Fifth Third Bank is presumed not to control us under the statutory terms of the
BHC Act based on its current ownership level. Nevertheless, in the future or in connection with other initiatives, the ODFI or Federal Reserve could assert that our relationship with Fifth Third Bank imposes limitations, conditions or approval
requirements under banking laws that affect our activities, investments or acquisitions. The imposition of such limitations, conditions or approval requirements could have an adverse impact on our business, such as by preventing us from pursuing an
otherwise attractive acquisition or business opportunity.
The framework by which we would address such circumstances is set forth in the
Second Amended and Restated Limited Liability Company Agreement of Worldpay Holding, LLC, as amended by that certain Transaction Agreement, dated August 7, 2017, by and among the Company, Worldpay Holding, Fifth Third Bank and Fifth Third
Bancorp (the Worldpay Holding LLC Agreement). Among other things, we must notify Fifth Third Bank before we engage in any business activity (by acquisition, investment or organic growth that may reasonably require Fifth Third Bank or an affiliate of
Fifth Third Bank to obtain regulatory approval, so that Fifth Third Bank can consider the legal permissibility of the activity and any required regulatory approvals, and we and Fifth Third Bank must use our respective reasonable best efforts to
obtain any such regulatory approvals if we determine to pursue the business activity. The Worldpay Holding LLC Agreement also includes provisions to address circumstances where any such required regulatory approval is not obtained.
The United Kingdom
In the U.K.,
the Payment Services Regulations 2017 require non-bank payment service providers, such as Worldpay, to be authorized as Payment Institutions upon which these regulations impose an on-going system of regulation and control. To comply with these regulations, we have licensed three entities, Worldpay (UK) Limited (WPUKL), Worldpay Limited (WPL) and Worldpay AP Ltd (WPAP), as Authorized
Payment Institutions and we are authorized to provide certain payment services across the European Economic Area. The FCA has the power to take a range of enforcement actions, including the ability to sanction firms and individuals carrying
out functions within the firm. Additionally, WPUKL has a regulated consumer hire business, for which it currently holds the necessary permission under the U.K. Financial Conduct Authority and WPAP is registered with Her Majestys Revenue and
Customs for the purposes of the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017. We are also subject to the Regulation of the European Parliament and the Council on interchange fees for
card-based payment transactions (IFR). These interchange fees are a major part of the charges paid by merchants to payment service providers. The Payment Systems Regulator is the competent authority for the monitoring and enforcement of compliance
with the IFR in the U.K.
Worldpay BV (WPBV) is incorporated and registered in the Netherlands and holds a license from the Dutch Central Bank (De Nederlandsche Bank or
DNB) for providing payment services. The regulatory system in the Netherlands is a comprehensive system based on the Dutch Financial Supervision Act, which sets out rules regarding the conduct of business supervision (exercised by the Netherlands
Authority of Financial Markets (Autoriteit Financiële Markten or AFM)) and prudential supervision exercised by DNB on payment services providers. As WPBV provides payment services in the Netherlands, it is both subject to the supervision of the
DNB and the AFM, both of which are empowered to intervene in cases of non-compliance with the regulations.
Association and Network Rules
subject to the network rules of Visa, Mastercard and other payment networks. The payment networks routinely update and modify their requirements. On occasion, we have received notices of non-compliance and
fines, which have typically related to excessive chargebacks by a merchant or data security failures. Although these network rules are not government regulations, our failure to comply with the networks requirements or to pay the fines they
impose could cause the termination of our registration and require us to stop providing payment processing services.
Privacy and Information Security
We provide services that may be subject to privacy laws and regulations of a variety of U.S. and foreign jurisdictions,
including the European Union General Data Protection Regulation (GDPR). These laws and regulations restrict the collection, processing, storage, use and disclosure of personal information, require notice to individuals of privacy
practices and provide individuals with certain rights to prevent the use and disclosure of protected information. These laws also impose requirements for safeguarding and proper destruction of personal information through the issuance of data
security standards or guidelines. For example, relevant U.S. federal privacy laws include the Gramm-Leach-Bliley Act of 1999, which applies directly to a broad range of financial institutions and indirectly, or in some instances directly, to
companies that provide services to financial institutions. In addition, there are state laws restricting the ability to collect and utilize certain types of information such as Social Security and drivers license numbers. U.S. federal and
state and foreign laws also impose privacy and data security requirements, which can include obligations to provide notification of security breaches of computer databases that contain personal information to affected individuals, officers and
consumer reporting agencies and businesses and governmental agencies that own data. In addition, we are subject to the GDPR, which is the expanded E.U. regime applicable to all foreign companies processing personal data of E.U. residents. GDPR
requires companies to maintain a comprehensive data protection and privacy program to protect the personal and sensitive data of European citizens and residents, and failure to comply with GDPR, including country-specific legislation interpreting
GDPR, carries significant penalties.
- 8 -