EXHIBIT 99.5

The following sets forth (i) the Risk Factors discussion of WageWorks, Inc. (“WageWorks”) described in Part I, Item 1A in WageWorks’s Annual Report on Form 10-K for the year ended December 31, 2018 (the “Annual Report), and filed with the Securities and Exchange Commission on May 30, 2019 and (ii) information related to material pending litigation contained in Part I, Item 3 in the Annual Report.

As used herein, “WageWorks,” “we,” “us” and “our” and similar terms include WageWorks, Inc. and its wholly-owned subsidiaries, unless the context indicates otherwise.

Risk Factors

You should carefully consider the risks described below together with the other information set forth in this Annual Report on Form 10-K, which could materially affect our business, financial condition and future results. The risks described below are not the only risks facing our company. Risks and uncertainties not currently known to us or that we currently deem to be immaterial also may materially adversely affect our business, financial condition and operating results. If any of the following risks is realized, our business, financial condition, results of operations and prospects could be materially and adversely affected. In that event, the trading price of our common stock could decline.

The restatement of our previously issued financial statements has been time-consuming and expensive and could expose us to additional risks that could materially adversely affect our financial position, results of operations and cash flows.

As discussed in the Explanatory Note to the 2017 Annual Report on Form 10-K and in Note 2, “Restatement” to the Notes to our Consolidated Financial Statements included in the 2017 Annual Report, we have restated our previously issued financial statements for (i) the quarterly and year-to-date periods ended June 30 and September 30, 2016, (ii) the year ended December 31, 2016 and (iii) the quarterly and year-to-date periods ended March 31, June 30 and September 30, 2017. These restatements, and the remediation efforts we have undertaken and are continuing to undertake, have been time-consuming and expensive and could expose us to a number of additional risks that could materially adversely affect our financial position, results of operations and cash flows.

In particular, we have incurred significant expenses, including audit, legal, consulting and other professional fees and lender and noteholder consent fees, in connection with the restatement of our previously issued financial statements and the ongoing remediation of material weaknesses in our internal control over financial reporting. We have taken a number of steps, including adding significant internal resources and implementing a number of additional procedures, in order to strengthen our accounting function and attempt to reduce the risk of additional misstatements in our financial statements. To the extent these steps are not successful, we could be forced to incur additional time and expense. Our management’s attention has also been diverted from the operation of our business in connection with the restatements and ongoing remediation of material weaknesses in our internal controls.

We are also subject to a securities class action and shareholder derivative suits and investigations arising out of the misstatements in our financial statements, including investigations by the Securities and Exchange Commission (the “SEC”) and the U.S. Attorney’s Office for the Northern District of California (the “USAO”). For additional discussion see Item 3. Legal Proceedings and “Legal Matters” in Note 15 to our Consolidated Financial Statements.

The restatement of our previously issued financial results has resulted in securities class action and shareholder litigation, as well as government investigations that could result in government enforcement actions that could have a material adverse impact on our results of operations, financial condition, liquidity and cash flows.

We are subject to securities class action and shareholder litigation relating to our previous public disclosures. In addition, we are subject to government investigations arising out of the misstatements in our previously issued financial statements. For additional discussion see Item 3. Legal Proceedings and “Legal Matters” in Note 15 to our Consolidated Financial Statements.

On March 9, 2018, a putative class action - captioned Government Employees’ Retirement System of the Virgin Islands v. WageWorks, Inc., et al., No. 4:18-cv-01523-JSW - was filed in the United States District Court for the Northern District of California (the “Securities Class Action”) against the Company, our former Chief Executive Officer, and

our former Chief Financial Officer. The complaint asserts claims under Sections 10(b) and 20(a) of the Securities Exchange Act of 1934, on behalf of persons and entities that acquired WageWorks securities between May 6, 2016 and March 1, 2018, and alleges, among other things, that the defendants issued false and misleading financial statements.

On June 22, 2018 and September 6, 2018, two derivative lawsuits were filed against certain of our officers and directors and the Company (as nominal defendant) in the Superior Court of the State of California, County of San Mateo. Pursuant to the parties’ stipulation, which was approved by the Superior Court, the actions were consolidated. On July 23, 2018, a similar derivative lawsuit was filed against certain of our officers and directors and the Company (as nominal defendant) in the United States District Court for the Northern District of California (together, the “Derivative Suits”).

Furthermore, the Company voluntarily contacted the San Francisco office of the SEC Division of Enforcement regarding the restatement and independent investigation, is providing information and documents to the SEC and will continue to cooperate with the SEC’s investigation into these matters. The U.S. Attorney’s Office for the Northern District of California also opened an investigation. The Company has provided documents and information to the U.S. Attorney’s Office and will continue to cooperate with any inquiries by the U.S. Attorney’s Office regarding the matter. For additional discussion of these matters, see Note 15, “Commitments and Contingencies,” in the Notes to our consolidated financial statements included in this Annual Report on Form 10-K.

We could become subject to additional private litigation or investigations, or one or more government enforcement actions, arising out of the misstatements in our previously issued financial statements. Our management may be required to devote significant time and attention to these matters, and these and any additional matters that arise could have a material adverse impact on our results of operations, financial condition, liquidity and cash flows. While we cannot estimate our potential exposure to these matters at this time, we have already expended significant amounts investigating the claims underlying and defending this litigation and expect to continue to need to expend significant amounts to defend this litigation.

We have identified material weaknesses in our internal control over financial reporting which could, if not remediated, adversely affect our ability to report our financial condition and results of operations in a timely and accurate manner, which may adversely affect investor confidence in our company and, as a result, the value of our common stock.

Our management is responsible for establishing and maintaining adequate internal control over our financial reporting, as defined in Rule 13a-15(f) under the Exchange Act. In Item 9A, “Controls and Procedures” of this Annual Report, management identified material weaknesses in our internal control over financial reporting.

As a result of the material weaknesses, our management concluded that our internal control over financial reporting was not effective as of December 31, 2018 and 2017. The assessment was based on criteria established in Internal Control-Integrated Framework issued by the Committee of Sponsoring Organizations of the Treadway Commission in 2013. We are actively engaged in developing a remediation plan designed to address the material weaknesses, but our remediation efforts are not complete and are ongoing. If our remedial measures are insufficient to address the material weaknesses, or if additional material weaknesses or significant deficiencies in our internal control are discovered or occur in the future, it may materially adversely affect our ability to report our financial condition and results of operations in a timely and accurate manner. If we are unable to report our results in a timely and accurate manner, we may not be able to comply with the applicable covenants in our financing arrangements, and may be required to seek additional waivers or repay amounts under these financing arrangements earlier than anticipated, which could adversely impact our liquidity and financial condition. Although we continually review and evaluate internal control systems to allow management to report on the sufficiency of our internal controls over financial reporting, we cannot assure you that we will not discover additional weaknesses in our internal control over financial reporting. The next time we evaluate our internal control over financial reporting, if we identify one or more new material weaknesses or are unable to timely remediate our existing material weaknesses, we may be unable to assert that our internal controls are effective. If we are unable to assert that our internal control over financial reporting is effective, or if our independent registered public accounting firm is unable to express an unqualified opinion or expresses an adverse opinion on the effectiveness of our internal controls, we could lose investor confidence in the accuracy and completeness of our financial reports, which would have a material adverse effect on the price of our

2

common stock and possibly impact our ability to obtain future financing on acceptable terms. We may also lose assets if we do not maintain adequate internal controls.

If our internal controls are not effective, there may be errors in our financial information that could require a restatement or delay our SEC filings. Such material weaknesses could materially and adversely affect our operations, financial condition, reputation and stock price.

We have, in the past, experienced issues with our internal control over financial reporting related to managing change and assessing risk in the areas of non-routine and complex transactions, tone at the top, and commitment to competencies in the areas of non-routine and complex transactions. It is possible that we may discover significant deficiencies or material weaknesses in our internal control over financial reporting in the future. Any failure to maintain or implement required new or improved controls, or any difficulties we encounter in their implementation, could cause us to fail to meet our periodic reporting obligations, or result in material misstatements in our financial information. If we are unable to effectively remediate and adequately manage our internal control over financial reporting in the future, we may be unable to produce accurate or timely financial information. As a result, we may be unable to meet our ongoing reporting obligations or comply with applicable legal requirements, which could lead to the imposition of sanctions or further investigation by regulatory authorities. Any such action or other negative results caused by our inability to meet our reporting requirements or comply with legal and regulatory requirements could lead investors and others to lose confidence in our financial data and could adversely affect our business and our stock price. Significant deficiencies or material weaknesses in our internal control over financial reporting could also reduce our ability to obtain financing or could increase the cost of available financing. Internal control over financial reporting may not prevent or detect all errors or acts of fraud.

Internal control over financial reporting may not achieve, and in some cases have not achieved, their intended objectives. Control processes that involve human diligence and compliance, such as our disclosure controls and procedures and internal control over financial reporting, are subject to lapses in judgment and breakdowns resulting from human failures. Controls can also be circumvented by collusion or improper management override of such controls. Because of such limitations, there are risks that material misstatements due to error or fraud may not be prevented or detected, and that information may not be reported on a timely basis. The failure of our controls to be effective could have a material adverse effect on our business, financial condition, results of operations, and market for our common stock, and could subject us to regulatory scrutiny and penalties.

Matters relating to or arising from our Special Committee and Audit Committee investigations, including regulatory investigations and proceedings, litigation matters and potential additional expenses, may adversely affect our business and results of operations.

We have incurred, and may continue to incur, significant expenses related to legal, accounting, and other professional services in connection with the Special Committee and Audit Committee investigations and related legal matters, as previously disclosed in our public filings, including the review of our accounting, the audit of our financial statements and the ongoing remediation of deficiencies in our internal control over financial reporting. As described in Item 9A., “Controls and Procedures,” of this report, we have taken a number of steps in order to strengthen our accounting function and attempt to reduce the risk of future recurrence and errors in accounting determinations. The validation of the efficacy of these remedial steps will result in us incurring near term expenses, and to the extent these steps are not successful, we could be forced to incur significant additional time and expense. The incurrence of significant additional expense, or the requirement that management devote significant time that could reduce the time available to execute on our business strategies, could have a material adverse effect on our business, results of operations and financial condition. These expenses, the delay in timely filing our periodic reports, and the diversion of the attention of the management team that has occurred, and is expected to continue, has adversely affected, and could continue to adversely affect, our business and financial condition. As a result, we are exposed to greater risks associated with litigation, regulatory proceedings and government enforcement actions. Any future investigations or additional lawsuits may adversely affect our business, financial condition, results of operations and cash flows.

3

We have not been in compliance with NYSE’s requirements for continued listing and as a result our common stock may be delisted from trading on the NYSE, which would have a material effect on us and our stockholders.

