant growth and increased demand for our solutions over recent periods, we expect to continue to incur losses in the short term and may not be able to achieve or maintain profitability in the future. Our marketing is focused on generating leads to develop our sales pipeline, building our brand and market awareness, scaling our network of partners and growing our business from our existing client base. We believe that these efforts will result in an increase in our client base, revenues, and improved margins in the long term. To manage any future growth effectively, we must continue to improve and expand our IT and financial infrastructure, our operating and administrative systems and controls, and our ability to manage headcount, capital, and processes in an efficient manner. Additionally, we face intense competition in our market, and to succeed, we need to innovate and offer solutions that are differentiated from legacy payment solutions. We must also effectively hire, retain, train, and motivate qualified personnel and senior management. There are also circumstances beyond our control which can materially impact our business that we need to respond to, including, but not limited to fluctuations in exchange rates. If we are unable to successfully address these challenges, our business, operating results, and prospects could be adversely affected.

2023 Follow-On Offering

On August 9, 2023, we entered into an underwriting agreement (Underwriting Agreement) with Goldman Sachs & Co. LLC, as representative of the several underwriters (Underwriters), in connection with the offer and sale of 8,000,000 shares of common stock, at a price to the public of $32.00 per share (the Primary Offering). In addition, pursuant to the terms of the Underwriting Agreement, we granted the Underwriters an option to purchase up to 1,200,000 additional shares of Common Stock (Underwriters’ Option).

On September 12, 2023, the Underwriters exercised the Underwriters’ Option in part and purchased an additional 500,000 shares common stock, in each instance at a price to the public of $32.00 per share. We received $260.1 million in net proceeds from the Primary Offering and the Underwriters’ Option, after deducting underwriting discounts and commissions of $10.9 million and other offering costs of $1.1 million.

Initial Public Offering (IPO)

On May 28, 2021, we completed our IPO, in which we issued and sold 12,006,000 shares of common stock at a public offering price of $24.00 per share, which included 1,566,000 shares of common stock issued pursuant to the exercise in full of the underwriters' option to purchase additional shares. We received $263.8 million in net proceeds from the IPO, after deducting underwriting discounts and commissions of $19.4 million and other offering costs of $4.9 million.

Recent Acquisition

In November 2023, we acquired all of the issued and outstanding shares of StudyLink for an estimated total aggregate purchase price of approximately $35.5 million, consisting of approximately $32.8 million in cash consideration, net of cash acquired and up to approximately $2.7 million in contingent consideration. Purchase consideration is subject to certain adjustments as specified in the share sale agreement, including a net working capital adjustment. The contingent consideration represents additional payments that we may be required to make in the future dependent on the successful achievement of revenue, volume, cross-selling and engineering implementation milestones, a portion of which can be paid in the form of cash or shares of common stock, at our option, and is subject to exchange rate fluctuation adjustment between the U.S. Dollar and Australian Dollar. Additional payments in the form of shares of common stock will be made based on the continuing employment of a key employee; accordingly, the fair value of $2.4 million,

approximately 84,000 shares of common stock, have been excluded from the purchase consideration. StudyLink is an Australian-based SaaS education company that provides platforms to education providers to support their student admissions systems and processes, including features such as eligibility assessment, offer generation, recruitment agent and commission management and acceptance processing. The acquisition of StudyLink was intended to accelerate our success in the Australian higher education market and enhance our value proposition to payers, universities and agents in the higher education ecosystem. StudyLink contributed $1.4 million in platform revenue during the year ended December 31, 2023.

