WORLDLINE_REGISTRATION_DOCUMENT_2017

Risk Factors [GRI 102-15] and [GRI 102-11] Risks related to the Group’s business and industry [GRI 102-10]

Security breaches could disrupt the Group’s business and damage its reputation. As part of its business, the Group electronically receives, processes, stores and transmits sensitive business information of its clients. In addition, depending on the services offered, the Group collects and processes a significant amount of sensitive personal consumer data, including names and addresses, cardholder data, payment history records, personal medical data and tax information, among other consumer data. The confidentiality and integrity of the client and consumer information that resides on the Group’s servers and other information systems is critical to the successful operation of its business. Accordingly, the Group has security, backup and recovery systems in place. The costs of systems and procedures associated with such protective measures could increase and therefore reduce the Group’s profitability. Notwithstanding these safeguards, unauthorized access to the Group’s computer systems or databases could result in the theft or publication of confidential information, the deletion or modification of records or could otherwise cause interruptions in the Group’s operations. These risks are increased when the Group transmits information over the Internet. The Group’s visibility, or the visibility of the brands for which it processes data, in the global payment and digital services industry may attract hackers to conduct attacks on its systems that could compromise the security of its data or could cause interruptions in the operations of its businesses and subject the Group to increased costs, litigation and other liabilities. Any such litigation could be protracted and result in the payment of damages and costly upgrades to the Group’s safeguards. There is also a possibility of mishandling or misuse, for example, if such information were erroneously provided to parties who are not permitted to have the information, either by fault of the Group’s systems, employees or subcontractors acting contrary to the Group’s policies, or where such information is intercepted or otherwise improperly obtained by third parties. An information breach in the system and loss of confidential information such as credit card numbers and related information could have a longer and more significant impact on the Group’s business operations than a hardware failure and could result in claims against the Group for misuse of personal information, such as identity theft. The loss of confidential information could result in the payment of damages and reputational harm and therefore have a material adverse effect on the Group’s business, results of operations and financial condition. Additionally, the introduction of, or changes to, existing “cyber” security rules and regulations may impose new or stricter security standards that

require changes that would be costly for the Group to implement. The Group’s financial exposure from the items referenced above may either not be insured against or not fully covered through any insurance maintained by the Data privacy concerns or failure to comply with privacy regulations and industry security requirements relating to personal consumer data could have a material adverse effect on the Group’s business and reputation. The Group’s systems collect, process and store vast quantities of personal consumer data. Many of the value added services the Group offers its clients are designed to analyze some of that data to allow merchants, financial institutions and other clients to deliver targeted advertising and better understand consumer needs and behavior in order to develop more effective products and services that address their preferences. User and regulatory attitudes towards privacy are evolving, and future regulatory or user concerns about the extent to which personal information is shared with advertisers or others could adversely affect the feasibility or marketability of such value added services. Moreover, as a global provider of services to financial institutions, card processing services and other digital and e-Transactional services, the Group is subject directly (or indirectly through its clients) to laws, regulations, industry standards and limitations applicable to the collection, storage, processing and transfer of personal data in various jurisdictions in which the Group operates, and in particular to the European Regulation GDPR (General Data Protection Regulation). The Group’s failure to keep apprised of and comply with privacy, data use and security laws, standards and regulations could result in the suspension or revocation of licenses or registrations, the limitation, suspension or termination of services and the imposition of administrative, civil or criminal penalties including fines, or may cause existing or potential customers to be reluctant to do business with the Group, damage to the Group’s global reputation and its brand, any of which could have an adverse effect on the Group’s business, results of operations and financial condition. In addition, to the extent more restrictive laws, rules or industry security requirements relating to personal data are adopted in the future in the various jurisdictions in which the Group operates or by specific industry bodies, such changes could have an adverse impact on the Group by increasing its costs or imposing restrictions on its business processes. The Group may be required to expend significant capital and other resources to comply with mandatory privacy and security standards required by international standards and law and industry standards, or to adapt its contracts accordingly. The Group’s financial exposure from any actual or alleged breach of such regulations or standards may either not be insured against or not fully covered through any insurance maintained by the Group. Group.

F

267

Worldline 2017 Registration Document