We are currently delinquent in the filing of certain of our periodic reports with the SEC, and have been delinquent in our filings in the past. We have also not convened an Annual Meeting of Stockholders since 2017. As a result, we are not in compliance with listing requirements of Section 802.01E of the NYSE Listed Company Manual which requires timely filing of periodic financial reports with the SEC. The NYSE informed the Company that, under the NYSE’s rules, the Company will have six months from March 1, 2019 to regain compliance. If the Company fails to meet the NYSE’s six-month compliance deadline, the NYSE may grant, at its sole discretion, an extension of up to six additional months for the Company to regain compliance, depending on the specific circumstances.

Our failure to file our periodic reports with the SEC in a timely manner or within any extension periods prescribed by the NYSE, may subject our common stock to delisting by the NYSE. If our common stock is delisted, there can be no assurance whether or when it would again be listed for trading on NYSE or any other exchange. If our common stock is delisted, the market price of our shares will likely decline and become more volatile, and our stockholders may find that their ability to trade in our stock will be adversely affected. Furthermore, institutions whose charters do not allow them to hold securities in unlisted companies might sell our shares, which could have a further adverse effect on the price of our stock. In addition, our ability to hire and retain key personnel and employees may be adversely affected by volatility or reductions in the price of our common stock, since these employees are generally granted equity-based awards. We have previously experienced and may continue to experience employee attrition and difficulty attracting talent as a result of these issues. We may not be successful in attracting, integrating, or retaining qualified personnel to fulfill our current or future needs, nor may we be successful in keeping the qualified personnel we currently have.

The delayed filing of some of our periodic SEC reports has made us currently ineligible to use a registration statement on Form S-3 to register the offer and sale of securities, which could adversely affect our ability to raise future capital or complete acquisitions.

As a result of the delayed filing of some of our periodic reports with the SEC, we will not be eligible to register the offer and sale of our securities using a registration statement on Form S-3 until one year from the date we regained and maintain status as a current filer. Should we wish to register the offer and sale of our securities to the public prior to the time we are eligible to use Form S-3, both our transaction costs and the amount of time required to complete the transaction could increase, making it more difficult to execute any such transaction successfully and potentially harming our financial condition.

Furthermore, the Company has several employee and director equity plans that are registered under the Securities Act of 1933, as amended, pursuant to Form S-8. Under SEC regulations, the Company’s failure to timely file its periodic and annual reports with the SEC resulted in the suspension of the availability of these insider equity plans, including the Company’s Profit Sharing Plan. For that reason, employees and directors have not been permitted to liquidate any preexisting holdings of the Company’s common stock, nor has the Company been able to issue equity retention or incentive awards since early 2018.

Our business operations are dependent upon our new senior management team and the ability of our other new employees to learn their new roles.

Within the past two years, we have substantially changed our senior management team and have replaced many of the other employees performing key functions at our corporate headquarters. Our Chief Executive Officer is new to that role and we have a new Executive Chairman, Chief Financial Officer, General Counsel and other members of our senior management team. As new employees gain experience in their roles, we could experience inefficiencies or a lack of business continuity due to loss of historical knowledge and a lack of familiarity of new employees with business processes, operating requirements, policies and procedures, some of which are new, and key information technologies and related infrastructure used in our day-to-day operations and financial reporting and we may experience additional costs as new employees learn their roles and gain necessary experience. It is important to our success that these key employees quickly adapt to and excel in their new roles. If they are unable to do so, our business and financial results could be materially adversely affected. In addition, if we were to lose the services of any one or more key employees,

4

whether due to death, disability or termination of employment, our ability to successfully implement our business strategy, financial plans, marketing and other objectives, could be significantly impaired.

Our business is dependent upon the availability of tax-advantaged Consumer-Directed Benefits to employers and employees and any diminution in, elimination of, or change in the availability of these benefits would materially adversely affect our results of operations, financial condition, business and prospects.

Our business fundamentally depends on employer and employee demand for tax-advantaged CDBs. Any diminution in or elimination of the availability of CDBs for employees would materially adversely affect our results of operations, financial condition, business and prospects. In addition, incentives for employers to offer CDBs may also be reduced or eliminated by changes in laws that result in employers no longer realizing financial gain from the implementation of these benefits. If employers cease to offer CDB programs or reduce the number of programs they offer to their employees, our results of operations, financial condition, business and prospects would also be materially adversely affected. We are not aware of any reliable statistics on the growth of CDB programs and cannot assure you that participation in CDB programs will grow.

The Tax Act generally disallows a deduction for expenses with respect to Qualified Transportation Fringe Benefits (“QTF(s)”) provided by employer taxpayers to their employees, and generally provides that a tax-exempt organization’s Unrelated Business Tax Income is increased by the amount of the QTF expense that is nondeductible. This means our revenue may decline and our results of operations, financial condition, business and prospects may be materially adversely affected.

In addition, if the payroll tax savings employers currently realized from their employees’ utilization of CDBs become reduced or unavailable, employers may be less inclined to offer these programs to their employees. If the tax savings currently realized by employee participants by utilizing CDBs were reduced or unavailable, we expect employees would correspondingly reduce or eliminate their participation in such CDB plans. Any such reduction in employer or employee incentives would materially adversely affect our results of operations, financial condition, business and prospects.

Future acquisitions are an important aspect of our growth strategy, and any failure to successfully identify, acquire or integrate acquisitions could materially adversely affect our ability to grow our business. In addition, costs of integrating acquisitions may adversely affect our results of operations in the short term.

Our recent growth has been, and our future growth will be, substantially dependent on our ability to continue to make and integrate acquisitions in order to expand our employer client base and service offerings. Since 2007, we have completed eleven significant transactions that involved the acquisition of client relationships, contracts and revenues. These acquisitions varied significantly in type and structure and were designed to accommodate each seller’s circumstances and to optimize our potential financial returns and manage risks. We expect our future acquisitions (with their attendant risks) will vary similarly as opportunities warrant.

Our successful integration of these acquisitions into our operations on a cost-effective basis is critical to our future financial performance, especially as it relates to our acquisition of ADP’s Consumer Health Spending Account (“CHSA”), COBRA, and direct bill businesses (together defined as the “ADP CHSA/COBRA Business”). Our inability to successfully continue and maintain the integration of the ADP CHSA/COBRA Business has resulted in the attrition of ADP’s clients, which may continue to occur. As a result, our revenue may decline and our results of operations, financial condition, business and prospects may be materially adversely affected. While we believe that there are numerous potential acquisitions that would add to our employer client base and service offerings, we cannot assure you that we will be able to successfully make a sufficient number of such acquisitions in a timely and effective manner in order to support our growth objectives. In addition, the process of integrating acquisitions may create unforeseen difficulties and expenditures. We face various risks in making any acquisitions and entering into strategic relationships, including:

5

·our ability to retain acquired employer clients and their associated revenues;

·diversion of management’s time and focus from operating our business to address integration challenges;

·our ability to retain or replace key employees that come to us from acquisitions we acquire;

·our ability to integrate the combined products, services and technology;

·our ability to cross-sell additional CDB programs to acquired employer clients;

·our ability to realize expected synergies;

·the need to implement or improve internal controls, procedures and policies appropriate for a public company at businesses that, prior to the acquisition, may have lacked effective controls, procedures and policies, including, but not limited to, processes required for the effective and timely reporting of the financial condition and results of operations of the acquired business, both for historical periods prior to the acquisition and on a forward-looking basis following the acquisition;

·possible write-offs or impairment charges that result from acquisitions;

·unanticipated or unknown liabilities that relate to purchased businesses;

·the potential need to implement or improve internal controls relating to privacy, security and data protection;

·the need to integrate purchased businesses’ accounting, management information, human resources, and other administrative systems to permit effective management; and

·any change in one of the many complex international, federal or state laws or regulations that govern any aspect of the financial or business operations of our business and businesses we acquire, such as state escheatment laws.

Acquisitions may also have a short-term material adverse impact on our results of operations, including a potential material adverse impact on our cost of revenues, as we seek to migrate acquired employer clients to our proprietary technology platforms, typically 12 to 24 months after transaction close, in order to achieve additional operating efficiencies. Additionally, from time to time, we may incur material costs and charges related to consolidating our operations following our acquisitions.

If we are unable to retain and expand our employer client base, establish new partnerships and exchange relationships, our results of operations, financial condition, business and prospects would be materially adversely affected.

Most of our revenue is derived from the long term, multi-year agreements that we typically enter into with our employer clients. The initial subscription period is typically three years for our enterprise clients and one to three years for our SMB and mid-market clients. We also derive revenue from our partner agreements with Aflac Incorporated, Ceridian Corporation (“Ceridian”), the referral and reseller agreements with ADP, and we anticipate in the future establishing new partnerships with other companies. Our employer clients, however, have no obligation to renew their agreements with us after the initial term and we cannot assure you that these employer clients will continue to renew their agreements at the same rate, if at all. In addition, employer clients transitioning to us from a partner have no obligation to enter into agreements with us and, if they do, there is no guarantee that they will renew their agreements with us after the initial transition period.

Moreover, most of our employer clients have the right to cancel their agreements for convenience, including the OPM, subject to certain notice requirements. While few employer clients have terminated their agreements with us for

6

convenience, some of our employer clients have elected not to renew their agreements with us. Our employer clients’ renewal rates may decline or fluctuate as a result of a number of factors, including the prices of competing products or services, reductions in our employer clients’ spending levels, disruptions in connection with the migration of accounts from one platform to another and in-house development of CDB services by our employer clients. Our employer client retention rate may further decline as a result of the audit and restatement.

Another important aspect of our growth strategy depends upon our ability to maintain our existing carrier, partner, and exchange relationships and develop new relationships. No assurance can be given that new carrier, partners, or exchange opportunities will be found, that any such new relationships will be successful when they are in place, or that business with our current partners or exchange opportunities will increase at the level necessary to support our growth objectives. If our employer clients do not renew their agreements with us, and we are unable to attract new employer clients or partners, our revenue may decline and our results of operations, financial condition, business and prospects may be materially adversely affected.

The market for our services and our business may not grow if our marketing efforts do not successfully raise awareness among employers and employees about the advantages of adopting and participating in CDB programs.

Our revenue model is substantially based on the number of employee participants enrolled in the CDB programs that we administer. We devote significant resources to educating both employers and their employees on the potential cost savings and other financial benefits available to them from utilizing CDB programs. We have created various marketing, educational and awareness tools to inform employers about the benefits of offering CDB programs to their employees and how our services allow them to offer these benefits in an efficient and cost effective manner. We also provide marketing information to employees that inform them about the potential tax savings they can achieve by utilizing CDB programs to pay for their healthcare, commuter and other benefit needs. However, if more employers and employees do not become aware of or understand these potential cost savings and other financial benefits and do not choose to adopt CDB programs, our results of operations, financial condition, business and prospects may be materially adversely affected.