In July 2022, we acquired all of the issued and outstanding shares of Cohort Go for an estimated aggregate purchase price of $23.1 million, which consisted of $17.1 million in cash consideration, net of cash acquired, $4.3 million in shares of common stock and up to $1.7 million in contingent consideration assessed at the acquisition date. Subsequent to the acquisition date, at each reporting date, the contingent consideration was remeasured and changes in the fair value resulting from a change in the underlying inputs were recognized in general and administrative expense in the consolidated statements of operations and comprehensive loss. Contingent consideration represented additional payments that Flywire was required to make which was dependent upon Cohort Go's achievement of specific post-acquisition milestones and was subject to exchange rate fluctuation adjustment between the U.S. Dollar and Australian Dollar. During the year ended December 31, 2023 and 2022, we paid $1.7 million and $0.5 million, respectively, in contingent consideration based on Cohort Go's successful and timely achievement of contracted milestones. No additional contingent consideration is due or payable with respect to the Cohort Go acquisition. Cohort Go is an Australian-based education payments provider that simplifies the student recruitment process by bringing together students, agents and essential student services such as health insurance into one platform. The acquisition of Cohort Go accelerated the growth of Flywire's agent related revenue and contributed to our global expansion. Cohort Go contributed $16.6 million in transaction revenue and $10.4 million in platform revenue during the year ended December 31, 2023 and $6.4 million in transaction revenue and $3.3 million in platform revenue during the year ended December 31, 2022.

In December 2021, we acquired all of the issued and outstanding shares of WPM for an estimated aggregate purchase price of $59.6 million, which consisted of $56.1 million in cash consideration, net of cash acquired and up to $3.5 million in estimated fair value of contingent consideration. Contingent consideration was potentially payable at various intervals through March 2024 in the form of cash or up to approximately 225,000 shares of common stock, at our option, and was dependent upon our achievement of specified minimum payment volume targets and integration targets. As of December 31, 2023, no contingent consideration is due or payable with respect to the WPM acquisition. During the year ended December 31, 2022, we paid $0.4 million in contingent consideration related to the completion of integration targets. There was no contingent consideration paid during the year ended December 31, 2021. Certain amounts were also tied to continued employment of key employees. During the year ended December 31, 2023, we expensed $0.7 million in personnel costs associated with retention of key employees. These personnel costs have been paid through shares of Flywire common stock issued in January 2023, July 2023 and January 2024. During the year ended December 31, 2022 and 2021, we expensed $0.9 million and less than $0.1 million, respectively, in personnel costs associated with the retention of key employees. WPM is a leading software provider that enables seamless and secure payment experiences for universities and colleges across the U.K. The acquisition of WPM was intended to build on our existing education payments business and is expected to further accelerate our market share in the U.K. education sector. WPM contributed $6.3 million, $6.4 million and $0.3 million in platform revenue during the years ended December 31, 2023, 2022 and 2021, respectively.

Our Revenue Model

We derive revenue from transactions and platform and usage-based fees.

Transaction revenue is earned from payment processing services provided to our clients. The fee earned on each transaction consists of a rate applied to the total payment value of the transaction, which can vary based on the payment method currency pair conversion and the geographic region in which our client and the clients’ customer resides. We also earn revenue from marketing fees from credit card service providers for marketing arrangements in which we perform certain marketing activities which we consider to be ancillary to the solutions we provide to our clients.

Platform and usage-based fee revenue includes (i) fees earned for the utilization of our payment platform to optimize cash collections, (ii) fees collected on payment plans established by our clients on our payment platform, (iii) subscription fees and (iv) fees related to printing and mailing services which we consider to be ancillary to the solutions we provide to our clients.

Key Operating Metrics and Non-GAAP Financial Measures

To supplement our consolidated financial statements, which are prepared in accordance with generally accepted accounting principles in the United States (GAAP), we use certain non-GAAP financials measures. The following table sets forth our key operating metrics and non-GAAP measures for the periods presented. All dollar amounts are rounded to the nearest million. As a result, certain amounts may not recalculate using the rounded amounts provided.

For the year ended December 31, 2023, transaction revenue and platform and usage-based fee revenue represented 81.8% and 18.2% of our revenue, respectively. For the year ended December 31, 2023, transaction revenue and platform and usage-based fee revenue represented 85.8% and 14.2% of our total revenue less ancillary services, respectively.

