Enterprise risk management Nexi

Main risks

The Group is subject to risks that are an inherent part of its business activity. The main risks identified in the latest Enterprise Risk Assessment are reported below, with details on their potential impacts and on their probability of occurring.

1. Macroeconomic evolution

Nexi Group is exposed to the European and non-European market and the related economic and political conditions of the countries where the Group operates. The revenues that Nexi Group generates partly depend on the number and volume of payment transactions (so-called volume-driven revenues), which are tied to digital payments penetration and overall consumer, business, and public administration spending. General economic conditions affect confidence, consumer spending, the amount of income available for consumption, as well as changes in consumers’ purchasing habits.

Potential Impacts:
A prolonged deterioration of general economic conditions could have a high economic impact on revenues due to a decrease in the number of digital payment transactions or in the expenditure per transaction, as well as a lower number of cards issued or POSs distributed to merchants, thus negatively affecting the profitability of the Group.
However, the event is considered to have a low probability for the coming year. In fact, despite increased geopolitical tensions due to the conflicts in Ukraine and the Middle East and the attacks on Red Sea shipping, the European economy, after moderate growth in 2023, is expected to continue to strengthen in 2024, supported by rises in real disposable income, falling inflation, robust wage growth and resilient employment. In any case, the increase in digital payments’ penetration can support revenue growth.

2. Performance of growth initiatives

The business plan includes ambitious growth targets related to commercial initiatives that, together with the increase in nominal consumption and the expected higher penetration of digital payments, aim to foster a greater spread of established products and/or ensure effective entry into unexplored segments and/or markets.

Potential Impacts:
The risk, which could have a medium economic impact and a medium-low probability of occurring, is therefore represented by the possibility of not achieving the planned growth targets in the areas of greatest interest and over the established period, due to internal and external causes. This is also in light of the complexity of organizing the commercial initiatives while integration operations are still under way (e.g., IT systems).

3. Customer concentration

A significant part of the activities of Nexi Group is carried out through commercial relationships with banks, thanks also to their network and branches. The concentration of relationships with partner banks, especially in the Italian market, exposes the company to the risk that the performance of the banking and financial institutions sector, as well as possible integrations within such sector, could have negative effects on Nexi Group itself. It is also possible that larger banking or financial institutions arising from mergers or consolidations may hold greater bargaining power in negotiations with Nexi Group.

Potential Impacts:
The loss of commercial relations with one or more of the major customers would entail a reduction in the revenues of Nexi Group, causing medium negative effects on its economic, equity and financial position. Considering the strong relationship that Nexi Group has with major partners, this event is considered to have a medium-low probability of happening.

4. Competition

The European market is becoming increasingly competitive in the digital payments sector and is transforming rapidly due to customer habits, technological innovation, and the recent harmonization of legislation at an international level. Furthermore, in view of increasing customers’ needs and expectations, the attention to the end customer – consumer e-business – and the management of the user experience are becoming increasingly important.

Potential Impacts:
Failing to adapt to the changing market dynamics can lead to loss of business and may have an impact on our economics and reputation. Due to the highly competitive landscape, this event is considered to have a medium-high impact and a medium probability of happening.

5. People attraction and retention

The Group’s performance and the future success of its businesses are significantly dependent on its ability to attract, retain and motivate very specific skill sets in middle and senior management.

In addition, the Group’s performance and the future prospects of its business are also dependent on its ability to adapt to technological, social, economic and regulatory changes. To that end, the Group must leverage a broad set of diverse specialist skills in the fields of engineering, technical servicing, finance and control, sales, administration, and management.

Potential Impacts:
The competitive market for highly skilled labor may hinder the Group's ability to hire additional staff, replace outgoing staff with equally skilled personnel, or retain key personnel essential for growth. The risk has a medium probability of happening and potentially low reputational impacts.
In that respect, the Group places a special emphasis on selecting, recruiting and training its human resources, with a view to maintaining the utmost standards.

6. Cyber risk

As part of its operations Nexi Group processes personal data, including data relating to payment transactions, cardholders, and merchants, and is therefore exposed to the risk of cyber security attacks and/or incidents resulting in potential data breaches or interruptions of business. Furthermore, Nexi is aware of the risks arising from the activities of third parties, such as service providers or business partners. In addition to including contractual clauses to ensure the security and confidentiality of data, Nexi is committed to mitigating these threats through vigilance and close cooperation. Nexi is bound by data protection and privacy laws, as well as the rules of international schemes such as Visa and Mastercard. Compliance with these rules involves adopting data protection standards and maintaining industry certifications, such as those required by the PCI (Payment Card Industry) consortium.

Potential Impacts:
The risk of a security incident is considered to have a critical impact and very low probability of happening. In fact, at worst, the above-mentioned security threats could lead to system downtime, compromise of critical IT systems, potential breaches of confidential information or misuse of payment information. Similarly, the loss or otherwise unauthorised or accidental disclosure of personal customer information or other sensitive information could result in regulatory or legal sanctions and/or fines, substantial remediation costs and a weakening of our corporate brand and reputation.