In addition, there is no guarantee that the market for our services will grow as we expect. For example, the value of our services is directly related to the complexity of administering CDB programs. Government action that significantly reduces or simplifies these requirements could reduce demand or pricing for our services. Further, employees may not participate in CDB programs because they have insufficient funds to set aside into such programs, find the rules regarding the use of such programs too complex, or otherwise. If the market for our services declines or develops more slowly than we expect, or the number of employer clients that select us to provide CDB programs to their employee participants declines or fails to increase as we expect, our results of operations, financial condition, business and prospects could be materially adversely affected.

Our business and prospects may be materially adversely affected if we are unable to cross-sell our products and services.

One component of our growth strategy is the increased cross-selling of products and services to current and future employer clients. In particular, many of our employer clients use only one of our products so we expect our ability to cross-sell our commuter programs to our healthcare program clients and our healthcare programs to our commuter employer clients to be an important part of this strategy. We may not be successful in cross-selling our products and services if our employer clients find our additional products and services to be unnecessary or unattractive. Any failure to sell additional products and services to current and future clients could materially adversely affect our results of operations, financial condition, business and prospects.

The misuse or theft of information we possess, including as a result of cyber security breaches, could harm our brand, reputation or competitive position and give rise to material liabilities.

We regularly possess, store and handle non-public information about millions of individuals and businesses, including both credit and debit card information and other sensitive and confidential personal information. In addition, our customers regularly transmit confidential information to us via the internet and through other electronic means. Despite the security measures we currently have in place, our facilities and systems and those of our third-party service providers may contain defects in design or manufacture or other problems that could unexpectedly compromise

7

information security. Unauthorized parties may also attempt to gain access to our systems or facilities, or those of third parties with whom we do business, through fraud, trickery, or other forms of deception of our employees or contractors. Many of the techniques used to obtain unauthorized access, including viruses, worms and other malicious software programs, are difficult to anticipate until launched against a target and we may be unable to implement adequate preventative measures. Our failure to maintain the security of that data, whether as the result of our own error or the malfeasance or errors of others, could harm our reputation, interrupt our operations, result in governmental investigations and give rise to a host of civil or criminal liabilities. Any such failure could lead to lower revenues, increased remediation, prevention and other costs and other material adverse effects on our results of operations.

Failure to ensure and protect the confidentiality and security of participant data could lead to legal liability, adversely affect our reputation and have a material adverse effect on our results of operations, business or financial condition.

We must collect, store and use employee participants’ confidential information and transmit that data to third parties, to provide our services. For example, we collect names, addresses, and other personally identifiable information from employee participants which may include social security numbers (i.e., partial or, in some cases, full). We also collected personal health information (“PHI”), including information about employee participants’ health plans and insurance coverage. In addition, we facilitate the issuance and funding of prepaid debit cards and, in some cases, collect bank routing information, account numbers and personal credit card information for purposes of funding an account or issuing a reimbursement. Because of the types of data we collect, we are subject to numerous state data breach laws as well as the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the Health Information Technology for Economic and Clinical Health (HITECH) Act, and other legal and contractual obligations.

We utilize a number of third-party platforms and outsource a portion of customer support center services and claims processing services to third-party service providers to whom we transmit certain confidential information of our employee participants. We have security measures in place with each of these service providers to help protect this confidential information, including written agreements that outline how protected health information will be handled and shared. We cannot, however, verify the security procedures and protections of these third-party platforms or vendors are adequate. Furthermore, there are no assurances that the security measures and agreements we have in place with these service providers, or any additional security measures that our service providers may have in place, will be sufficient to protect this outsourced confidential information from unauthorized security breaches.

We have taken numerous measures to secure the data we collect; however, we cannot assure you that we will not be subject to a security incident or other data breach or that this data will not be compromised. We may be required to expend significant capital and other resources to protect against security breaches or to alleviate problems caused by security breaches, or to pay penalties as a result of such breaches. Despite our implementation of security measures, techniques used to obtain unauthorized access or to sabotage systems change frequently. As a result, we may be unable to anticipate these techniques or implement adequate preventative measures to protect this data. In addition, security breaches can also occur as a result of non-technical issues, including intentional or inadvertent breaches by our employees or service providers or by other persons or entities with whom we have commercial relationships. Any compromise or perceived compromise of our security could damage our reputation with our clients, brokers and partners, and could subject us to significant liability, as well as regulatory action, including financial penalties, which would materially adversely affect our brand, results of operations, financial condition, business and prospects.

We have incurred, and expect to continue to incur, significant costs to protect against and respond to security breaches. We may incur significant additional costs in the future to address problems caused by any actual or perceived security breaches.

Breaches of our security measures or those of our third-party service providers could result in unauthorized access to our sites, networks and systems; unauthorized access to, misuse or misappropriation of employer client or employee participants’ information, including personally identifiable information, or other confidential or proprietary information of ourselves or third parties; viruses, worms, spyware or other malware being served from our sites, networks or systems; deletion or modification of content or the display of unauthorized content on our sites; interruption, disruption or malfunction of operations or destruction of data, such as through ransomware; fraud; costs relating to notification of individuals, or other forms of breach remediation; deployment of additional personnel and protection technologies; response to governmental investigations and media inquiries and coverage; engagement of

8

third-party experts and consultants; litigation, regulatory investigations, prosecutions, and other actions, and other potential liabilities. If any of these events occurs, or is believed to have occurred, our reputation and brand could be damaged, our business may suffer, we could be required to expend significant capital and other resources to alleviate problems caused by such actual or perceived breaches, we could be exposed to a risk of loss, litigation or regulatory action and possible liability, and our ability to operate our business, including our ability to provide access, usage or maintenance and support services to our customers, may be impaired. If current or prospective employer clients or employee participants believe that our systems and solutions do not provide adequate security for the storage of personal or other sensitive information or its transmission over the internet, our business and our financial results could be harmed. Additionally, actual, potential or anticipated attacks may cause us to incur increasing costs, including costs to deploy additional personnel and protection technologies, train employees and engage third-party experts and consultants.

Although we maintain privacy, data breach and network security liability insurance, we cannot be certain that our coverage will be adequate for liabilities actually incurred or that insurance will continue to be available to us on economically reasonable terms, or at all. Any actual or perceived compromise or breach of our security measures, or those of our service providers, or any unauthorized access to, misuse or misappropriation of consumer information or other confidential business information, could violate applicable laws and regulations, contractual obligations or other legal obligations and cause significant legal and financial exposure, adverse publicity and a loss of confidence in our security measures, any of which could have a material adverse effect on our business, financial condition and operating results.

Our business is subject to a variety of laws and regulations, including those regarding privacy, data protection and information security, and our customers, partners and service providers are subject to regulations related to the handling and transfer of certain types of sensitive and confidential information. Any failure of our infrastructure, our platform, third-party platforms that we utilize, or our solutions to enable us or our customers, partners and service providers to comply with applicable laws and regulations would harm our business, financial condition and operating results.

As part of our business, we collect employee participants’ personal data for the purpose of processing their benefits. Our services and solutions are subject to privacy- and data protection-related laws and regulations that impose obligations in connection with the collection, processing and use of personally identifiable information, financial data, health data or other similar data. Among other things, we have access to, and our employer clients and employee participants are able to use our solutions to handle and transfer, personally identifiable information and other data of our current and prospective employee participants and others. The U.S. federal and various state and other jurisdictional governments have adopted or proposed limitations on, or requirements regarding, the collection, distribution, use, security and storage of personally identifiable information and other data, and the Federal Trade Commission and numerous state attorneys general are applying federal and state consumer protection laws to impose standards on the online collection, use and dissemination of data, and to the security measures applied to such data. In addition, we may find it necessary or desirable to join industry or other self-regulatory bodies or other privacy- or data protection-related organizations that require compliance with their rules pertaining to privacy, data protection, and data security, or may find it necessary or desirable to align our practices with, or certify under, other industry standards. We also are and routinely become bound by contractual obligations relating to our collection, use and disclosure of personal, financial and other data. Although we work to comply with applicable laws, regulations, industry standards, contractual obligations and other legal obligations that apply to us, these are constantly evolving and may be modified, may be interpreted and applied in an inconsistent manner from one jurisdiction to another, and may conflict with one another, other requirements or legal obligations or our practices.

In addition, various federal, state and other legislative or regulatory bodies have in place and may enact new or additional laws and regulations mandating certain disclosures, including disclosures of personally identifiable information, to domestic enforcement bodies, which could adversely impact our business, our brand or our reputation with employer clients and employee participants. Despite our efforts to protect customer data, perceptions that the privacy of personal information is not satisfactorily protected in connection with our products or services could inhibit sales of our products or services, could limit adoption of our services by consumers, businesses, and government entities, and could expose us to claims or litigation. Additional privacy- or data security-related measures we may take to address such customer concerns, constraints on our flexibility to determine how to respond to customer expectations

9

or governmental rules or actions, or costs associated with compliance with law enforcement or other regulatory authority demands or requests may adversely affect our business and operating results.

Any failure or perceived failure by us to comply with applicable laws, regulations, policies, industry standards, contractual obligations or other legal obligations relating to privacy or data security, or any actual or perceived security incident resulting in unauthorized access to, or acquisition, release or transfer of, personally identifiable information or other customer data may result in governmental or regulatory investigations, inquiries, enforcement actions and prosecutions, private litigation, fines and penalties or adverse publicity and could cause our employer clients, employee participants, and others to lose trust in us, which could have an adverse effect on our reputation, business, financial condition and results of operations.

Our services and solutions are subject to numerous laws and regulations related to the privacy and security of personal health information, including those promulgated pursuant to HIPAA, as well as HITECH, which was enacted as part of the American Recovery and Reinvestment Act of 2009, which require the implementation of administrative, physical and technological safeguards to ensure the confidentiality and integrity of individually identifiable health information in electronic form. Further, our services and solutions are subject to Payment Card Industry, or (“PCI”), data security standards that impose requirements regarding the storage and processing of payment card information. If we cannot comply with, or if we incur a violation of, any of these obligations, we could incur significant liability or our growth could be adversely impacted, either of which could have an adverse effect on our reputation, business, financial condition and operating results.

We expect that there will continue to be new proposed laws, regulations, industry standards, contractual obligations and other obligations concerning privacy, data protection and information security and we cannot yet determine the impact of such future laws, regulations, standards and obligations may have on our business. Future laws, regulations, standards and other obligations, or changed interpretations of the foregoing, could, for example, impair our ability to collect, use or store information that we utilize to provide our services, thereby impairing our ability to maintain and grow our total customer base and increase revenues. New laws, amendments to or re-interpretations of existing laws and regulations, industry standards, contractual obligations and other obligations may impact our business and practices. We may be required to expend significant resources to modify our solutions and otherwise adapt to these changes, which we may be unable to do on commercially reasonable terms or at all, and our ability to develop new solutions and features could be limited. These developments could harm our business, financial condition and results of operations.

Any such new laws, regulations, industry standards, or other legal obligations or any changed interpretation of existing laws, regulations, industry standards, or other obligations may require us to incur additional costs and restrict our business operations.

The European General Data Protection Regulation (“GDPR”) took effect in May 2018. We have conducted an analysis regarding whether and how the GDPR may impact our organization and we have determined that we and our services are not subject to the GDPR at this time. Notwithstanding, we are aware that the scope of the GDPR may implicate certain organizations in the U.S., including some of our clients, partners and other entities with which we do business. We continue to monitor this regulation, and as necessary, will update any necessary processes, policies and systems.

California recently enacted legislation, the California Consumer Privacy Act (“CCPA”), which will become effective January 1, 2020. The CCPA gives California residents expanded rights to access and delete their personal information, opt out of certain personal information sharing, and receive detailed information about how their personal information is used. The CCPA provides for civil penalties for violations, as well as a private right of action for data breaches that is expected to increase data breach litigation. As required by the CCPA, the Attorney General must adopt certain regulations on or before July 1, 2020. It remains unclear the extent of the modifications that will be made to the CCPA, or how such modifications will be interpreted. The effects of the CCPA potentially are significant and may require us to modify our data processing practices and policies and to incur substantial costs and expenses in an effort to comply.

If our privacy or data security measures fail or are perceived to fail to comply with current or future laws, regulations, policies, legal obligations or industry standards, or any changed interpretations of the foregoing, we may be subject to litigation, regulatory investigations, enforcement actions, inquiries, prosecutions, fines or other liabilities, as well as negative publicity and a potential loss of business. Moreover, if future laws, regulations, industry standards, or other

10

legal obligations, or any changed interpretations of the foregoing, limit the ability of our customers, partners or service providers to use and share personally identifiable information or other data or our ability to store, process and share personally identifiable information or other data, demand for our solutions could decrease, our costs could increase and our business, financial condition and operating results could be harmed. Even the perception of privacy or data protection concerns, whether or not valid, may inhibit market adoption, effectiveness or use of our applications.

A breach of our IT security, loss of customer data or system disruption could have a material adverse effect on our results of operations, business or financial condition and reputation.

Our business is dependent on our transaction, financial, accounting and other data processing systems, as well as instances of third-party service provider systems that we use to provide our services. We rely on these systems to process, on a daily basis, a large number of complicated transactions. Any security breach in our business processes and/or systems, or those third-party systems that we use, has the potential to impact our customer information and our financial reporting capabilities which could result in the potential loss of business and our ability to accurately report information. If any of these systems fail to operate properly or become disabled even for a brief period of time, we could potentially lose control of customer data and we could suffer financial loss, a disruption of our businesses, liability to clients, regulatory intervention or damage to our reputation. In addition, any issue of data privacy as it relates to unauthorized access to or loss of employer client and/or employee participant information could result in the potential loss of business, damage to our market reputation, litigation and regulatory investigation and penalties. Our continued investment in the security of our IT systems, continued efforts to improve the controls within our IT systems and those of any service providers that we use to provide our services, business processes improvements, and the enhancements to our culture of information security may not successfully prevent attempts to breach our security or unauthorized access to confidential, sensitive or proprietary information.

In addition, we depend on information technology networks and systems to collect, process, transmit and store electronic information and to communicate among our locations and with our partners, service providers, employer clients and employee participants. Security breaches could lead to shutdowns or disruptions of our systems and potential unauthorized disclosure of confidential information. We also are required at times to manage, utilize and store sensitive or confidential employer client and employee participant data, as well as our own employee data in the regular course of business. As a result, we are subject to numerous laws and regulations designed to protect this information, including various U.S. federal and state laws governing the protection of health or other individually identifiable information. If any person, including any of our personnel, fails to comply with, disregards or intentionally breaches our established controls with respect to such data or otherwise mismanages or misappropriates that data, we could be subject to monetary damages, fines or criminal prosecution. Unauthorized disclosure of sensitive or confidential data, whether through systems failure, accident, employee negligence, fraud or misappropriation, could damage our reputation and cause us to lose customers. Similarly, unauthorized access to or through our information systems or those we develop or utilize in connection with our provision of services, whether by our personnel or third parties, could result in significant additional expenses (including expenses relating to notification of data security breaches and costs of credit monitoring services), negative publicity, legal liability and damage to our reputation, as well as require substantial resources and effort of management, thereby diverting management’s focus and resources from business operations.

We may be unable to compete effectively against our current and future competitors.

The market for our products and services is highly competitive, rapidly evolving and fragmented. We have numerous competitors, including health insurance carriers, human resources consultants and outsourcers, payroll providers, national CDB specialists, regional third party administrators and commercial banks. Many of our competitors, including health insurance carriers, have longer operating histories and significantly greater financial, technical, marketing and other resources than we have. As a result, some of these competitors may be in a position to devote greater resources to the development, promotion, sale and support of their products and services.

For example, we may face increased competition in the FSA and HSA markets, which could result in a lower rate of account growth, service fees paid by our employer clients, and interchange fees paid by financial institutions related to transaction fees on debit cards used by employee participants. In addition, we may face competition between our internal product offerings to the extent that our employer clients choose to discontinue participation in our FSA program and instead enroll in our HSA program or otherwise. We are also challenged to maintain and increase the

11

employee participation rates in all our CDB programs, and if we fail to successfully do so, our results of operations, business and prospects could be materially adversely affected.

In addition, if one or more of our competitors were to merge or partner with another of our competitors, the change in the competitive landscape could materially adversely affect our ability to compete effectively. Our competitors may also establish or strengthen cooperative relationships with our current or future strategic brokers, insurance carriers, payroll services companies, private exchanges, third-party advisors or other parties with which we have relationships, thereby limiting our ability to promote our CDB programs with these parties and limiting the number of brokers available to sell or market our programs. This competitive environment is further magnified by relatively low customer switching costs between providers. If we are unable to compete effectively with our competitors for any of the foregoing or other reasons, our results of operations, financial condition, business and prospects could be materially adversely affected.

Changes in healthcare, security and privacy laws and other regulations applicable to our business may constrain our ability to offer our products and services.

Changes in healthcare or other laws and regulations applicable to our business may occur that could increase our compliance and other costs of doing business, require significant systems enhancement, or render our products or services less profitable or obsolete, any of which could have a material adverse effect on our results of operations. We may also be subject to additional obligations relating to personal data by contract that industry standards apply to our practices.

The Patient Protection and Affordable Care Act (“PPACA”) signed into law on March 23, 2010 and related regulations or regulatory actions could adversely affect our ability to offer certain of our CDBs in the manner that we do today or may make CDBs less attractive to some employers. For example, any new laws that increase reporting and compliance burdens on employers may make them less likely to offer CDBs to their employees and instead offer employees benefit coverage through public exchanges. In addition, it is unclear whether the “Cadillac Tax”, now delayed until 2022, will be modified so that employee contributions to FSAs and HSAs are excluded from the calculation or if the entire tax will be repealed. If employers are less incentivized to offer our CDB programs to employees because of the Cadillac Tax, the resulting increased regulatory burdens, costs or other impacts, could materially adversely affect our results of operations and financial condition, business and prospects.

In addition, the numerous federal and state laws and regulations related to the privacy and security of personal health information, in particular those promulgated pursuant to HIPAA require the implementation of administrative, physical and technological safeguards to ensure the confidentiality and integrity of individually identifiable health information in electronic form. We are required to enter into written agreements with all of our employer clients known as Business Associate Agreements. Pursuant to these agreements, and as our employer client’s “Business Associate” thereunder, we are required to safeguard all  individually identifiable health information of their participating employees and are restricted in how we use and disclose such information. These agreements also contain data security breach notification requirements which, in some circumstances, may be more stringent than HIPAA requirements. As we are unable to predict what changes to HIPAA or other privacy and security laws or regulations might be made in the future, we can’t be certain how those changes could affect our business or the costs of compliance.

We plan to extend and expand our products and services and introduce new products and services, and we may not accurately estimate the impact of developing and introducing these products and services on our business.

We intend to continue to invest in technology and development to create new and enhanced products and services to offer our employer clients and their participating employees. Scalability of our platforms remains an on-going focus as our platform volume increases. We continue to make investments in technology upgrades to ensure stability and performance of our applications for our clients and participants. Despite quality testing of technology prior to use, it may contain errors that impact its function and performance and this may result in negative consequences. We may not be able to anticipate or manage new risks and obligations or legal, compliance or other requirements that may arise. The anticipated benefits of such new and improved products and services may not outweigh the costs and resources associated with their development.

12

Our ability to attract and retain new employer clients and increase revenue from existing employer clients will depend in large part on our ability to enhance and improve our existing products and services and to introduce new products and services. The success of any enhancement or new product or service depends on several factors, including the timely completion, introduction and market acceptance of the enhancement or new product or service. Any new product or service we develop or acquire may not be introduced in a timely or cost-effective manner and may not achieve the broad market acceptance necessary to generate significant revenue. If we are unable to successfully develop or acquire new products or services or enhance our existing products or services to meet client requirements, our results of operations, financial condition, business or prospects may be materially adversely affected.

Our future results will depend on our ability to continue to focus our resources and manage costs effectively.

We are continually implementing productivity measures and focusing on measures intended to further improve cost efficiency. We may be unable to realize all expected cost savings in connection with these efforts within the expected time frame, or at all and we may incur additional and/or unexpected costs to realize them. Further, we may not be able to sustain any achieved savings in the future. Future results will depend on the success of these efforts.

If we are unable to control costs, we may incur losses, which could decrease our operating margins and significantly reduce or eliminate our profits. Our future profitability will depend on our ability to manage costs or increase productivity. An inability to effectively manage costs could adversely impact our business, results of operations, or financial condition.

If we fail to manage future growth effectively, we may not be able to market and sell our products and services successfully.

We have expanded our operations significantly in recent years and anticipate that further expansion will be required in order for us to grow our business. If we do not effectively manage our growth, the quality of our services could suffer, which could materially adversely affect our results of operations, financial condition, business and prospects, and damage our brand and reputation among existing and prospective clients. In order to manage our future growth, we will need to hire, integrate and retain highly skilled and motivated employees. We will also be required to continue to improve our existing systems for operational and financial information management, including our reporting systems, procedures, controls, and regulatory compliance processes. These improvements may require significant capital expenditures and will place increasing demands on our management. We may not be successful in managing or expanding our operations, or in maintaining adequate operating and financial information systems and controls. If we are not successful in implementing improvements in these areas, our results of operations, financial condition, business and prospects would be materially adversely affected.

General economic and other conditions may adversely affect trends in employment and hiring patterns, which could result in lower employee participation in CDB programs, which would materially adversely affect our results of operations, financial condition, business and prospects.

Our revenue is attributable to the number of employee participants at each of our employer clients, which in turn is influenced by the employment and hiring patterns of our employer clients. To the extent our employer clients freeze or reduce their headcount or wages paid because of general economic or other conditions, demand for our programs may decrease, which could materially adversely affect our results of operations, financial condition, business and prospects.

A decline in interest rate levels may reduce our ability to generate income from custodial cash assets that we administer, which would adversely affect our profitability.

We partner with our FDIC-insured custodial depository bank partners to hold and invest custodial cash assets of participants. A decline in prevailing interest rates may negatively affect our business by reducing the commissions we earn from bank partners’ custodial cash assets and such scenario could materially and adversely affect our business and results of operations.

13

We rely on our FDIC-insured custodial depository bank partners for certain custodial account services from which we generate interest income and fees. A business failure in any FDIC-insured custodial depository bank partner would materially and adversely affect our business.

We rely on our FDIC-insured custodial bank partners to hold and invest our custodial cash assets. If any material adverse event affected one of our FDIC-insured custodial depository bank partners, including a significant decline in its financial condition, a decline in the quality of its service, loss of deposits, its inability to comply with applicable banking and financial services regulatory requirements, systems failure, or any sort of cybersecurity incident, our business, financial condition and results of operations could be materially and adversely affected. If we were required to change custodial depository banking partners, we could not accurately predict the success of such change or that the terms of our agreement with a new banking partner would be as favorable to us as those in our current agreements.

Restrictive covenants in our Credit Agreement may restrict our ability to pursue our business strategies.

Our existing Credit Agreement contains a number of restrictive covenants that impose significant operating and financial restrictions on us, and may limit our ability to engage in acts that may be in our long-term best interests. These include covenants restricting, among other things, our (and our subsidiaries’) ability:

·to incur additional indebtedness;

·to grant liens;

·to enter into burdensome agreements with negative pledge clauses or restrictions on subsidiary distributions;

·to pay dividends or make other distributions in respect of equity;

·to make investments, including acquisitions, loans, and advances;

·to consolidate, to merge, to liquidate, or to dissolve;

·to sell, to transfer, or to otherwise dispose of assets;

·to engage in certain transactions with affiliates; and

·to materially alter the business that we conduct.

Our Credit Agreement also requires that we maintain compliance with a maximum leverage ratio and a minimum interest coverage ratio. The terms of these covenants may limit our ability to obtain, or increase the costs of obtaining, additional financing to fund working capital, capital expenditures, acquisitions or general corporate requirements. This in turn may have the impact of reducing our flexibility to respond to changing business and economic conditions, thereby placing us at a relative disadvantage compared to competitors that have less indebtedness, or fewer or less onerous covenants associated with such indebtedness, and making us more vulnerable to general adverse economic and industry conditions.

The financing incurred under our Second Amended Credit Agreement could adversely affect our liquidity and financial condition.

As of December 31, 2018, we had outstanding revolving loans of $247.0 million under our Second Amended Credit Agreement and $150.2 million of undrawn letters of credit. Our ability to meet our payment obligations and satisfy the covenants under the Second Amended Credit Agreement, including the financial ratios, depends on our ability to generate sufficient cash flow and can be affected by events beyond our control. We cannot assure you that we will be able to meet these ratios and our other obligations under the Second Amended Credit Agreement. If we are not able to generate sufficient cash flow from operations to service our obligations under our Second Amended Credit

14

Agreement, we may have to take actions such as selling assets, seeking additional equity or reducing or delaying capital expenditures, strategic acquisitions, investments and alliances, any of which could impede the implementation of our business strategy or prevent us from entering into transactions that would otherwise benefit our business. Additionally, we may not be able to effect such actions or refinance any of our debt, if necessary, on commercially reasonable terms, or at all.

A breach of any covenant or restriction contained in the Second Amended Credit Agreement could result in a default under the Second Amended Credit Agreement. Upon the occurrence of an event of default, the lenders could elect to declare some or all outstanding borrowings, together with accrued and unpaid interest and other amounts payable thereunder, to be immediately due and payable and to terminate any commitments they have to provide further borrowings. Further, following an event of default, the lenders will have the right to proceed against the collateral granted to them to secure that debt, including substantially all of our assets. If the debt under the Second Amended Credit Agreement was to be accelerated, we may not have sufficient funds to repay our existing debt and our assets may not be sufficient to repay in full that debt or any other debt that may become due as a result of that acceleration. Any such default could have a material adverse effect on our liquidity and financial condition.

Failure to effectively develop and expand our direct and indirect sales channels may materially adversely affect our results of operations, financial condition, business and prospects and reduce our growth.

We will need to continue to expand our sales and marketing infrastructure in order to grow our employer client base and our business. We rely on our enterprise sales force to target new Fortune 1000 client accounts and sell into carriers, partnership, and private exchanges, as well as to cross-sell additional products and services to our existing enterprise clients. Effectively training our sales personnel requires significant time, expense and attention. In addition, we utilize various partners, brokers, insurance agents, benefits consultants, regional and national insurance carriers, health plans, payroll companies, banks and regional third party administrators, to sell and market our programs to employers. Furthermore, we are investing more marketing and advertising spend to increase our HSA accounts. If we are unable to develop and expand our direct sales team, our indirect sales channels, or become a partner to more carriers and private exchanges, our ability to attract new employer clients may be negatively impacted and our growth opportunities will be reduced, each of which would materially adversely affect our results of operations, financial condition, business and prospects.

We may incur significant expenses in connection with the development and expansion of our sales and marketing efforts. If our efforts to develop and expand our direct and indirect sales channels do not generate a corresponding increase in revenue, our business may be materially adversely affected. In particular, if we are unable to effectively train our sales personnel or if our direct sales personnel are unable to achieve expected productivity levels in a reasonable period of time, we may not be able to increase our revenue and grow our business.

Long sales cycles make the timing of our long-term revenues difficult to predict.

Our average sales cycle ranges from approximately two months for small opportunities to over a year for large and significant new indirect business. Factors that may influence the length of our sales cycle include:

·the need to educate potential employer clients about the uses and benefits of our CDB programs;

·the relatively long duration of the commitment clients make in their agreements;

·the discretionary nature of potential employer clients’ purchasing and budget cycles and decisions;

·the competitive nature of potential employer clients’ evaluation and purchasing processes;

·fluctuations in the CDB program needs of potential employer clients; and

·lengthy purchasing approval processes of potential employer clients.

15

If we are unable to close an expected significant transaction with one or more of these potential clients in the anticipated period, our operating results for that period, and for any future periods in which revenue from such transaction would otherwise have been recognized, would be harmed.

Our business and operational results are subject to seasonality as a result of open enrollment for CDB programs and decreased use of commuter program offerings during typical vacation months.

Typically, our revenue is greatest during our first calendar quarter. This is primarily due to two factors. First, new employer clients and their employee participants typically begin service on January 1. Second, during the first calendar quarter, we are also servicing the end of plan year activity for existing clients, including assisting our clients with initiating the deduction of healthcare premiums on a tax deferred basis, and employee participants who do not continue participation into the next plan year.

Generally, in comparison to other quarters, our SMB revenue is highest in the first quarter and lowest in the second and third quarters. Thereafter, our SMB revenue generally grows gradually in the fourth quarter as our employer clients hire new employees who then elect to participate in our programs, thereby increasing our monthly minimum billing amount. The minimum billing amount is not, however, generally subject to downward revision when employees leave their employers because we continue to administer those former employee participants’ accounts for the remainder of the plan year while there is an available balance. Revenue from commuter programs may vary from month-to-month because employees may elect to participate in our commuter programs at any time during the year and may change their election to participate or the amount of their contribution on a monthly basis; however, participation rates in our commuter business typically slow during the summer as people take vacations and do not purchase transit passes or parking passes during that time.

Our operating expenses increase during the fourth quarter because of increased debit card production and because we increase our customer support center capacity to answer questions from employee participants during the open enrollment periods related to their CDB participation decisions. The cost of providing services peaks in the first quarter as new employee participants contact us for information about their CDBs, and as terminating employee participants submit their final claims for reimbursement.

Our revenue growth rate in recent periods may not be indicative of our future performance.

Our revenue growth rate in recent periods may not be indicative of our future performance. Factors that may contribute to declines in our growth rates include challenges in the selling environment and a mid-year phase-out of a partner that migrated to their own platform. You should not rely on our revenue for any prior quarterly or annual period as an indication of our future revenue or revenue growth. If we are unable to maintain consistent revenue or revenue growth, our business, financial condition, results of operations and prospects could be materially adversely affected and our stock price could be volatile.

Our operating results can fluctuate from period to period, which could cause our share price to fluctuate.

Fluctuations in our quarterly operating results could cause our stock price to decline rapidly, may lead analysts to change their long-term models for valuing our common stock, could cause short-term liquidity issues, may impact our ability to retain or attract key personnel or cause other unanticipated issues. If our quarterly operating results or guidance fall below the expectations of research analysts or investors, the price of our common stock could decline substantially. Our quarterly operating expenses and operating results may vary significantly in the future and period-to-period comparisons of our operating results may not be meaningful. You should not rely on the results of one quarter as an indication of future performance.

If employee participants do not continue to utilize our prepaid debit cards or choose another payment method other than signature enabled prepaid debit cards, our results of operations, business and prospects could be materially adversely affected.

We derive a portion of our revenue from interchange fees that are paid to us when employee participants utilize our prepaid debit cards to pay for certain healthcare and commuter expenses under our CDB programs. These fees

16

represent a percentage of the expenses transacted on each debit card and are paid to the Company by the financial institutions that issue the cards and hold the associated participant funds. If our employer clients do not adopt these prepaid debit cards as part of the benefits programs they offer, if the employee participants do not use them at the rate we expect, if employee participants choose to process their transactions over PIN networks rather than signature networks or if other alternatives to prepaid tax-advantaged benefit cards develop, our results of operations, business and prospects could be materially adversely affected.

If we are unable to maintain and enhance our brand and reputation, our ability to sustain and grow our business may be materially adversely affected.

Maintaining and strengthening our brand is critical to attracting new clients and growing our business. Our ability to maintain and strengthen our brand and reputation will depend heavily on our capacity to continue to provide high levels of customer service to our employer clients and their employee participants at cost effective and competitive prices, which we may not do successfully. In addition, our continued success depends, in part, on our reputation as an industry leader in promoting awareness and understanding of the positive impact of CDBs among employers and employees. If we fail to successfully maintain and strengthen our brand, our results of operations, financial condition, business and prospects will be materially adversely affected.

If our customers are not satisfied with the implementation and professional services provided by us or our partners, it could have a material adverse effect on our business, financial condition, and results of operations.

Our business depends on our ability to implement our solutions on a timely, accurate, and cost-efficient basis and to provide professional services demanded by our customers. Implementation and other professional services may be performed by our own staff, by a third party, or by a combination of the two. Although we perform the majority of our implementations and other professional services with our staff, in some instances we work with third parties to increase the breadth of capability and depth of capacity for delivery of certain services to our customers. If a customer is not satisfied with the quality of work performed by us or a third party or with the implementation or type of professional services or applications delivered, or there are inaccuracies or errors in the work delivered by the third party, then we could incur additional costs to address the situation, the profitability of that work might be impaired, and the customer’s dissatisfaction with such services could damage our ability to expand the number of applications subscribed to by that customer or we could be liable for loss or damage suffered by the customer as a result of such third party’s actions or omissions, any of which could have a material adverse effect on our business, financial condition, and results of operations. If a new customer is dissatisfied with professional services, either performed by us or a third party, the customer could refuse to go-live, which could result in a delay in our collection of revenue or could result in a customer seeking repayment of its implementation fees or suing us for damages, or could force us to enforce the termination provisions in our customer contracts in order to collect revenue. In addition, negative publicity related to our customer relationships, regardless of its accuracy, may affect our ability to compete for new business with current and prospective customers, which could also have a material adverse effect on our business, financial condition, and results of operations.

Some plan providers with which we have relationships also provide, or may provide, competing services.

We face competitive risks in situations where some of our strategic partners are also current or potential competitors. For example, certain of the banks we utilize as custodians of the funds for our HSA employee participants also offer their own HSA products. To the extent that these partners choose to offer competing products and services that they have developed or in which they have an interest to attract our current or potential clients, our results of operations, business and prospects could be materially adversely affected to a material degree.

We are subject to complex regulation, and any compliance failures or regulatory action could materially adversely affect our business.

The plans we administer and, as a result, our business are subject to extensive, complex and continually changing federal and state laws and regulations, including IRS, Health and Human Services (“HHS”), and Department of Labor (“DOL”) regulations; ERISA, HIPAA, HITECH and other privacy and data security regulations; and the PPACA. If we fail to comply with any applicable law, rule or regulation, we could be subject to fines and penalties,

17

indemnification claims by our clients, or become the subject of a regulatory enforcement action, each of which would materially adversely affect our business and reputation.

We may also become subject to additional regulatory and compliance requirements as a result of changes in laws or regulations, or as a result of any expansion or enhancement of our existing products and services or the development of any new products or services in the future. For example, if we expand our product and service offerings into the health insurance market in the future, we would become subject to state Department of Insurance regulations. Compliance with any new regulatory requirements may divert internal resources and take significant time and effort.

Any claims of noncompliance brought against us, regardless of merit or ultimate outcome, could subject us to investigation by the Department of Labor, the IRS, the Centers for Medicare and Medicaid Services, the U.S. Department of the Treasury or other federal and state regulatory authorities, which could result in substantial costs to us and divert management’s attention and other resources away from our operations. In addition, investor perceptions of us may suffer and could cause a decline in the market price of our common stock. Our compliance processes may not be sufficient to prevent assertions that we failed to comply with any applicable law, rule or regulation.

The occurrence of natural or man-made disasters could result in declines in business and increases in claims that could adversely affect our financial condition and results of operations.

We are exposed to various risks arising out of natural disasters, including earthquakes, hurricanes, fires, floods, tornadoes, climate events or weather patterns, and pandemic health events, as well as man-made disasters, including acts of terrorism, military actions and cyber-terrorism. The continued threat of terrorism and ongoing military actions may cause significant volatility in global financial markets, and a natural or man-made disaster could trigger an economic downturn in the areas directly or indirectly affected by the disaster. These consequences could, among other things, result in a decline in business in the area affected by the event. Disasters also could disrupt public and private infrastructure, including communications and financial services, which could disrupt our normal business operations.

Our inability to successfully recover should we experience a disaster or other business continuity problem could cause material financial loss, loss of human capital, breach of confidential information, regulatory actions, reputational harm or legal liability.

Should we experience a disaster or other business continuity problem, either natural or man-made, our ability to protect our infrastructure, including customer data, and maintain ongoing operations will depend, in part, on the availability of our personnel, our office facilities, and the proper functioning of our computer, telecommunication and other related systems and operations. In such an event, we could experience near-term operational challenges with regard to particular areas of our operations.

In particular, our ability to recover from any disaster or other business continuity problem will depend on our ability to protect our technology infrastructure against damage from business continuity events that could have a significant disruptive effect on our operations. Our business continuity plan may not be successful in mitigating the effects of a disaster or other business continuity problem. We could potentially lose client data, experience a breach of security or confidential information, or experience material adverse interruptions to our operations or delivery of services to our clients in a disaster.

We will continue to regularly assess and take steps to improve upon our business continuity plans. However, a disaster on a significant scale or affecting certain of our key operating areas within or across regions, or our inability to successfully recover should we experience a disaster or other business continuity problem, could materially interrupt our business operations and cause material financial loss, loss of human capital, breach of confidential information, regulatory actions, reputational harm, damaged client relationships and legal liability.

A disruption of our data centers could have a materially adverse effect on our business.

We host our applications and serve our clients from data centers that we operate and from data centers operated by third-party vendors. If any of our or our third-party vendors’ data centers fail or become disabled, even for a limited period of time, our businesses could be disrupted and we could suffer financial loss, liability to clients, loss of clients,

18

regulatory intervention, or damage to our reputation, any of which could have a material adverse effect on our results of operation or financial condition. In addition, our third-party vendors may cease providing data center facilities or services, elect to not renew their agreements with us on commercially reasonable terms or at all, breach their agreements with us or fail to satisfy our expectations, which could disrupt our operations and require us to incur costs which could materially adversely affect our results of operation, financial condition or cash flow.

If our applications fail to perform properly, our reputation could be adversely affected, our market share could decline, and we could be subject to liability claims.

Our applications are inherently complex and may contain material defects or errors. Any defects in functionality or that cause interruptions in the availability of our applications could result in:

·loss or delayed market acceptance and sales;

·legal claims, including breach of warranty claims;

·issuance of refunds or service credits to customers for prepaid and unused subscription services;

·loss of customers;

·diversion of development and customer service resources; and

·injury to our reputation.

The costs incurred in correcting any material defects or errors might be substantial and could adversely affect our operating results.

Because of the large amount of data that we collect and process, it is possible that hardware failures or errors in our systems could result in data loss or corruption, or cause the information that we collect to be incomplete or contain inaccuracies that our clients and their employee participants regard as significant. Furthermore, the availability or performance of our applications could be adversely affected by a number of factors, including our clients and their employee participants’ inability to access the Internet, the failure of our network or software systems, security breaches, or variability in user traffic for our services. For example, our clients and their employee participants access our applications through their Internet service providers. If a service provider fails to provide sufficient capacity to support our applications or otherwise experiences service outages, such failure could interrupt access to our applications, which could adversely affect our clients and their participants’ perception of our applications’ reliability and our revenues. We may be required to issue credits or refunds to our clients or otherwise be liable to our clients and/or their employee participants for damages they may incur resulting from certain of these events. In addition to potential liability, if we experience interruptions in the availability of our applications, our reputation could be adversely affected and we could lose customers.

Our errors and omissions insurance may be inadequate or may not be available in the future on acceptable terms, or at all. In addition, our policy may not cover all claims made against us and defending a suit, regardless of its merit, could be costly and divert management’s attention.

If we fail to upgrade, enhance and expand our technology and services to meet client needs and preferences, the demand for our solutions and services may diminish.

Our businesses operate in industries that are subject to rapid technological advances and changing client needs and preferences. In order to remain competitive and responsive to client demands, we continually upgrade, enhance, and expand our existing solutions and services. If we fail to respond successfully to technology challenges and client needs and preferences, the demand for our solutions and services may diminish.

19

We employ third party software for use in or with both our applications and our internal operations, and the inability to maintain these licenses or errors in the software we license could result in increased costs, or reduced service levels, which could have a material adverse effect on our business, financial condition, and results of operations.

Our applications incorporate certain third party software obtained under licenses from other companies. Additionally, we are reliant on third party software licenses for our internal operational applications. We anticipate that we will continue to rely on such third party software and development tools from third parties in the future. Although we believe that there are commercially reasonable alternatives to the third party software we currently license, this may not always be the case, or it may be difficult or costly to replace, and our failure to migrate off end of life software may significantly impact our customer’s ability to operate. In addition, integration of the software used in our applications and in our operations with new third party software may require significant work and require substantial investment of our time and resources. Also, our use of additional or alternative third party software would require us to enter into license agreements with third parties.

Additionally, if the quality of our third party software declines, the overall quality of our products may be negatively impacted. To the extent that our applications depend upon the successful operation of third party software in conjunction with our software, any undetected errors or defects in this third party software could prevent the deployment or impair the functionality of our applications, delay new application introductions, and result in a failure of our applications, which could have a material adverse effect on our business, financial condition, and results of operations.

Any failure to offer high-quality technical support services may adversely affect our relationships with our customers and could have a material adverse effect on our business, financial condition, and results of operations.

Once our applications are deployed, our customers depend on our support organization to resolve technical issues relating to our applications. We may be unable to respond quickly enough to accommodate short-term increases in customer demand for support services. We also may be unable to modify the format of our support services to compete with changes in support services provided by our competitors. Increased customer demand for these services, without corresponding revenues, could increase costs and have an adverse effect on our results of operations. In addition, our sales process is highly dependent on our applications and business reputation and on positive recommendations from our existing customers. Any failure to maintain high-quality technical support, or a market perception that we do not maintain high-quality support, could adversely affect our reputation and our ability to sell our applications to existing and prospective customers, which could have a material adverse effect on our business, financial condition, and results of operations.

Our future success depends on our ability to recruit and retain qualified employees, including our executive officers and directors.

Our success is substantially dependent upon the performance of our senior management, such as our Chief Executive Officer. Our management and employees may terminate their employment at any time, and the loss of the services of any of our executive officers could materially adversely affect our business. Our success is also substantially dependent upon our ability to attract additional personnel for all areas of our organization. Competition for qualified personnel is increasingly intense, and we may not be successful in attracting and retaining such personnel on a timely basis, on competitive terms or at all. Additionally, it may be more difficult for us to attract and retain qualified individuals to serve on our Board or as our executive officers due to potential liability concerns related to serving on a public company. If we are unable to attract and retain the necessary personnel, our results of operations, financial condition, business and prospects would be materially adversely affected.

20

Changes in credit card association or other network rules or standards set by Visa or MasterCard, or changes in card association and debit network fees or products or interchange rates, could materially adversely affect our results of operations, business and financial position.

We, and the banks that issue our prepaid debit cards, are subject to Visa and MasterCard association rules that could subject us to a variety of fines or penalties that may be levied by the card associations or networks for acts or omissions by us or businesses that work with us, including card processors, such as Alegeus. The termination of the card association registrations held by us or any of the banks that issue our cards, or any changes in card association or other debit network rules or standards, including interpretation and implementation of existing rules, participants deciding to use PIN networks, standards or guidance that increase the cost of doing business or limit our ability to provide our products and services, or limit our ability to receive interchange fees, could have a material adverse effect on our results of operations, financial condition, business and prospects. In addition, from time-to-time, card associations increase the organization or processing fees that they charge, which could increase our operating expenses, reduce our profit margin and materially adversely affect our results of operations, financial condition, business and prospects.

We have entered into outsourcing and other agreements with third parties related to certain of our business operations, and any difficulties experienced in these arrangements could result in additional expense, loss of revenue or an interruption of our services.

We have entered into outsourcing agreements with third parties to provide certain customer service and related support functions to our employer clients and their employee participants. As a result, we rely on third parties over which we have limited control. If these third parties are unable to perform to our requirements or to provide the level of service required or expected by our employer clients, including ensuring the privacy and integrity of individually identifiable health information that they may be privy to as a result of the services they perform for our employer clients and their employee participants, our operating results, financial condition, business, prospects and reputation may be materially harmed. In addition, we may be forced to pursue alternative strategies to provide these services, which could result in delays, interruptions, additional expenses and loss of clients and related revenues.

If our intellectual property and technology are not adequately protected to prevent use or appropriation by our competitors, our business and competitive position could be materially adversely affected.

We rely on a combination of patent, copyright, trademark and trade secret laws, as well as confidentiality procedures and contractual provisions, to establish and protect our intellectual property rights in the United States.

The efforts we have taken to protect our intellectual property may not be sufficient or effective, and our patents, trademarks and copyrights may be held invalid or unenforceable. We may not be effective in policing unauthorized use of our intellectual property, and even if we do detect violations, litigation may be necessary to enforce our intellectual property rights. Any enforcement efforts we undertake, including litigation, could be time consuming and expensive, could divert our management’s attention and may result in a court determining that our intellectual property rights are unenforceable. If we are not successful in cost-effectively protecting our intellectual property rights, our results of operations, financial condition, business and prospects could be materially adversely affected.

We may be required to record goodwill or other long-lived asset impairment charges, which could result in a significant charge to earnings, which could have a material adverse non-cash impact on our results of operations.

Under U.S. GAAP, we review our long-lived assets for impairment when events or changes in circumstances indicate the carrying value may not be recoverable. Goodwill is assessed for impairment at least annually. Factors that may be considered in assessing whether goodwill or other long-lived assets may not be recoverable include a decline in our share price or market capitalization, reduced estimates of future cash flows and slower growth rates in our industry. We may experience unforeseen circumstances that adversely affect the value of our goodwill or other long-lived assets and trigger an evaluation of the recoverability of the recorded goodwill and other long-lived intangible assets. Future goodwill or other long-lived asset impairment charges could have a material adverse non-cash impact on our results of operations.

21

Changes in our accounting estimates and assumptions could negatively affect our financial position and results of operations.

We prepare our consolidated financial statements in accordance with U.S. GAAP. These accounting principles require us to make estimates and assumptions that affect the reported amounts of assets and liabilities, and the disclosure of contingent assets and liabilities at the date of our financial statements. We are also required to make certain judgments that affect the reported amounts of revenues and expenses during each reporting period. We periodically evaluate our estimates and assumptions including, but not limited to, those relating to revenue recognition, restructuring, recoverability of assets including customer receivables, valuation of goodwill and intangibles, contingencies, share-based payments, and income taxes. We base our estimates on historical experience and various assumptions that we believe to be reasonable based on specific circumstances. These assumptions and estimates involve the exercise of judgment and discretion, which may evolve over time in light of operational experience, regulatory direction, developments in accounting principles, and other factors. Actual results could differ from these estimates, or changes in assumptions, estimates, policies, or developments in the business may change our initial estimates, which could materially affect our financial position, the Consolidated Statements of Income, Comprehensive Income, Stockholders’ Equity and Cash Flows.

Our ability to use net operating losses and income tax credits carryforwards to offset future taxable income may be limited.

As of December 31, 2018, we had $6.5 million of state net operating loss carryforwards available to offset future taxable income. The state net operating loss carryforwards have been prepared on a post-apportionment basis. These net operating loss carryforwards will begin to expire in the year 2018 through 2033 for state income tax purposes, if not fully utilized. In addition, we have federal and state research and development credit carryforwards of approximately $0.7 million and $4.4 million, respectively. The federal research credit carryforwards expire beginning in 2038, if not fully utilized. The California state research credit carries forward indefinitely and other states begin to expire in years 2029 through 2034. Our ability to utilize net operating losses and tax credit carryforwards are subject to restrictions, including limitations in the event of past or future ownership changes as defined in Section 382 of the Internal Revenue Code, or IRC, of 1986, as amended (“IRC”), and similar state tax laws. In general, an ownership change occurs if the aggregate stock ownership of certain stockholders increases by more than 50 percentage points over such stockholders’ lowest percentage ownership during the testing period (generally three years). We have considered Section 382 of the IRC and concluded that any ownership change would not diminish our utilization of our net operating loss carryforwards or our research and development credits during the carryover periods.

If one or more jurisdictions successfully assert that we should have collected or in the future should collect additional sales and use taxes on our fees, we could be subject to additional liability with respect to past or future sales and the results of our operations could be adversely affected.

Sales and use tax laws and rates vary by jurisdiction and such laws are subject to interpretation. In those jurisdictions where we believe sales taxes are applicable, we collect and file timely sales tax returns. Currently, such taxes are minimal. Jurisdictions in which we do not collect sales and use taxes may assert that such taxes are applicable, which could result in the assessment of such taxes, interest and penalties, and we could be required to collect such taxes in the future. This additional sales and use tax liability could adversely affect our results of operations.

Some of our applications may link to or utilize open source software, and any failure to comply with the terms of one or more of these open source licenses could negatively affect our business.

Some of our applications may incorporate software covered by open source licenses. The terms of various open source licenses have not been interpreted by United States courts, and there is a risk that such licenses could be construed in a manner that imposes unfavorable conditions on us. For example, by the terms of certain open source licenses, we could be required to offer our platforms that incorporate the open source software for no cost, that we make publicly-available source code for modifications or derivative works that we created based upon, incorporating or using the open source software, and/or that we license such modifications or derivative works under the terms of the particular open source license.  If portions of our proprietary software are determined to be subject to an open source license, then the value of our technologies and services could be reduced. In addition to risks related to license requirements,

22

usage of open source software may be riskier than use of third-party commercial software, as open source licensors generally do not provide warranties or controls on the origin of the software. Many of the risks associated with usage of open source software cannot be eliminated and could negatively affect our business.

Third parties may assert intellectual property infringement claims against us, or our services may infringe the intellectual property rights of third parties, which may subject us to legal liability and materially adversely affect our reputation.

Assertion of intellectual property infringement claims against us could result in litigation. We might not prevail in any such litigation or be able to obtain a license for the use of any infringed intellectual property from a third party on commercially reasonable terms, or at all. Even if obtained, we may be unable to protect such licenses from infringement or misuse, or prevent infringement claims against us in connection with our licensing efforts. Any such claims, regardless of their merit or ultimate outcome, could result in substantial cost to us, divert management’s attention and our resources away from our operations and otherwise adversely affect our reputation. Our process for controlling our own employees’ use of third-party proprietary information may not be sufficient to prevent assertions of intellectual property infringement claims against us.

We rely on insurance to mitigate some risks of our business and, to the extent the cost of insurance increases or we maintain insufficient coverage, our results of operations, business and financial condition may be materially adversely affected.

We contract for insurance to cover a portion of our potential business risks and liabilities. In the current environment, insurance companies are increasingly specific about what they will and will not insure. It is possible that we may not be able to obtain sufficient insurance to meet our needs, may have to pay very high prices for the coverage we do obtain or may not acquire any insurance for certain types of business risk. This could leave us exposed, and to the extent we incur liabilities and expenses for which we are not adequately insured, our results of operations, cash flow, business and financial condition could be materially adversely affected. Also, to the extent the cost of maintaining insurance increases, our operating expenses will rise, which could materially adversely affect our results of operations, financial condition, business and prospects.

Substantial sales of our common stock by our stockholders could depress the market price of our common stock regardless of our operating results.

Sales of substantial amounts of our common stock in the public market, or the perception that these sales could occur, could adversely affect the market price of our common stock and impair our ability to raise capital through offerings of our common stock. Under SEC regulations, the failure to file with the SEC our required annual report on Form 10-K for 2017 and quarterly reports on Form 10-Q for 2018 resulted in the suspension of the availability of our employee and director stock benefit plans, including the Company’s 401(k) and Profit Sharing Plan, to allow our employees to exercise any Company stock options that they hold or to choose to invest in our common stock under the 401(k) and Profit Sharing Plan. However, once we become current with our SEC reporting requirements, substantially all of our outstanding common stock will be eligible for sale, subject to Rule 144 volume limitations for holders affected by such limitations, as will be common stock issuable under vested and exercisable options. Rule 144 allows public resale of restricted and control securities if certain conditions are met. If our existing stockholders sell a large number of common stock or the public market perceives that existing stockholders might sell our common stock, the market price of our common stock could decline significantly. These sales might also make it more difficult for us to sell equity securities at a time and price that we deem appropriate.

Our business could be negatively impacted by unsolicited takeover proposals, by shareholder activism or by proxy contests relating to a potential change of control of us.

The Company’s business could be negatively affected as a result of an unsolicited takeover proposal or a proxy contest. In April 2019, the Company received an unsolicited, non-binding proposal to acquire all of the outstanding shares of the Company. The Company’s business could be adversely affected by any such unsolicited proposal, and by any shareholder activism or proxy contests related to or resulting from such proposal, for a number of factors including but not limited to:

23

·responding to unsolicited takeover proposals and other related actions can be costly (resulting in significant professional fees and proxy solicitation expenses) and time-consuming, disrupting operations and diverting the attention of our Board, management and employees which could interfere with our ability to execute our strategic plan;

·perceived uncertainties as to the Company’s future direction may result in the loss of potential business opportunities and may make it more difficult to attract and retain qualified personnel and business partners; and

·if completed, a takeover may result in a change-in-control under certain of the Company’s long-term indebtedness agreements, and may require it to repurchase certain outstanding debt securities or result in an acceleration of certain indebtedness.

Our stock price has fluctuated and may continue to do so and may even decline regardless of our financial performance.

The market price of our common stock has fluctuated and may continue to fluctuate significantly in response to numerous factors, many of which are beyond our control, including:

·actual or anticipated fluctuations in our financial results;

·a takeover proposal;

·changes in the financial projections we provide to the public or our failure to meet these projections;

·failure of securities analysts to initiate or maintain coverage of our company, changes in financial estimates by any securities analysts who follow our company, or our failure to meet these estimates or the expectations of investors;

·ratings change by any securities analysts who follow our company;

·announcements by us or our competitors of significant technical innovations, acquisitions, strategic relationships, partnerships or capital commitments;

·changes in operating performance and stock market valuations of other newly public companies generally, or those in our industry in particular;

·changes brought about by health care reform and the emergence of federal, state and private exchanges;

·price and volume fluctuations in the overall stock market, including as a result of trends in the global economy;

·any major change in our Board or management;

·government investigations and lawsuits threatened or filed against us; and

·other events or factors, including those resulting from a data security breach, war, incidents of terrorism or responses to these events.

In addition, in the past, following periods of volatility in the overall market and the market price of a particular company’s securities, securities class action litigation has often been instituted against such a company. A Securities Class Action as well as Derivative Suits have been filed against us and a number of our current and former officers and directors. See Item 3. Legal Proceedings and “Legal Matters” in Note 15 to our Consolidated Financial Statements. That litigation, or future securities litigation could result in substantial costs and divert our management’s attention

24

and resources from our business. This could have a material adverse effect on our business, results of operations, financial condition and cash flow.

Anti-takeover provisions contained in our amended and restated certificate of incorporation and amended and restated bylaws, as well as provisions of Delaware law, could impair a takeover attempt.

Our amended and restated certificate of incorporation, amended and restated bylaws and Delaware law contain provisions that could have the effect of delaying, preventing or rendering more difficult an acquisition of us if such acquisition is deemed undesirable by our Board. Our corporate governance documents include provisions that:

·create a classified Board whose members serve staggered three-year terms;

·authorize “blank check” preferred stock, which could be issued by the Board without stockholder approval and may contain voting, liquidation, dividend and other rights superior to our common stock;

·limit the ability of our stockholders to call and bring business before special meetings;

·require advance notice of stockholder proposals for business to be conducted at meetings of our stockholders and for nominations of candidates for election to our Board;

·control the procedures for the conduct and scheduling of Board and stockholder meetings; and

·provide the Board with the express power to postpone previously scheduled annual meetings and to cancel previously scheduled special meetings.

These provisions, alone or together, could delay or prevent unsolicited takeovers and changes in control or changes in our management.

As a Delaware corporation, we are also subject to provisions of Delaware law, including Section 203 of the Delaware General Corporation Law, which prevents some stockholders holding more than 15% of our outstanding common stock from engaging in certain business combinations without approval of the holders of substantially all of our outstanding common stock.

Any provision of our amended and restated certificate of incorporation or amended and restated bylaws or Delaware law that has the effect of delaying or deterring a change in control could limit the opportunity for our stockholders to receive a premium for their shares of our common stock and could also affect the price that some investors are willing to pay for our common stock.

While we have adopted a stock repurchase program to repurchase shares of our common stock, any future decisions to reduce or discontinue repurchasing our common stock pursuant to our previously announced repurchase program could cause the market price for our common stock to decline.

Although the Company’s Board of Directors has authorized a share repurchase program, any determination to execute our stock repurchase program will be subject to, among other things, our financial position and results of operations, available cash and cash flow, capital requirements, and other factors, as well as the Company’s Board of Director’s continuing determination that the repurchase program is in the best interests of our stockholders and is in compliance with all laws and agreements applicable to the repurchase program. Our stock repurchase program does not obligate us to acquire any common stock. If we fail to meet any expectations related to stock repurchases, the market price of our common stock could decline, and could have a material adverse impact on investor confidence. Additionally, price volatility of our common stock over a given period may cause the average price at which we repurchase our common stock to exceed the stock’s market price at a given point in time.

We may further increase or decrease the amount of repurchases of our common stock in the future. Any reduction or discontinuance by us of repurchases of our common stock pursuant to our current share repurchase authorization

25

program could cause the market price of our common stock to decline. Moreover, in the event repurchases of our common stock are reduced or discontinued, our failure or inability to resume repurchasing common stock at historical levels could result in a lower market valuation of our common stock.

We do not expect to declare any dividends in the foreseeable future.

We do not anticipate declaring any cash dividends to holders of our common stock in the foreseeable future. Any future financing agreements may prohibit us from paying any type of dividends. Consequently, investors may need to rely on sales of their common stock after price appreciation, which may never occur, as the only way to realize any future gains on their investment. Investors seeking cash dividends should not purchase our common stock.

Legal Proceedings

The Company is pursuing affirmative claims against the OPM to obtain payment for services provided by the Company between March 1, 2016 and August 31, 2016 pursuant to our contract with OPM for the Government’s Federal Flexible Account Program (“FSAFEDS”). The Company initially issued its invoice for these services in February 2017. On December 22, 2017, the Company received the Contracting Officer’s “final decision” refusing payment of the invoiced amount and otherwise denying the Company’s Certified Claim. As a result of this decision, and a related Certified Claim that OPM subsequently denied, on February 8, 2018, we filed an appeal to the Civilian Board of Contract Appeals (“CBCA”) against OPM for services provided by the Company between March 1, 2016 and August 31, 2016. On August 3, 2018, we also filed an appeal to the CBCA of OPM’s June 21, 2018 denial of a Request for Equitable Adjustment for extra work associated with a contract modification imposing new security and other requirements not part of the original scope of FSAFED’s contract work. In connection with the Company’s claims against OPM, OPM has also claimed that an erroneous statement in a certificate signed by a former executive officer constituted a violation of the False Claims Act and moved to dismiss part of our claim against OPM as a result. In March 2019, the Company filed a Motion for Summary Judgement with CBCA on the December 22nd denial by the OPM. OPM has moved to defer consideration of the Summary Judgment Motion to permit it further discovery. That Motion has been briefed and the case is on hold pending a ruling by the CBCA which could be handed down any day. In order to accelerate resolution of all matters before the CBCA, the Company’s appeal of the June 21st denial by the OPM was withdrawn on April 9, 2019. The remaining claim related to the OPM’s December 22nd denial, valued at approximately $6.2 million, is scheduled to go to trial in July 2019 if the pending Summary Judgment is denied by the CBCA. As with all legal proceedings, no assurance can be provided as to the outcome of these matters or if we will be successful in recovering the full claimed amount.

On March 9, 2018, a putative class action was filed in the United States District Court for the Northern District of California (the “Securities Class Action”). On May 16, 2019, a consolidated amended complaint was filed by the lead plaintiffs asserting claims under Sections 10(b) and 20(a) of the Securities Exchange Act of 1934, as amended, against the Company, our former Chief Executive Officer and our former Chief Financial Officer on behalf of purchasers of WageWorks common stock between May 6, 2016 and March 1, 2018. The complaint also alleges claims under the Securities Act of 1933, as amended, arising from our June 19, 2017 common stock offering against those same defendants, as well as the members of our Board of Directors at the time of that offering and the underwriters of the offering.

On June 22, 2018 and September 6, 2018, two derivative lawsuits were filed against certain of our officers and directors and the Company (as nominal defendant) in the Superior Court of the State of California, County of San Mateo. The actions were consolidated. On July 23, 2018, a similar derivative lawsuit was filed against certain of our officers and directors and the Company (as nominal defendant) in the United States District Court for the Northern District of California (together, the “Derivative Suits”). The Derivative Suits purport to allege claims related to breaches of fiduciary duties, waste of corporate assets, and unjust enrichment. In addition, the complaint in District Court includes a claim for abuse of control, and the complaint in Superior Court includes a claim to require the Company to hold an annual shareholder meeting. The allegations in the Derivative Suits relate to substantially the same facts as those underlying the Securities Class Action described above. The plaintiffs seek unspecified damages and fees and costs. In addition, the complaint in the Superior Court seeks for us to provide past operational reports and financial statements, to publish timely and accurate operational reports and financial statements going forward, to hold an annual shareholder meeting, and to take steps to improve its corporate governance and internal procedures.

26

Plaintiffs in the Superior Court action filed a Consolidated Complaint on May 2, 2019. As stipulated by the parties, and approved by the District Court, the District Court action is stayed. The parties in the District Court action are to notify the District Court within 15 days of (1) the dismissal of the Securities Class Action, (2) the denial of defendants’ motion(s) to dismiss, or (3) a party giving notice that they no longer consent to the voluntary stay.

The Company voluntarily contacted the San Francisco office of the SEC Division of Enforcement regarding the restatement and independent investigation. The Company is providing information and documents to the SEC and will continue to cooperate with the SEC’s investigation into these matters. The U.S. Attorney’s Office for the Northern District of California also opened an investigation. The Company has provided documents and information to the U.S. Attorney’s Office and will continue to cooperate with any inquiries by the U.S. Attorney’s Office regarding the matter.

The Company records a provision for contingent losses when it is both probable that a liability has been incurred and the amount of the loss can be reasonably estimated. Based on currently available information, the Company does not believe that any additional liabilities relating to other unresolved matters are probable or that the amount of any resulting loss is estimable. In addition, in accordance with the relevant authoritative guidance, for matters which the likelihood of material loss is at least reasonably possible, the Company provides disclosure of the possible loss or range of loss. If a reasonable estimate cannot be made, the Company will provide disclosure to that effect. However, litigation is subject to inherent uncertainties and the Company’s view of these matters may change in the future. Were an unfavorable outcome to occur, there exists the possibility of a material adverse impact on the Company’s financial position, results of operations or cash flows for the period in which the unfavorable outcome occurs, and potentially in future periods.

The Company is involved in various other litigation, governmental proceedings and claims, not described above, that arise in the normal course of business. While it is not possible to determine the ultimate outcome or the duration of such litigation, governmental proceedings or claims, the Company believes, based on current knowledge and the advice of counsel, that such litigation, proceedings and claims will not have a material impact on the Company’s financial position or results of operations.

Information with respect to this Item may be found under the heading “Legal Matters” in Note 15 Commitments and Contingencies, in the Notes to Consolidated Financial Statements in Exhibit 99.1 to this Current Report on Form 8-K.

27