For the year ended December 31, 2022, transaction revenue and platform and usage-based fee revenue represented 77.5% and 22.5% of our revenue, respectively. For the year ended December 31, 2022, transaction revenue and platform and usage-based fee revenue represented 83.2% and 16.8% of our total revenue less ancillary services, respectively.

For the year ended December 31, 2021, transaction revenue and platform and usage-based fee revenue represented 73.6% and 26.4% of our revenue, respectively. For the year ended December 31, 2021, transaction revenue and platform and usage-based fee revenue represented 80.7% and 19.3% of our total revenue less ancillary services, respectively.

For the year ended December 31, 2023, our total payment volume was over $24.0 billion, consisting of $17.7 billion of total payment volume from transactions included in transaction revenue and $6.3 billion of total payment volume from transactions included in platform and usage-based fee revenue.

For the year ended December 31, 2022, our total payment volume was approximately $18.1 billion, consisting of $12.1 billion of total payment volume from transactions included in transaction revenue and $6.0 billion of total payment volume from transactions included in platform and usage-based fee revenue.

For the year ended December 31, 2021, our total payment volume was approximately $13.2 billion, consisting of $8.4 billion of total payment volume from transactions included in transaction revenue and $4.8 billion of total payment volume from transactions included in platform and usage-based fee revenue.

Total Payment Volume

To grow revenue from clients we must facilitate the use of our payment platform by our clients to process the amounts paid to them by their customers. The more our clients use our platform and rely upon our features to automate their payments, the more payment volume is processed on our solution. This metric provides an important indication of the value of the transactions that our clients’ customers are completing on our payment platform and is an indicator of our ability to generate revenue from our clients. We define total payment volume as the total amount paid to our clients on our payments platform in a given period.

Revenue Less Ancillary Services, Revenue Less Ancillary Services at Constant Currency, Adjusted Gross Profit, Adjusted Gross Margin and Adjusted EBITDA

We use non-GAAP financial measures to supplement financial information presented on a GAAP basis. We believe that excluding certain items from our GAAP results allows management to better understand our consolidated financial

performance from period to period and better project our future consolidated financial performance as forecasts are developed at a level of detail different from that used to prepare GAAP-based financial measures. Moreover, we believe these non-GAAP financial measures provide our stakeholders with useful information to help them evaluate our operating results by facilitating an enhanced understanding of our operating performance and enabling them to make more meaningful period to period comparisons. There are limitations to the use of the non-GAAP financial measures presented here. Our non-GAAP financial measures may not be comparable to similarly titled measures of other companies. Other companies, including companies in our industry, may calculate non-GAAP financial measures differently than we do, limiting the usefulness of those measures for comparative purposes.

We use supplemental measures of our performance which are derived from our consolidated financial information, but which are not presented in our consolidated financial statements prepared in accordance with GAAP. These non-GAAP financial measures include the following:

These non-GAAP financial measures are not meant to be considered as indicators of performance in isolation from or as a substitute for revenue, gross margin or net loss prepared in accordance with GAAP and should be read only in conjunction with financial information presented on a GAAP basis. Reconciliations of Revenue Less Ancillary Services, Revenue Less Ancillary Services at Constant Currency, Adjusted Gross Profit, Adjusted Gross Margin and Adjusted EBITDA to the most directly comparable GAAP financial measure are presented below. We encourage you to review these reconciliations in conjunction with the presentation of the non-GAAP financial measures for each of the periods presented. In future fiscal periods, we may exclude such items and may incur income and expenses similar to these excluded items.

Reconciliations of Non-GAAP Financial Measures

The tables below provide reconciliations of Revenue Less Ancillary Services, Revenue Less Ancillary Services at Constant Currency, Adjusted Gross Profit, Adjusted Gross Margin and Adjusted EBITDA to the most comparable GAAP figure on a consolidated basis for the periods presented. All dollar amounts are rounded to the nearest million. As a result, certain amounts may not recalculate using the rounded amounts provided.

Revenue Less Ancillary Services, Adjusted Gross Profit and Adjusted Gross Margin: