HealthEquity : 2026 Annual Report

Published: 2026-05-14 14:24:05 ET HQY

Published on 05/14/2026 at 02:24 pm EDT

FY26

Annual Report

TO OUR SHAREHOLDERS

Fiscal 2026 was a record year for HealthEquity and a clear demonstration of the strength and durability of our model.

We delivered strong execution, significant margin expansion, and record new Health Savings Accounts (HSAs) from sales. For the full year, revenue grew to $1.3 billion, and net income margin doubled to 16%. Adjusted EBITDA margin expanded to more than 43%. For the second consecutive year, we opened more than 1 million new HSAs from sales and ended fiscal 2026 with 17.8 million total accounts, surpassing $36 billion in HSA assets.

These results reflect a business that becomes stronger with scale. As assets, engagement, and automation grow, our platform becomes more valuable to members, more strategic to partners and clients, and more efficient financially.

Healthcare affordability remains one of the defining financial pressures facing American households and employers. As costs rise faster than wages, the need for better tools to save, spend, and invest for care is increasing. That is what makes HSAs more relevant and HealthEquity better positioned to serve that need.

The flywheel of our strategy empowers members to better save, spend, and invest for healthcare. Its strength builds over time through maturing accounts and a

scaled distribution network with more than 200 network partners and more than 100,000 employer clients.

GROWTH ACROSS THE PLATFORM

We advanced each component of our flywheel in fiscal 2026.

On save, total HSA assets increased 14%, with asset growth continuing to outpace account growth. We also expanded access through our direct HSA enrollment experience, enabling newly HSA-eligible individuals selecting Bronze plans on Affordable Care Act (ACA) exchanges to open and fund HSAs through our web and mobile channels.

On spend, we launched Marketplace, expanding the ways members can use their HSAs and other health accounts through our platform, including Flexible Spending Accounts (FSAs) and Health Reimbursement Arrangements (HRAs). Over time, that should increase the share of healthcare spend flowing through our platform.

On invest, HSA investors grew 10% year-over-year, and their invested assets now represent more than 50%

of total HSA assets. With more than 3.6 million mobile app downloads in the last year and workflows designed to make investing easier, we continue to support that growth. The runway ahead remains substantial, as more than 90% of members are not yet investing.

Those member outcomes matter to employers as well. Employers do not have to choose between controlling healthcare costs and helping employees build healthcare financial security. Third-party research based on interviews with existing HealthEquity clients found that employers saved approximately $1,630 per employee per year in healthcare costs when at least 60% of benefit-eligible employees were enrolled in a high-deductible health plan paired with an HSA and the employer adopted other best practices. Through strong plan design and enrollment execution, HealthEquity helps clients pursue both goals at once.

Delivering that value requires trust and security. In fiscal 2026, we strengthened fraud controls and improved the member experience, including expanding passkey authentication to reduce reliance on traditional

password-based access. In a category where consumers rely on us to safeguard their healthcare dollars and personal information, trust is a competitive advantage.

LOOKING AHEAD

We enter fiscal 2027 with momentum and confidence. We will continue expanding our platform while investing in AI-enabled automation to improve member experience, reduce friction, widen access to products and services, and lower the cost to serve over time, while continuing to allocate capital with discipline.

We are building more than a successful company. We are building a trusted financial platform for how Americans better save, spend, and invest for healthcare.

Executed with discipline, our strategy will continue to drive revenue growth, sustain margin expansion, and create long-term shareholder value.

Thank you for your continued support and long-term partnership.

Sincerely,

Scott Cutler President and CEO HealthEquity

Stephen D. Neeleman, M.D.

Founder and Vice Chair

(millions)

Revenue Adjusted EBITDA

(thousands)

(millions)

HSAs HSA Assets

(thousands)

200+

Network Partners

Provider of HSAs1

Total Accounts

1 HealthEquity is ranked as #1 by number of HSAs in the Devenir 2025 Year-End HSA Market Statistics & Trends Report dated April 23, 2026.

Washington, D.C. 20549

☒ ANNUAL REPORT PURSUANT TO SECTION 13 OR 15(d) OF THE SECURITIES EXCHANGE ACT OF 1934

For the fiscal year ended January 31, 2026 OR

TRANSITION REPORT PURSUANT TO SECTION 13 OR 15(d) OF THE SECURITIES EXCHANGE ACT OF 1934

For the transition period from to Commission File Number: 001-36568

(Exact name of registrant as specified in its charter)

Delaware 52-2383166

(State or other jurisdiction of incorporation or organization)

15 West Scenic Pointe Drive Suite 100

Draper, Utah 84020

(801) 727-1000

(I.R.S. Employer Identification Number)

Title of each class

Trading symbol

Name of each exchange on which registered

Common stock, par value $0.0001 per share

HQY

The NASDAQ Global Select Market

(Address, including Zip Code, and Telephone Number, including Area Code, of Registrant's Principal Executive Offices) Securities registered pursuant to Section 12(b) of the Act:

Securities registered pursuant to Section 12(g) of the Act:

None

Indicate by check mark if the registrant is a well-known seasoned issuer, as defined in Rule 405 of the Securities Act. Yes No

Indicate by check mark if the registrant is not required to file reports pursuant to Section 13 or Section 15(d) of the Act. Yes No

Indicate by check mark whether the registrant (1) has filed all reports required to be filed by Section 13 or 15(d) of the Securities Exchange Act of 1934 during the preceding 12 months (or for such shorter period that the registrant was required to file such reports), and (2) has been subject to such filing requirements for the past 90 days. Yes No

Indicate by check mark whether the registrant has submitted electronically every Interactive Data File required to be submitted pursuant to Rule 405 of Regulation S-T (§232.405 of this chapter) during the preceding 12 months (or for such shorter period that the registrant was required to submit such files). Yes No

Indicate by check mark whether the registrant is a large accelerated filer, an accelerated filer, a non-accelerated filer, a smaller reporting company, or an emerging growth company. See the definitions of "large accelerated filer," "accelerated filer," "smaller reporting company," and "emerging growth company" in Rule 12b-2 of the Exchange Act.

Large accelerated filer

☑

Accelerated filer

☐

Non-accelerated filer

☐

Smaller reporting company

Emerging growth company

☐

If an emerging growth company, indicate by check mark if the registrant has elected not to use the extended transition period for complying with any new or revised financial accounting standards provided pursuant to Section 13(a) of the Exchange Act.

Indicate by check mark whether the registrant has filed a report on and attestation to its management's assessment of the effectiveness of its internal control over financial reporting under Section 404(b) of the Sarbanes-Oxley Act (15 U.S.C. 7262(b)) by the registered public accounting firm that prepared or issued its audit report. ☑

If securities are registered pursuant to Section 12(b) of the Act, indicate by check mark whether the financial statements of the registrant included in the filing reflect the correction of an error to previously issued financial statements.

Indicate by check mark whether any of those error corrections are restatements that required a recovery analysis of incentive-based compensation received by any of the registrant's executive oﬃcers during the relevant recovery period pursuant to §240.10D-1(b).

Indicate by check mark whether the registrant is a shell company (as defined in Rule 12b-2 of the Exchange Act). Yes ☐ No ☑

The aggregate market value of voting and non-voting common equity held by non-affiliates of the registrant on July 31, 2025, based on the closing price of $97.00 for shares of the registrant's common stock as reported by the NASDAQ Global Select Market was approximately $7.0 billion. For purposes of determining whether a stockholder was an affiliate of the registrant at July 31, 2025, the registrant assumed that a stockholder was an affiliate of the registrant at July 31, 2025 if such stockholder (i) beneficially owned 10% or more of the registrant's capital stock, as determined based on public filings, and/or (ii) was an executive officer or director, or was affiliated with an executive officer or director of the registrant, at July 31, 2025. This determination of affiliate status is not necessarily a conclusive determination for other purposes.

As of March 3, 2026, there were 84,478,406 shares of the registrant's common stock outstanding.

DOCUMENTS INCORPORATED BY REFERENCE

Portions of the Registrant's definitive proxy statement related to its 2026 annual meeting of stockholders (the "2026 Proxy Statement") are incorporated by reference into Part III of this Annual Report on Form 10-K where indicated. The 2026 Proxy Statement will be filed with the U.S. Securities and Exchange Commission within 120 days after the end of the fiscal year to which this report relates.

HealthEquity, Inc. and subsidiaries

Form 10-K annual report

Table of contents

Page

Part I.

Item 1. Business

Item 1A. Risk factors

Item 1B. Unresolved staff comments

Item 1C. Cybersecurity

Item 2. Properties

Item 3. Legal proceedings

Item 4. Mine safety disclosures

Part II.

Item 5. Market for registrant's common equity, related stockholder matters and issuer purchases of equity securities

Item 6. Reserved

Item 7. Management's discussion and analysis of financial condition and results of operations

Item 7A. Quantitative and qualitative disclosures about market risk

Item 8. Financial statements and supplementary data

Item 9. Changes in and disagreements with accountants on accounting and financial disclosure

Item 9A. Controls and procedures

Item 9B. Other information

Item 9C. Disclosure regarding foreign jurisdictions that prevent inspections

Part III.

Item 10. Directors, executive officers and corporate governance

Item 11. Executive compensation

Item 12. Security ownership of certain beneficial owners and management and related stockholder matters

Item 13. Certain relationships and related transactions, and director independence

Item 14. Principal accounting fees and services

Part IV.

Item 15. Exhibits and financial statement schedules

Item 16. Form 10-K Summary

Signatures

[This page intentionally left blank]

SPECIAL NOTE REGARDING FORWARD-LOOKING STATEMENTS

This Annual Report on Form 10-K includes forward-looking statements that involve risks and uncertainties, including in the sections entitled "Business," "Risk factors," and "Management's discussion and analysis of financial condition and results of operations." Statements that are not purely historical are forward-looking statements within the meaning of Section 27A of the Securities Act of 1933, as amended (the "Securities Act"), and Section 21E of the Securities Exchange Act of 1934, as amended (the "Exchange Act"). These forward-looking statements include, without limitation, statements regarding our industry, business strategy, plans, goals, and expectations concerning our markets and market position, future operations, expenses and other results of operations, margins, profitability, tax rates, capital expenditures, liquidity and capital resources, and other financial and operating information. When used in this discussion, the words "may," "believes," "intends," "seeks," "anticipates," "plans," "estimates," "expects," "should," "assumes," "continues," "could," "will," "future," and the negative of these or similar terms and phrases are intended to identify forward-looking statements in this report.

Forward-looking statements reflect our current expectations regarding future events, results or outcomes. These expectations may or may not be realized. Although we believe the expectations reflected in the forward-looking statements are reasonable, we can give you no assurance these expectations will prove to be correct. Some of these expectations may be based upon assumptions, data or judgments that prove to be incorrect. Actual events, results and outcomes may differ materially from our expectations due to a variety of known and unknown risks, uncertainties, and other factors. Although it is not possible to identify all of these risks and factors, they include, among others, the risks identified in Item 1A. Risk factors.

Unless the context otherwise indicates or requires, the terms "we," "our," "us," "HealthEquity," and the "Company," as used in this Annual Report on Form 10-K, refer to HealthEquity, Inc. and its subsidiaries as a combined entity, except where otherwise stated or where it is clear that the terms mean only HealthEquity, Inc. exclusive of its subsidiaries.

We are a leader and an innovator in providing technology-enabled services that empower consumers to make healthcare saving, spending, and investing decisions. We use our innovative technology to manage consumers' tax-advantaged health savings accounts ("HSAs") and other consumer-directed benefits ("CDBs") offered by employers, including flexible spending accounts and health reimbursement arrangements ("FSAs" and "HRAs"), and to administer Consolidated Omnibus Budget Reconciliation Act ("COBRA"), commuter and other benefits. As part of our services, we provide consumers with payment processing services, personalized benefit information, access to healthcare solutions through our marketplace, and investment advice to grow their tax-advantaged healthcare savings. We believe the shift to greater consumer responsibility for healthcare costs will require a significant portion of consumers under the age of 65 with private health insurance in the United States to use offerings such as ours.

The core of our offerings is the HSA, a financial account through which consumers save, spend, and invest their healthcare dollars on a tax-advantaged basis. As of January 31, 2026, we administered 10.6 million HSAs, with balances totaling $36.5 billion, which we call HSA Assets, as well as 7.2 million complementary CDBs. We refer to the aggregate number of HSAs and other CDBs that we administer as Total Accounts, of which we had 17.8 million as of January 31, 2026.

We reach consumers primarily through relationships with their employers, which we call Clients. We reach Clients primarily through relationships with benefits brokers and advisors, integrated partnerships with a network of health plans, benefits administrators, and retirement plan recordkeepers, which we call Network Partners, and a sales force that calls on Clients directly. As of January 31, 2026, our platforms were integrated with more than 200 Network Partners.

We have increased our share of the growing HSA market from 4% in December 2010 to 20% as of June 2025, measured by HSA Assets. According to the 2025 Midyear Devenir HSA Research Report, as of June 2025, we were the largest HSA provider by number of accounts and the second largest HSA provider by HSA Assets. In addition, we believe we are the largest provider of other CDBs. We seek to differentiate ourselves through our service-driven culture, product breadth, ecosystem connectivity, and proprietary technology, which enables our members to better save, spend, and invest their healthcare dollars. Our proprietary technology allows us to help consumers optimize the value of their HSAs and other CDBs and gain confidence and skills in managing their healthcare costs as part of their financial security.

Our ability to assist consumers is enhanced by our capacity to securely share data in both directions with others in the health, benefits, and retirement ecosystems.

Our business model provides strong visibility into our future operating performance, with the vast majority of our accounts opened before the start of our fiscal year.

We earn revenue primarily from three sources: service, custodial, and interchange. We earn service revenue mainly from fees paid by our Clients, Network Partners, and account holders, which we refer to as members, for the administration services we provide in connection with the HSAs and other CDBs we offer. Service revenue also includes revenues earned from invested HSA Assets and our marketplace. We earn custodial revenue primarily from HSA cash held by our insurance company partners, HSA cash held by our federally insured bank and credit union partners, which we collectively call our Depository Partners, and Client-held funds deposited with our Depository Partners. We earn interchange revenue mainly from fees paid by merchants on payments that our members make using our physical payment cards and on our virtual payment system. See "Key components of our results of operations" for additional information on our sources of revenue.

BenefitWallet HSA portfolio acquisition. In fiscal 2025, we acquired the BenefitWallet HSA portfolio, comprised of approximately 616,000 HSAs plus other accounts, which collectively totaled $2.7 billion of HSA Assets, from Conduent Business Services, LLC for a purchase price of $425.0 million. We paid the purchase price using $225.0 million of borrowings under our revolving credit facility, with the remainder paid using cash on hand.

Health savings accounts. The Medicare Modernization Act of 2003 created HSAs, a tax-exempt trust or custodial account managed by a custodian that is a bank, an insurance company, or a non-bank custodian specifically authorized by the Internal Revenue Service, or IRS, as meeting certain ownership, capitalization,

expertise, and governance requirements. We are an IRS-approved non-bank custodian of our members' HSAs, designated to serve as both a passive and non-passive non-bank custodian of HSAs.

To be eligible to contribute to an HSA, an individual must be covered under a high-deductible healthcare plan, or HDHP, have no additional health coverage, not be enrolled in Medicare, and not be claimed as a dependent on someone else's tax return. HSAs have several tax-advantaged benefits, subject to applicable limitations, which we call the "triple tax savings": (1) individuals can claim a tax deduction for contributions they make to their HSAs, and contributions that their employers make to their HSAs may be excluded from their gross income for purposes of federal and most state income and employment tax; (2) the interest or earnings on the assets in the account, including reinvestment, accumulate without being subject to tax; and (3) distributions may be tax free if they are used to pay qualified medical expenses. There is no requirement to provide receipts to us to substantiate HSA distributions to members as members are responsible for substantiation, whether made through our payment card or directly from our online HSA platform. Additionally, taxable distributions other than for qualified medical expenses are permitted without penalty (although subject to income tax) after age 65. Balances remain in the account until used, i.e., there is no "use or lose" requirement. An HSA is owned by the member; it remains the member's property upon a change of employment, health plan or retirement.

Investment platform and advisory services. We offer an investment platform and access to an online-only automated investment advisory service to all of our members whose account balances exceed a stated threshold. These services are entirely elective to the member. The advisory service is delivered through a web-based tool, Advisor, which is offered and managed by HealthEquity Advisors, LLC, our SEC-registered investment adviser subsidiary. HealthEquity Advisors, LLC provides investment advice to its clients exclusively through the Advisor tool on an interactive website. Members who utilize our investment platform or subscribe for Advisor services pay asset-based fees which include the cost of the advisory service and all other expenses associated with transactions made through these online tools.

Advisor provides investment education guidance and management, including maintaining HSA cash (liquidity) in amounts directed by the member, targeting risk appropriate portfolio diversification, and mutual fund selection.

We offer investors access to three levels of service:

Self-driven: For members who do not subscribe for Advisor, we provide an investment platform to invest HSA balances. Neither we nor Advisor provides advice to members in respect of investments on the platform. We also offer a self-directed brokerage option through a third-party partner;

GPS powered by HealthEquity Advisors, LLC: Advisor provides guidance and advice, but the member makes the final investment decisions and implements portfolio allocation and investment advice through the HealthEquity platform; and

AutoPilot powered by HealthEquity Advisors, LLC: Advisor manages the account and implements portfolio allocation and investment advice automatically for the member.

Regardless of the level of service selected, members are responsible for their proportionate share of fees and expenses payable by the underlying mutual funds and other investment vehicles in which they invest.

Healthcare flexible spending accounts. Healthcare FSAs are employer-sponsored CDBs that enable employees to set aside pre-tax dollars to pay for eligible healthcare expenses that are not generally covered by insurance, such as co-pays, deductibles and over-the-counter medical products, as well as vision expenses, orthodontia, and medical devices. Healthcare FSAs can be customized by employers so they have the freedom to determine what eligible expenses may be reimbursed under these arrangements. Our employer Clients also realize payroll tax (i.e., FICA and Medicare) savings on the pre-tax contributions made by their employees.

The IRS imposes a limit, indexed to inflation, on pre-tax dollar employee contributions made to healthcare FSAs. The IRS also allows a carryover of up to 20% of the indexed contribution limit that does not count against or otherwise affect the indexed salary reduction limit applicable to each plan year. Employers are able to contribute additional amounts in excess of this statutory limit and may choose to do so in an effort to mitigate the impact of rising healthcare costs on their employees.

Dependent care flexible spending accounts. We also administer FSA programs for dependent care plans. These plans allow employees to set aside pre-tax dollars to pay for eligible dependent care expenses, which typically include child care or day care expenses but may also include expenses incurred from adult and elder care. Current laws and regulations impose a statutory limit on the amount of pre-tax dollars employees can contribute to dependent care FSAs with no carryover allowed. Like healthcare FSAs, employers can also contribute funds to employees' dependent care FSAs; however, these are subject to the statutory annual limit on total contributions. As

with healthcare FSAs, employers realize payroll tax savings on the pre-tax dependent care FSA contributions made by their employees.

Health reimbursement arrangements. Under HRAs, employers provide their employees with a specified amount of reimbursement funds that are available to help employees defray their out-of-pocket healthcare expenses, such as deductibles, co-insurance and co-payments. HRAs may only be funded by employers and there is no limitation on how much employers may contribute; however, similar to other CDBs that are funded with pre-tax dollars, employers are required to establish the programs in such a way as to prevent discrimination in favor of highly compensated employees. HRAs must either be considered an excepted benefit (for example, a dental-only HRA or a vision-only HRA), a retiree HRA or be integrated with another group health plan. HRAs can be customized by employers so employers have the freedom to determine what expenses are eligible for reimbursement under these arrangements. At the end of the plan year, employers have the option to allow all or a portion of the unused funds to roll over and accumulate year-to-year if not spent. All amounts paid by employers into HRAs are deductible for tax purposes by the employer and tax-free to the employee.

COBRA. We provide federal COBRA and state continuation administration services to employer Clients. COBRA generally requires eligible employers to offer continuation coverage to qualified beneficiaries for a period that varies based on the qualifying event (generally 18 months for termination or reduction in hours and up to 36 months for certain other events). We also offer direct-billing services and participant support for individuals who elect continuation coverage.

Commuter programs. We administer pre-tax commuter benefit programs through which employers are permitted to provide employees with commuter benefits including qualified transit and parking. The maximum monthly federal (and sometimes state) tax free exclusion is indexed for inflation.

Marketplace. We provide HSA and FSA members with access to certain healthcare products, programs, and services through our marketplace, with tax-advantaged payment options using their HealthEquity accounts. Our marketplace is made available through partnerships with third-party providers. These providers are responsible for the related clinical services (including prescribing medications, where applicable), fulfillment, and ongoing member support. Marketplace offerings may vary by Client or health plan partner and are subject to change over time.

Our direct competitors are HSA custodians and other CDB providers. Many of these are state or federally chartered banks and other financial institutions for which we believe benefits administration services are not a core business. Some of our direct competitors (including well-known retail investment companies, such as Fidelity Investments, and healthcare service companies such as UnitedHealth Group's Optum and Webster Bank) are in a position to devote more resources to the development, sale and support of their products and services than we have at our disposal. Our other CDB administration competitors include health insurance carriers, human resources consultants and outsourcers, payroll providers, national CDB specialists, regional third-party administrators, and commercial banks. In addition, numerous indirect competitors, including benefits administration service providers, partner with banks and other HSA custodians to compete with us. Our Network Partners and ecosystem partners may also choose to offer competitive services directly, as some health plans have done. The products, programs, and services made available through our marketplace are part of highly competitive markets and introduce new and sophisticated competitors to us. Our success depends on our ability to predict and react quickly to these and other industry and competitive dynamics.

We believe we are well-positioned to benefit from the transformation of the healthcare benefits market. Our technology platforms are aligned with a healthcare environment that rewards consumer engagement and fosters an integrated consumer experience for tax-advantaged saving, spending, and investing. Generally, our members begin by building tax-advantaged savings through contributions to their HSAs. These savings deliver immediate, practical value by helping members pay for qualified medical care, including through our marketplace. Our members' HSA savings can also be invested for long-term growth and, over time, become an important component of their financial planning. We believe that our offerings complement and reinforce one another and that member retention increases as they use their accounts with greater frequency and confidence.

Market leadership. We have established a leadership position in the HSA industry through our focus on innovation and differentiated capabilities. Our leadership position is evidenced by the increase in our market share (measured by HSA Assets), from 4% in December 2010 to 20% in June 2025, as reported in the 2025 Midyear Devenir HSA Research Report, which stated that we were the largest HSA provider by number of accounts and the second largest HSA provider by HSA Assets.

Differentiated consumer experience. We have designed our solution and support services to deliver a differentiated consumer experience, which is a function of our culture and technology. We believe this provides an advantage relative to legacy competitors.

Culture: We seek to provide customer-friendly experiences for our members, Clients, and Network Partners through what we call our "Purple" service. We believe our Purple culture is a significant factor in our ability to attract and retain customers and to address opportunities in the rapidly changing healthcare sector.

Technology: We believe our technology helps us drive member outcomes and deliver on our commitment to provide Purple service. We tailor the content of our technology platforms and the guidance of our experts to be timely, personal, and relevant to each member. For example, our technology generates health savings strategies that are delivered to our members when they interact with our platforms, including our mobile application.

Customer service and education: As a key part of our strategy and commitment to provide Purple service, our team members work directly with our Network Partners, Clients, and members, educating them about the benefits of our HSAs and other products. We employ individuals who provide real-time assistance to our members via telephone, email, or chat.

Bundled solution for HSAs and complementary CDBs. We are a market-share leader in the administration of HSAs and each of the major categories of complementary CDBs, including FSAs and HRAs, COBRA and commuter benefits. Our Clients and their benefits advisors increasingly seek HSA providers that can deliver a bundled offering of HSAs and complementary CDBs. We believe that our ability to provide a combination of HSA and complementary CDB offerings significantly strengthens our value proposition to employers, health benefits brokers and consultants, and Network Partners as a leading single-source provider.

Large and diversified channel access. We believe our differentiated distribution platforms provide a competitive advantage by efficiently enabling us to reach a growing consumer market. Our solution is built on a business-to-business-to-consumer, or B2B2C, channel strategy, whereby we work with Network Partners and Clients to reach consumers in addition to marketing our services to these potential members directly. Reaching the consumer is critical in order for us to increase the number of our HSA members. Our integrations with Network Partners have provided, and continue to provide, a key channel through which we gain access to Clients and members.

We work directly with our Network Partners and Clients to reach the consumer in various ways. Our Network Partners collectively employ thousands of sales representatives and account managers who promote both the health plan and administrator partner's health insurance products, such as HDHPs, and our products and services. Our Clients collectively employ thousands of human resources professionals who are tasked with explaining the benefits of our HSAs to their employees. Our sales and account management teams work with and train the sales representatives and account management teams of our Network Partners and the human resource professionals of our Clients on the benefits of enrolling in, contributing to, and saving and spending through our HSAs, and our Network Partners and Clients then convey these benefits to prospective members. As a result of this collaboration, we develop relationships with each member who enrolls in an HSA with us. This personalized engagement with our members constitutes our B2B2C channel strategy.

Proprietary and integrated technology solution. We have a proprietary cloud-based technology solution, which we believe is differentiated for the key reasons described below. We are currently investing in a modernization of our proprietary technology platforms, including through the increasing use of artificial intelligence ("AI") tools and technologies, to support new opportunities and enhance security, privacy and platform infrastructure, while maintaining existing applications, features, and services.

Complete solution for managing consumer healthcare saving, spending, and investing: We believe our technology platforms and marketplace drive member outcomes by enabling our members to use this technology based on their own needs and desires. For example, our members utilize our HSA platform to evaluate and pay healthcare bills through the member portal, which allows members to pay their healthcare providers, receive reimbursements, learn of savings opportunities for prescription drugs, and invest their HSA Assets for long-term growth. Members also utilize the platform's mobile app to view and pay claims on-the-go, including uploading medical and insurance documentation to the platform with their mobile phone cameras.

Purpose-built technology: Our technology solution was designed specifically to serve the needs of our members, Network Partners, other ecosystem partners and our Clients. We believe our technology enables us to both provide customer-friendly experiences and drive member outcomes by providing greater functionality and flexibility than the technologies used by our competitors, many of which were originally

developed for banking, benefits administration or retirement services. We believe we are one of few providers with a solution that encompasses all of the core functionalities of healthcare saving and spending in one integrated, secure, and compliant system, including custodial administration of individual savings and investment accounts, card and electronic funds transaction processing, benefits enrollment and eligibility, electronic and paper medical claims processing, medical bill presentment, tax-advantaged reimbursement account administration, HSA trust administration, online investment advice, and sophisticated analytics.

Innovation: We continue to invest in technology solutions to meet the evolving needs of our Network Partners, Clients and members. Among other things, we also increasingly use AI tools and technologies to improve customer service, lower costs, and increase efficiencies. Our current innovation efforts include, among others, increasing member and Client self-service capabilities, developing application programming interfaces (APIs), driving electronic communication rather than paper, increasing straight-through processing, improving overall process times utilizing traditional robotic process automation, providing our members access to healthcare solutions through our marketplace, and AI tools including the Expedited Claims and HSAnswers tools, leveraging chip-enabled stacked cards, and mobile wallet.

Data integration: Our technology solution allows us to integrate data from disparate sources. We utilize APIs to integrate with health plans, pharmacy benefit managers, employers, and other benefits provider systems. A key part of our strategy is to integrate into our partners' ecosystems, rather than requiring them to conform to ours, as many of our partners' systems rely on custom data models, non-standard formats, complex business rules, and security protocols that are difficult or expensive to change. We believe that this integration enables us to deepen our partnerships with our Network Partners and other ecosystem partners.

Configurability: Our flexible technology solution enables us to create a unique solution for each of our Network Partners. For example, a HealthEquity team member can configure product attributes, including integration with a partner's chosen healthcare price transparency or wellness tools, single sign on, sales and broker support sites, branding, member communication, custom fulfillment and payment card, savings options and interest rates, fees, and investment choices.

Scalable operating model. We believe that our model is scalable because our services are accessed primarily through our cloud-based technology platforms. After initial on-boarding and a period of education, our service costs for any given customer typically decline over time. Our opportunity to earn high-margin revenue from existing HSA members grows over time because as our HSA members' balances grow, our custodial revenue and recordkeeping and advisory service revenues increase without equivalent incremental cost to us.

Enhanced Rates. We partner with large, highly rated insurance company partners to hold, through group annuity contracts or other similar arrangements, HSA cash. We refer to this as our "Enhanced Rates" offering. Enhanced Rates is our default HSA cash offering, and a significant portion of new HSA cash is placed in Enhanced Rates. An increase in the percentage of HSA cash held in our Enhanced Rates offering positively impacts our custodial revenue, as we generally receive a higher yield on HSA cash held by our insurance company partners compared to cash held by our Depository Partners, which we refer to as our "Basic Rates" offering. In addition, increased participation in our Enhanced Rates offering reduces our exposure to short-term fluctuations in prevailing interest rates because contract repricing occurs gradually, at approximately 10% per year. The percentage of HSA cash held in our Enhanced Rates offering has increased, and we expect that it will continue to increase. As our Basic Rates contracts continue to expire, the HSA cash held in those Basic Rates contracts will transition to Enhanced Rates contracts, subject to our members retaining the right to keep their HSA cash in Basic Rates.

Strong retention rates. Retention of our HSA members has been strong over time. Individually owned trust accounts, including HSAs, have inherently high switching costs, as switching requires a certain amount of effort on the part of the account holder and may result in closure fees. We believe that our retention rates are also high due to our HSA platform's integration with the broader healthcare system used by our HSA members and our customer engagement and focus on the consumer experience.

Selective acquisition strategy. We have historically acquired HSA portfolios and businesses that we believe strengthen our service offerings. We expect to continue this growth strategy and are regularly engaged in evaluating different opportunities. We have developed an internal capability to source, evaluate, and integrate acquisitions. We believe the nature of our competitive landscape provides significant acquisition opportunities. Many of our competitors view their HSA businesses as non-core functions. We believe they may look to divest these assets and, in certain cases, be limited from making acquisitions due to depository capital requirements. Our success depends in part on our ability to successfully integrate acquired businesses and HSA portfolios with our business in an efficient and effective manner.

Technology platforms. We provide secure cloud-based platforms, accessed by our members online via our mobile application or a desktop, through which our members are empowered to make health saving, spending and investment decisions, pay healthcare bills, receive personalized benefit information, and grow their savings. The platforms provide users with access to services we provide as well as services provided by third parties selected by us or by our Network Partners. We are increasingly using AI tools and technologies to increase efficiencies and reduce costs while developing AI-powered technologies to improve our customer experience. Our delivery model for these platforms eliminates the need for our Clients to install and maintain hardware and software in order to support HSA and other CDB programs and enables us to rapidly implement product enhancements across our entire user base.

Among other features, our HSA platform includes the capability to present to users medical bills upon adjudication by a health plan, including details such as the amount paid by insurance, specific nature of the medical service provided, and diagnostic code. Users of our HSA platform can pay these bills from an account of ours or from any bank account, online, via a mobile device, or using our payment card. All users of our HSA platform gain access to our healthcare consumer specialists, available every hour of every day, via a toll-free telephone number or email. Our specialists can assist users with such tasks as optimizing the use of tax-advantaged accounts to reduce medical spending or selecting from among medical plans offered by an employer or health plan.

For a description of our cybersecurity risk management framework for our technology platforms, see Item 1C. Cybersecurity.

Cloud-based solution. Our proprietary technology is deployed as a cloud-based solution that is accessible to customers online and through our mobile app. We utilize a multi-tenant architecture that allows changes made for one Network Partner to be extended to all others. This architecture provides operating leverage by reducing costs and improving efficiencies, enabling us to maximize the utilization of our infrastructure capacity with a reduction in required maintenance. We are increasing investment in our technology and communications systems to support new opportunities and enhance security, privacy, and platform infrastructure.

Our solution is delivered via cloud-based services and hosted in third-party data centers or on a virtual private cloud with an ability to scale on demand. This allows us to quickly support our current and projected growth. We utilize regional cloud failover and multiple redundant third-party data centers to ensure continuous access and data availability. The data centers are purpose-built facilities for hosting mission critical systems with multiple built-in redundancy layers to minimize service disruptions and meet industry-standard measures.

Our business is subject to extensive, complex, and rapidly changing federal and state laws and regulations.

IRS regulations

We are subject to applicable IRS regulations, which lay the foundation for tax savings and eligible expenses under the HSAs, HRAs, tax-advantaged commuter benefits, and FSAs we administer. The IRS issues guidance regarding these regulations regularly. In addition, we are subject to conflict of interest and other prohibited transaction rules that are enforced through excise taxes under the Internal Revenue Code. Although the excise taxes are enforced by the IRS, the underlying rules are promulgated by the Department of Labor.

In February 2006, HealthEquity, Inc. received designation by the U.S. Department of Treasury to act as a passive non-bank custodian, which allows HealthEquity, Inc. to custody HSA Assets for individual account holders. In July 2017, HealthEquity, Inc. received designation by the U.S. Department of Treasury to act as both a passive and non-passive non-bank custodian, which allows HealthEquity, Inc. to custody HSA Assets for individual account holders and use discretion to direct investment of such assets held. As a passive and non-passive non-bank custodian, the Company must maintain net worth (assets minus liabilities) greater than 2% of passive custodial funds held at each fiscal year-end and 4% of the non-passive custodial funds held at each fiscal year-end in order to take on additional custodial assets. As of January 31, 2026, the Company's year-end for trust and tax purposes, the net worth of the Company exceeded the required thresholds.

Privacy and data security regulations

In the provision of HSA custodial services and directed third-party administration services for FSAs and HRAs, we are subject to the Financial Services Modernization Act of 1999 (Gramm-Leach-Bliley Act or GLBA), the Health Insurance Portability and Accountability Act of 1996 (HIPAA, as amended by the Health Information Technology for

Economic and Clinical Health Act), and similar state laws. The products and services made available through our marketplace may subject us to additional federal, state, and local laws and regulations.