Mitigating actions
The Nexi Group is actively engaged in mitigating cyber security risks. In addition to having an adequate insurance policy, Nexi implements specific IT security measures, organises training to make staff aware of risks and best practices, and maintains constant monitoring of services and a business continuity plan to ensure an effective response to any crisis.

7. Business interruption (ICT Infrastructure risks)

Nexi Group’s operations are highly dependent on the reliability, operational performance, integrity, and continuity of its ICT infrastructure. The technological networks are crucial to the Group’s business, prospects, and reputation. An especially crucial part of the ICT infrastructure in question is the merchant acquiring and card issuing platforms. These systems handle digital payments’ authorisation and settlement processing, card issuing and management, and payment terminal and services management – all subject to interbank standards.

Potential Impacts:
Unexpected platform downtime would impact the availability of our services, potentially causing Service Level Agreement (SLA) breaches, loss of business revenue and increased operating expenses. In addition, Nexi Group could suffer reputational damage in case of prolonged or repeated downtime incidents. For these reasons, this risk could have high economic, operational, and reputational impacts with a low probability of happening.

Mitigating actions
Nexi has adopted an IT risk management model integrated with its operational risk management framework and with its internal control system. An IT security unit defines protection strategies, oversees business continuity and incident management, and ensures security standards are applied. The infrastructure management unit oversees IT services continuity, manages IT incidents, the transition of new services, systems, applications and changes into production, and the design, implementation, and technical operation of Nexi’s technological infrastructures.

8. Suppliers' dependence

To conduct its business, Nexi Group relies on third-party service providers and product suppliers. The main providers include (i) payment processors, (ii) ICT and application maintenance providers, (iii) cards, POS and ATM suppliers, and (iv) contact units. Partnering with third parties allows Nexi to attain greater efficiency, to optimise operating costs and to focus on its core business. However, high reliance on third parties may increase levels of dependence that may expose Nexi to risks in respect of service level oversight, data management and protection, systems continuity, concentration, compliance, and reputation.

Potential Impacts:
Should it materialise, this risk could have a medium impact, but it has a low probability of happening.

9. Credit/ counterparty risk

For Nexi Group, credit risk mainly originates from:

  • Acquiring activities, specifically in the form of chargeback risk: in the event of non-delivery of a product/service purchased on a prepaid basis, the cardholder may receive an advance from the acquirer, which only subsequently obtains reimbursement from the merchant.
  • Issuing activities: Nexi debits credit card expenditures to customers on a date later than the date on which the payments were made, thus establishing a receivable from the cardholders.
  • Buy now pay later (“BNPL”) activities, where the credit risk is inherent in the type of service provided.
  • Processing activities, mainly in relation to trade receivables generated by non-payment of invoices.

Potential Impacts:
Medium impact should an event occur, but with a low probability of happening, thanks to the mitigants put in place and robust monitoring systems.

10. Fraud risk

Nexi Group may incur liabilities and may suffer damages, including reputational ones, related to fraudulent digital payment transactions, fraudulent receivables claimed by merchants or other parties, or fraudulent sales of goods and services. Examples of commercial fraud may include phishing attacks, the sale of counterfeit goods, the malicious use of either stolen or counterfeit credit or debit cards, use by merchants or other parties of payment card numbers or of other card details to register a false sale or transaction, the processing of an invalid card, and the malicious failure to deliver goods or services sold within the scope of an otherwise valid transaction.

Potential Impacts:
Considering that the parties engaging in criminal counterfeiting and fraud are using increasingly sophisticated methods, a failure to identify thefts and to effectively manage fraud risk and prevention may increase the Group’s chargeback liability or cause the Group to incur other liability, including fines and sanctions. Moreover, impacts could be related to the worsening of the online customer experience and a significant reputational impact that would affect consumer confidence in using digital payment systems. The risk is considered to have a low economic impact and a medium probability of occurrence, thanks to Nexi Group’s sophisticated monitoring and detection systems to prevent and block potential fraud cases that our clients may suffer.

11. Evolving regulatory environment

Specific to the sector it operates in, the main directives/regulations the Group must comply with include AML, GDPR, PSD2, antitrust, and other binding rules issued periodically by the international schemes. Nexi Group is preparing to comply with the upcoming DORA regulation, enhancing operational resilience in ICT systems starting from January 2025. As a listed company, Nexi SpA adheres to various special listing rules, including Italian financial laws, Italian Consob regulations, EU directives like MAD II and MAR, Italian Law 262/2005, CSRD sustainability reporting, and market-specific codes of conduct. 

Potential Impacts:
A lack of regulatory compliance may potentially result in recommendations and fines from local regulators or central banks. In addition, Nexi Group may suffer reputational damage in case of data breaches, facilitation of money laundering, late implementation of new regulatory requirements, etc. This risk could have a medium-high impact should an event occur, but it has a low probability of happening.