GLBA imposes financial privacy and security requirements on financial institutions that relate to the collection, storage, use, and disclosure of an account holder's nonpublic personal information. Nonpublic personal information includes information that is collected or generated in the course of offering a financial product or service. For example, nonpublic personal information includes information submitted by a prospective account holder in an application, an account holder's name and contact information, and transaction information. Because part of our business is the administration of financial products such as HSAs, we are required under GLBA to send a notice of our privacy practices to account holders and to comply with restrictions on the disclosure of nonpublic personal information to non-affiliated third parties. We are also required under GLBA to establish reasonable administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of nonpublic personal information pursuant to the Federal Trade Commission's safeguards rule. Violations of GLBA can result in civil and criminal penalties.

HIPAA covered entities and their business associates are required to adhere to HIPAA privacy and security standards. Covered entities include most healthcare providers, health plans, and healthcare clearinghouses. Because we perform services (such as FSA services) for covered entities that include processing protected health information, we are a business associate and subject to HIPAA. The two rules that most significantly affect our business are: (i) the Standards for Privacy of Individually Identifiable Health Information, or the Privacy Rule; and (ii) the Security Standards for the Protection of Electronic Protected Health Information, or the Security Rule. The Privacy Rule restricts the use and disclosure of protected health information and requires us to safeguard that information and provide certain rights to individuals with respect to that information. The Security Rule establishes requirements for safeguarding protected health information transmitted or stored electronically. Both civil and criminal penalties apply for violating HIPAA, which may be enforced by both the Department of Health and Human Services' Office for Civil Rights and state attorneys general. Violations of HIPAA may also subject us to contractual remedies under the terms of business associate agreements with covered entities.

Various states also have laws and regulations that impose additional restrictions on our collection, storage, use, and disclosure of personal information. Privacy regulation in particular has become a priority issue in many states and with the federal government. For example, the California Consumer Privacy Act ("CCPA") protects certain privacy rights of California consumers and requires companies, such as ours, that process information on California residents, to make disclosures to consumers about their data collection, use, and sharing practices, and allows consumers to opt out of certain data sharing with third parties and provides a private right of action for data breaches. The CCPA does not generally apply to data subject to GLBA or HIPAA. We expect further privacy requirements to be applicable to us as a result of additional recently passed, and likely upcoming, state privacy laws similar to CCPA, which may expand consumers' rights with respect to their personal information. Several of these laws do not apply to entities or data subject to GLBA or HIPAA. The federal government also at times considers legislative and regulatory proposals concerning privacy, data protection, and cybersecurity, which may require us to implement and maintain additional operational or compliance measures.

ERISA

Our private-sector clients' FSAs, HRAs, COBRA continuation insurance, and other account-based retirement plans are covered by the Employee Retirement Income Security Act of 1974, as amended, or ERISA, which governs "employee benefits plans." Title I of ERISA does not generally apply to HSAs. ERISA generally imposes extensive reporting requirements on employers, as well as an obligation to provide various disclosures to covered employees and beneficiaries; and employers and third-party administrators that have authority or discretion over management, administration, or investment of plan assets are subject to fiduciary responsibility under ERISA. ERISA's requirements affect our FSAs, HRAs, and COBRA administration businesses. The Department of Labor can bring enforcement actions or assess penalties against employers, investment advisers, administrators, and other service providers for failing to comply with ERISA's requirements. Participants and beneficiaries may also file lawsuits against employers, investment advisers, administrators, and other service providers under ERISA.

Department of Labor

The Department of Labor, or the DOL, regulates plans that are subject to ERISA, including health FSAs, HRAs, and 401(k) and other retirement plans, as well as COBRA administration. The DOL also issues guidance related to fiduciary responsibility and prohibited transactions under ERISA and the Internal Revenue Code that affect administration of HSAs (as well as health FSAs, HRAs, and retirement plans).

The DOL issues regulations, technical releases, and other guidance that apply to employee benefit plans, tax-favored savings arrangements (including HSAs) and COBRA administration, generally. In addition, in response to a

request by an individual or an organization, the DOL's Employee Benefits Security Administration may issue an advisory opinion that interprets and applies ERISA and/or corresponding prohibited transaction rules under the Internal Revenue Code to a specific situation, including issues related to consumer-centric healthcare accounts and retirement plans.

Healthcare reform

In March 2010, the federal government enacted significant reforms to healthcare benefits through the Affordable Care Act. The legislation amended various provisions in many federal laws, including the Internal Revenue Code and ERISA. The reforms included new excise taxes that incentivize employers to provide health benefits (including HSA-compatible benefits) to all full-time employees and new coverage mandates for health plans. The rules directly affect health FSAs and HRAs and have an indirect effect on HSAs.

In July 2025, the "One Big Beautiful Bill Act" was signed into law, which expanded HSA availability to individuals with Bronze and Catastrophic health plans and expanded HSA eligibility to include a broader range of healthcare services.

Further changes to healthcare regulation remain under consideration, including "Medicare for all" plans. In addition, legislative proposals to either increase access to HSAs and similar accounts, and conversely legislation that would curtail them, are commonly introduced in both chambers of Congress and could be taken up at any time.

Investment Advisers Act of 1940

Our subsidiary HealthEquity Advisors, LLC is an SEC-registered investment adviser that provides web-only automated investment advisory services to members. As an SEC-registered investment adviser, it must comply with the requirements of the Investment Advisers Act of 1940, or the Advisers Act, and related Securities and Exchange Commission, or SEC, regulations and is subject to periodic inspections by the SEC staff. Such requirements relate to, among other things, fiduciary duties to clients, disclosure obligations, recordkeeping and reporting requirements, marketing restrictions limitations on agency cross and principal transactions between the adviser and its clients, and general anti-fraud prohibitions. The SEC is authorized to institute proceedings and impose sanctions for violations of the Advisers Act, ranging from fines and censure to termination of an investment adviser's registration. Investment advisers also are subject to certain state securities laws and regulations. Failure to comply with the Advisers Act or other federal and state securities and regulations could result in investigations, sanctions, profit disgorgement, fines or other similar consequences.

Intellectual property is important to our success. We rely on trademarks, patents, and other forms of intellectual property rights and measures, including trade secrets, know-how and other unpatented proprietary processes, and nondisclosure agreements, to maintain and protect proprietary aspects of our products and technologies. We require our team members and consultants to execute confidentiality agreements in connection with their employment or consulting relationships with us. We also require our team members and consultants to disclose and assign to us all inventions conceived during the term of their employment or engagement while using our property or which relate to our business.

Our sole geographic market is the U.S.

HealthEquity is comprised of people dedicated to empowering consumers to spend, save, and invest for healthcare by delivering Purple service. We believe that our culture is a key differentiator that drives the success of our company through, among other things, attracting and retaining top talent.

Our board of directors and its committees provide oversight on certain human capital matters. The Talent, Compensation and Culture Committee of our board of directors acts on behalf of the board to review and determine executive compensation plans, policies, and programs; oversee the Company's culture and related strategies, programs, and risks; and oversee the Company's talent management, development, and retention efforts.

As of January 31, 2026, we had 2,814 team members.

Talent acquisition and team member development

Our People team seeks to attract, hire, and develop the best, most qualified candidates and team members. HealthEquity has taken, and continues to take, steps to strengthen our talent:

Our People team uses a hiring framework which seeks to improve candidate experience, ensure quality of hire, and increase our focus on hiring practices that meet or exceed industry and legal standards.

We continued an early career internship program, offering positions across two key areas: corporate business functions and technology. We strive to attract candidates aligned with our vision and who will provide the unique viewpoints and experiences that help drive our success going forward, including by our engaging in outreach with universities where we have a strong regional presence.

We offer a library of resources for our "Grow Your Career" series with the Talent Partner and Talent Operations teams. This includes guides on how to write resumes, create a social media presence, and prepare for interviews to support team member development.

We run the Temporary On-Project Specialist (TOPS) program, which allows Member Service Specialists to experience working in other areas of the business. The program is open to all Member Service Specialists, and selected individuals who are able to support areas that need help while gaining experience that can assist with their personal and professional goals.

We offer a broad leadership development program to improve team member engagement and productivity.

We coordinate an annual company-wide learning series. Open to all teammates, sessions include leadership development, emotional intelligence, technical skills, and other professional development topics.

We also offer an annual summit for company leadership that provides an opportunity to discuss strategic priorities and initiatives and focus on leadership development and effective leadership workshops.

Pay equity

Pay equity is a crucial metric in assessing equal opportunity at HealthEquity. We strive to provide a consistent and fair remuneration strategy for all team members through our Total Rewards package. This package includes:

Base salary

Incentive/bonus pay

Stock-based compensation

401(k) with company matching

Health benefits

The Total Rewards philosophy underlying this package is intended to promote fairness and simplicity so that team members and people leaders understand the performance goals they target during the year and the outcomes that result from achieving or exceeding those goals. We strive to administer the Total Rewards package consistently and to ensure equal opportunity as follows:

Maintaining competitive pay by reviewing market data annually

Rewarding team members based on their abilities, competencies, experience, and performance levels

Effectively communicating our Total Rewards policies and practices

Complying with all applicable federal, state, and local laws and requirements

Team member engagement

We also consider team member engagement an important metric of our organizational health. We regularly seek team member feedback and measure engagement through a survey which contains three engagement key performance indicators (KPIs) that we believe provide a comprehensive measure of team member engagement. The KPIs are designed to determine whether our team members recommend HealthEquity as a great place to work, whether their work gives them a sense of accomplishment, and whether they are motivated to go above and beyond in their work.

As of October 2025, our team member engagement score was 78% favorable, 15% neutral, and 7% unfavorable, based on a participation rate of 86%. We believe that our team member engagement impacts our ability to retain our team members. For the fiscal year ended January 31, 2026, our total team member turnover was 25% and our voluntary turnover was 10%.

HealthEquity, Inc. was incorporated as a Delaware corporation on September 18, 2002. Our principal business office is located at 15 W. Scenic Pointe Dr., Ste. 100, Draper, Utah 84020. Our website address is https://www.healthequity.com. We do not incorporate the information contained on, or accessible through, our corporate website into this Annual Report on Form 10-K, and you should not consider it to be part of this report.

Our website is located at https://www.healthequity.com, and our investor relations website is located at ir.healthequity.com. Information on our website is not incorporated into this report. Copies of our Annual Reports on Form 10-K, Quarterly Reports on Form 10-Q, Current Reports on Form 8-K, and any amendments to these reports filed or furnished pursuant to Section 13(a) or 15(d) of the Exchange Act are available, free of charge, on our investor relations website as soon as reasonably practicable after we file such material electronically with or furnish it to the SEC. The SEC maintains an internet site that contains reports, proxy and information statements, and other information regarding issuers that file electronically with the SEC at https://www.sec.gov.

You should carefully consider the risks described below together with the other information set forth in this Annual Report on Form 10-K. If any of the risks described below are realized, our business, financial condition, results of operations, and prospects could be materially and adversely affected. The risks described below are not the only risks facing our company. Risks and uncertainties not currently known to us or that we currently deem to be immaterial also may materially adversely affect our business, financial condition, and operating results.

Risks relating to our business and industry

Any diminution in, elimination of, or change in the availability of tax benefits for HSAs and other CDBs would materially adversely affect us.

Substantially all of our revenue is earned from tax-advantaged HSAs and other CDBs. The efforts of governmental and third-party payers to raise revenue or contain or reduce healthcare or other costs could include restructuring the tax benefits available through HSAs and other CDBs, which may adversely affect our business, operating results, and financial condition. For example, the federal government or states may seek to raise revenues by enacting tax laws that limit or eliminate the tax deductions available to individuals who contribute to HSAs and other CDBs. We cannot predict if any new tax reforms will ultimately become law, or if enacted, what their terms or the regulations promulgated pursuant to such reforms will be. If the laws or regulations are changed to limit or eliminate the tax benefits available through these accounts, such a change would have a material adverse effect on our business.

Failure to adequately place and safeguard HSA cash and Client-held funds, or the failure of any of our insurance company partners or Depository Partners, could materially and adversely affect our business, financial condition, and results of operations.

As a non-bank custodian, we rely on our insurance company partners and federally insured custodial Depository Partners to hold HSA cash that we custody. The portion of HSA cash held by our insurance company partners continues to increase with the increasing adoption of our Enhanced Rates program. The HSA cash held through our insurance company partners is not federally insured, and our members bear the risk of loss with respect to either the failure of the insurance company partner holding their HSA cash or the breach by the insurance company partner of its obligations to guarantee principal or pay interest thereon. In addition, we deposit Client-held funds with our Depository Partners in interest-bearing demand deposit accounts, and federal deposit insurance may not be available for certain Clients.

If any material adverse event were to affect one of our insurance company partners or Depository Partners, including a significant decline in its financial condition, a decline in the quality of its service, a loss of deposits, its inability to comply with applicable insurance, banking, or other regulatory requirements, systems failure, or its inability to return principal or pay interest thereon, our business, financial condition, and results of operations could be materially and adversely affected. In addition, in the event of such a failure of, or breach by, one of our insurance company partners, the HSA cash held through that insurance company partner would be at risk and no assurance can be given that our contractual arrangements with that insurance company partner would be sufficient for our members to fully recover their HSA cash, which would in turn result in reputational and financial harm to the Company.

In addition, certain of our insurance company partners have commitments to us with respect to the interest rates paid; however, some of these commitments are conditional upon certain market events or the satisfaction of our obligations to the partner. A reduction of the interest rate payable, or a requirement that we post collateral in lieu of any such reduction, could have a material and adverse impact on our business, financial condition, and results of operations.

Failure to adequately manage the liquidity of the custodial assets held by our insurance company partners and Depository Partners could materially and adversely affect our business, financial condition, and results of operations.

Certain of our arrangements with our insurance company partners and Depository Partners require that we keep a minimum amount of HSA cash with such partner. If we fail to comply with those minimum HSA cash requirements, including as a result of withdrawals by our members, we may be subject to penalties payable to our partners or a reduction in the interest paid to us under such arrangements. Such penalties or reductions, if imposed, could have a material and adverse impact on our business, financial condition, and results of operations, and we may not have sufficient capital on hand to pay such penalties.

A decline in interest rates would reduce our income on our HSA Assets and Client-held funds and our ability to attract HSA contributions.

We partner with our insurance company partners and Depository Partners to hold our HSA Assets and other Client-held funds. We earn a substantial portion of our revenue from fees we earn from our insurance company partners and Depository Partners which comprised approximately 48%, 45%, and 39% of our revenues during the fiscal years ended January 31, 2026, 2025, and 2024, respectively. A decline in prevailing interest rates would negatively impact our business by reducing the yield we realize on our HSA Assets and other Client-held funds. In addition, if we do not offer competitive interest rates on HSA Assets, our members may choose another HSA custodian. Any such scenario could materially and adversely affect our business and results of operations.

A decline in the value of invested HSA Assets would adversely affect our results of operations.

If the value of invested HSA Assets that our members hold declines, whether due to market conditions or other factors, our fees received on invested HSA Assets, which are based on a percentage of the asset values, would be adversely affected, which would in turn negatively impact our results of operations.

If we are not successful in adapting to our rapidly evolving industry, our growth may be limited, and our business may be adversely affected.

The market for our products and services is subject to rapid and significant change and competition. The market for administering HSAs and other CDBs is characterized by rapid technological change, new product and service introductions, evolving industry standards, changing customer needs, existing competition, price sensitivity, and the entrance of non-traditional competitors. In addition, there may be a limited-time opportunity to achieve and maintain a significant share of this market due in part to our rapidly evolving industry, industry consolidation, and the substantial resources available to our existing and potential competitors. In order to remain competitive, we are continually involved in a number of projects to develop new services or compete with these new market entrants.

These projects carry risks, such as cost overruns, delays in delivery, performance problems, and lack of acceptance by our Clients, Network Partners, marketplace partners, and members.

Any diminution in the use of HSAs or other CDBs would materially adversely affect us.

We believe that many consumers are not familiar with, or do not fully appreciate, the tax-advantaged benefits of HSAs and other CDBs. Our success depends on the willingness of consumers to increase their use of HSAs and other CDBs, our ability to increase engagement, and our ability to demonstrate the value of our services to our existing and potential Clients, Network Partners, and members.

If our members do not fully use their HSAs or CDBs, if employers reduce or cease to offer HSAs or other CDB programs, if the rate of adoption of these accounts decreases, if existing Clients, Network Partners, and members do not recognize or acknowledge the benefits of our services or we do not drive engagement, then the market for our services might decline or develop more slowly than we expect, which could adversely affect our operating results.

The expanding use or anticipated use of AI technologies, including generative AI, by us or third parties, may increase or create new operational and competitive risks.

AI technologies - including generative AI - present numerous opportunities, such as benefits from increased operational efficiencies and innovative new products. The use of AI technologies by us, our service providers, and our competitors has increased recently, and we expect it to further increase rapidly. We utilize AI to streamline administrative processes and improve the experience for our members. These applications have and likely will continue to become increasingly important to our operations.

However, the development and deployment of such technologies also pose significant risks. For example, new products and services incorporating or utilizing AI and machine learning may raise technological, security, legal, reputational, and other risks and challenges related to, among other items, the use of personal information or the information of clients who have not granted permission for the use of their data in such AI systems, flaws in our models or training datasets that may result in biased or inaccurate results, or other unanticipated outcomes, ethical considerations regarding AI, potential infringement of third-party intellectual property rights, exposure of data, and our ability to safely deploy and implement governance and controls for AI systems. We are also exposed to risks arising from the use of AI technologies by bad actors, who may use such technologies to commit fraud, misappropriate funds, and facilitate cyberattacks. Further, our competitors may adopt AI or generative AI more quickly or more effectively than we do, causing competitive harm. AI is subject to rapidly evolving domestic and international laws and regulations, the scope and requirements of which may be inconsistent across jurisdictions and which could impose significant costs and obligations on us. Any of these risks could negatively impact our reputation, the demand for our products and services, and our financial condition and results of operations.

We may be unable to compete effectively against our current and future competitors.

The market for our products and services is highly competitive. We view our competition in terms of direct and indirect competitors. Our direct HSA competitors are well-known retail investment companies, such as Fidelity Investments, HSA custodians and administrators that include state or federally chartered banks, such as Webster Bank and Optum Bank, insurance companies, and non-bank custodians approved by the U.S. Treasury. We also have numerous indirect HSA administration competitors, including benefits administrators and health plans, that license technology platforms and partner with other HSA custodians to provide "white label" HSA offerings. Our other CDB administration competitors include health insurance carriers, human resources consultants and outsourcers, payroll providers, national CDB specialists, regional third-party administrators, and commercial banks, and these competitors have entered, and others may also enter, the HSA market or expand existing HSA offerings to compete with us. Our marketplace initiative also faces competition from telehealth companies with whom we are not affiliated, other providers of similar marketplaces, the producers of products and services competitive with the products and services made available through our marketplace, as well as from similar initiatives by our direct HSA competitors.

An increased focus on HSA-favorable healthcare regulatory reforms may create renewed interest and investment by our competitors in their HSA offerings and lead to greater competition, which could make it harder for us to maintain our growth trajectory. This risk would be compounded if legal requirements or administrative rules are interpreted in a way that makes compliance more onerous for us than for our competitors.

If one or more of our competitors were to merge or partner with another of our competitors, the change in the competitive landscape could materially adversely affect our ability to compete effectively. Our competitors have and may continue to establish or strengthen cooperative relationships with our current or future Network Partners, marketplace partners, or other strategic partners, thereby limiting our ability to promote our solution with these parties. We have seen an increase in Network Partners that have decided to offer HSAs or other CDBs directly to their customers, and a continuation of this trend would significantly reduce our channel partner opportunities and result in account attrition.

Well-known retail mutual fund companies, such as Fidelity Investments, have entered the HSA and CDB business and gained significant market share. Our market share could decline if Fidelity Investments and other mutual fund companies continue expanding their presence in the market. These investment companies have significant advantages over us in terms of brand name recognition, years of experience managing tax-advantaged retirement accounts (e.g., 401(k) and IRA), highly developed recordkeeping, trust functions, and fund advisory and customer relations management, among others. If we are unable to compete effectively with these mutual fund company competitors, our results of operations, financial condition, business, and prospects could be materially adversely affected.

Many of our competitors, in particular banks, insurance companies, and other financial institutions, have longer operating histories and significantly greater financial, technical, marketing, and other resources than we have. As a result, some of these competitors are in a position to devote greater resources to the development, promotion, sale, and support of their products and services and have offered, or may in the future offer, a wider range of products and services that are increasingly desired by potential customers, and they have also used advertising and marketing strategies (including loss-leaders) that achieve broader brand recognition or acceptance.

Finally, our competitors may have the ability to devote more financial and operational resources than we can to developing new technologies and services, including services that provide improved operating functionality, and adding features to their existing service offerings. They may have a greater ability to use AI to provide enhanced products and service offerings. If successful, their development efforts could render our services less desirable, resulting in the loss of our existing customers or a reduction in the fees we earn from our products and services.

Developments in the rapidly changing healthcare industry could adversely affect our business.

Substantially all of our revenue is derived from healthcare-related saving and spending by consumers, which could be affected by changes affecting the broader healthcare industry, including decreased spending in the industry overall. General reductions in expenditures by healthcare industry participants could result from, among other things:

government regulation or private initiatives that affect the manner in which healthcare industry participants interact with consumers and the general public;

consolidation of healthcare industry participants;

reductions in governmental funding for healthcare; and

adverse changes in general business or economic conditions affecting healthcare industry participants.

Even if general expenditures by industry participants remain the same or increase, developments in the healthcare industry may result in reduced spending in some or all of the specific market segments that we serve now or in the future. The healthcare industry has changed significantly in recent years, and we expect that significant changes will continue to occur. However, the timing and impact of developments in the healthcare industry are difficult to predict. There is no assurance that the demand for our products and services will continue to exist at current levels or that we will have adequate technical, financial, and marketing resources to react to changes in the healthcare industry.

If our members do not continue to utilize our payment cards, our results of operations, business, and prospects would be materially adversely affected.

We derived 15%, 15%, and 16% of our total revenue during the fiscal years ended January 31, 2026, 2025, and 2024, respectively, from interchange fees that are paid to us when our customers utilize our payment cards. These fees represent a percentage of the expenses transacted on each card. If our customers do not use these payment cards at the rate we expect, if they elect to withdraw funds using a non-revenue generating mechanism such as direct reimbursement, or if other alternatives to these payment cards develop, our results of operations, business, and prospects would be materially adversely affected.

If we fail to operate our marketplace effectively, if our Network Partners, Clients, or members respond negatively to our marketplace, or if our marketplace partners, products, or services are disrupted, our business may be adversely affected.

We generate revenue from our marketplace partners who provide the HSA or FSA eligible products and services, including access to telehealth consultations, certain healthcare programs, and certain prescription medications through a third-party partner, to our members. The growth of our marketplace is dependent on our ability to operate the marketplace in a regulatorily compliant manner, market to members effectively and in a cost-efficient manner, and adapt to demands of our Network Partners, Clients, and members. Failure to operate the marketplace effectively could have a negative impact on our growth opportunities.

In addition, negative publicity concerning our marketplace, our marketplace partners, or member experience using our marketplace could limit acceptance of this offering by our Network Partners, Clients, or members, which would adversely affect our revenue and future growth opportunities.

We are dependent upon the partnerships we have entered into for certain of the products, programs, and services available in our marketplace which could be negatively affected if those partnerships are disrupted or experience negative publicity. Such disruption of our partners, along with any negative developments regarding the products, programs, and services made available through the marketplace, could damage our brand, subject us to liability, affect our ability to retain Network Partners, Clients and members, and harm our business and financial results.

The products, programs, and services made available through our marketplace may also subject us to additional federal, state, and local laws and regulations, and a failure to comply with any such law or regulation could have a negative effect on our business, financial condition, and results of operations, and may expose us to civil and criminal penalties. For example, one of our marketplace partners, in addition to offering branded GLP-1 medications as part of its weight loss programs, also offers access to compounded GLP-1 medications, and the regulatory environment around compounded GLP-1 medications has been volatile. The products, programs, and services made available through the marketplace are part of highly competitive markets, and introduce new and more sophisticated competitors to us, which could result in scrutiny, competitive pressures, and litigation from these competitors.

Failure to maintain effective internal control over financial reporting could have a material adverse effect on our reputation, results of operations, and financial condition.

Effective internal control over financial reporting is necessary for us to provide reliable financial reports, prevent fraud, and operate successfully as a public company. Any failure, whether in connection with our growth, acquisitions, or otherwise, to execute on our internal controls and continue to maintain effective internal controls, to timely implement any necessary additional improvement to our internal controls, or to effect remediation of any future material weakness or significant deficiency could, among other things, result in losses from fraud or error, harm our reputation, result in regulatory fines, penalties, or investigations, or cause investors to lose confidence in our reported financial information, all of which could have a material adverse effect on our reputation, results of operations, or financial condition.

Management reviews and updates our systems of internal controls and procedures, as appropriate. Any system of controls is based in part on certain assumptions and can provide only reasonable, not absolute, assurances that the objectives of the system are met. Any failure or circumvention of our controls and procedures or failure to comply

with regulations related to controls and procedures could have a material adverse effect on our reputation, results of operations and financial condition.

Data security, technological, and intellectual property risks

Cyber attacks, including ransomware attacks, or other privacy or data security incidents could materially adversely impact our business.

As one of the largest providers of HSAs and other CDBs, our proprietary technology platforms enable the exchange of, and access to, sensitive information. As a result, we are frequently the target of cyber attacks, including ransomware attacks, which means we must continue to monitor and take steps to secure each of our technology platforms, making sure these platforms are aligned to our industry benchmark security posture. In addition, geopolitical events, including the war between Russia and Ukraine, have resulted in, and may continue to result in, an increase in cyber attacks.

Substantially all of our workforce works remotely. This remote work environment increases the risk of cybersecurity breaches and incidents, and the potential impact of these on our operations is also higher while our team members log into our network remotely. In addition, we use third-party partners to service our members. These third-party partners must have access to member information in order to provide this service. Third-party partner remote access to our member information further increases the risk of cybersecurity breaches and incidents through those partners, and from time to time our third-party partners are also the victims of cybersecurity breaches and incidents that may involve member information.

Our ability to ensure the security of our technology platforms and sensitive customer and partner information is critical to our operations. We rely on standard Internet and other security systems to provide the security and authentication necessary to effect secure transmission of data. Despite our security measures, our information technology and infrastructure are vulnerable to cybersecurity threats, including attacks by hackers, AI-powered threats, human error, insider threats, and other malfeasance or outages. Such threats could result in actual security events that compromise our networks, or those of third-party service providers on which we rely, and result in the information stored or transmitted there to be accessed, modified, or used in an unauthorized manner, publicly disclosed, lost, or stolen. Such access, use, disclosure, or other loss of information may result in regulatory scrutiny, and legal claims and liability, including under laws that protect the privacy of personal information, as it has in the recent past. Cybersecurity events disrupt our operations and the services we provide to our Clients, damage our reputation, and cause a loss of confidence in our products and services, which could adversely affect our business, operations, and competitive position.

Security breaches, including a major breach of our network security and systems, could result in serious negative consequences for our business, including the loss of sensitive information, theft or loss of actual funds, litigation, indemnity obligations to our Clients, fines, penalties, regulatory scrutiny, and other liabilities, including under laws that protect the privacy of personal information, and disrupt our operations and the services we provide to our members, Clients and Network Partners. We have been the victim of such breaches, which have damaged our reputation and caused a loss of confidence in our products and services, and which may lead to a reduction in demand and result in an unwillingness of members, Clients, Network Partners, and other data owners to provide us with their payment information or personal information, and otherwise harm our brand. Furthermore, when third parties improperly obtain and use the personal information of our members, we are required to expend significant resources to investigate and resolve these problems.

While we have security measures in place, we have experienced data privacy incidents in the past, including an incident in 2024 in which a business partner's user account containing personally identifiable information was breached. As a result of the incident, we are now subject to a consolidated putative class action lawsuits seeking unspecified damages, and we are subject to regulatory inquiries related to the incident, which may lead to fines or other enforcement by these regulators. Whether as a result of these incidents, or if our security measures are breached again or unauthorized access to data is otherwise obtained as a result of third-party action, team member error, or otherwise, our reputation could be significantly damaged, our business may suffer, and we could incur substantial liability, which could result in loss of sales, Clients and Network Partners.

Because techniques used to obtain unauthorized access to or sabotage systems change frequently and such novel techniques, including by use of AI technologies by threat actors, may not be identified until they are launched against a target, we may be unable to anticipate, or to implement adequate preventative measures to address, these techniques. Any or all of these issues could negatively impact our ability to attract new, or increase engagement by, members, Clients and Network Partners, and subject us to third-party lawsuits, regulatory actions or fines, contractual liability, and other action or liability, thereby harming our operating results or financial condition.

Fraudulent activity, whether involving member accounts or our third-party service providers, has led, and could continue to lead, to financial and reputational damage to us and could reduce the use and acceptance of our products and services.

Criminals are using increasingly sophisticated methods, including AI, to obtain personal information, which they then use to commit fraud. As a non-bank custodian of HSAs, we are frequently targeted by sophisticated and persistent bad actors for fraudulent activity, through various tactics such as high-volume credential stuffing attacks, denial of service attacks, and social engineering attacks, among others. For example, in the fiscal year ended January 31, 2025, and the fiscal quarter ended April 30, 2025, we experienced a significant increase in the volume and sophistication of outside fraudulent activity targeting member accounts, resulting in a significant loss to us as we incurred service costs to reimburse and protect impacted members. Losses due to fraud committed against us and our Clients, members, and Network Partners may not be covered by insurance policies, and losses not covered by insurance may be material. Even in the event that losses relating to fraudulent activity are covered by insurance, premiums and/or deductibles related to our insurance coverage may increase or the scope of our coverage may decrease, any of which could have an adverse impact on our financial results.

We are also vulnerable to criminal fraudulent activity through our third-party service providers. We rely upon third parties to provide certain services, such as some transaction processing services and data feeds, and such reliance subjects us to risks related to the vulnerabilities of those third parties. For example, we are exposed to risks relating to the theft of payment card numbers housed in a merchant's point of sale systems if our members use our payment cards at a merchant whose systems are compromised. We may reimburse our members for losses sustained when using our payment cards, even in instances where we are not directly responsible for the underlying cause of such loss.

In addition, because of a significant increase in outside fraudulent member account activity, we have suffered reputational damage that could reduce the use and acceptance of our products and services, or cause our Clients, members, and Network Partners to look for alternative providers. Further fraud incidents, or increases in the overall level of fraud involving either member accounts, our reimbursement administrative services, or our third-party service providers, could result in financial and reputational damage to us. If we fail to successfully protect against fraud in the future, our business and financial results may be adversely affected.

We rely on software licensed from third parties that may be difficult to replace or that could cause errors or failures of our technology platforms that could lead to lost customers or harm to our reputation.

We rely on certain cloud-based software licensed from third parties to run our business. This software may experience outages, may not continue to be available to us on commercially reasonable terms and any loss of the right to use any of this software could result in, among others, delays in producing our financial statements, risks to our security environment, or the provisioning of our products and services until equivalent technology is either developed by us, or, if available, identified, obtained, and integrated into our systems and processes, which would likely take a significant amount of time and harm our business. In addition, we have service level agreements with certain of our Clients and Network Partners for which the availability of this software is critical. Any decrease in the availability of our services as a result of errors, defects, a disruption, or failure of our licensed software may require us to provide significant fee credits or refunds to our customers. Our software licensed from third parties is also subject to change or upgrade, which may result in us incurring significant costs to implement such changes or upgrades and interruptions or delays in our services as a result of such changes or upgrades.

Developing and implementing new and updated applications, features, and services for our technology platforms may be more difficult than expected, may take longer and cost more than expected, or may result in the platforms not operating as expected.

Attracting and retaining new Clients and Network Partners requires us to continue to improve the technology underlying our proprietary technology platforms and requires our technology to operate as expected. In addition, potential Clients and Network Partners are increasingly seeking a bundled solution, encompassing a wide range of features. We are currently investing in a modernization of our proprietary technology platforms to support new opportunities and enhance security, privacy, and platform infrastructure, while maintaining existing applications, features, and services. If we are unable to do so on a timely basis or if we are unable to implement this modernization without disruption to our existing applications, features, and services, or if we encounter technical obstacles that result in the technology not operating properly, we may lose potential and existing Clients and Network Partners. We rely on a combination of internal development, strategic relationships, licensing, and acquisitions to develop our content offerings, products, and services. These efforts may be more expensive than expected, take longer to develop and implement, and require additional personnel and resources.

The revenue opportunities earned from these efforts may fail to justify the effort or resources spent and may not have the anticipated returns on attracting and retaining new Clients and Network Partners. In addition, material performance problems, defects or errors in our existing or new software have occurred and may occur in the future. Similar challenges in the future may affect our reputation, the demand for our products and services, our financial condition and results of operations, and otherwise draw adverse regulatory scrutiny.

New products and services, including those incorporating or utilizing AI and machine learning, may raise technological, security, legal, and other risks and challenges related to, among other items, the use of personal information in such AI systems, flaws in our models or training datasets that may result in biased or inaccurate results or other unanticipated outcomes, ethical considerations regarding AI, potential infringement of third-party intellectual property rights, and our ability to safely deploy and implement governance and controls for AI systems. Realization of these risks could negatively impact our reputation, the demand for our products and services, our financial condition and results of operations, and otherwise draw adverse regulatory scrutiny.

Disruptions of service at our facilities, our servers, our third-party data centers, or our cloud service providers have interrupted and delayed our customers' access to our products and services and will be harmful if repeated.

The ability of our team members, members, Network Partners, and Clients to access our technology platforms is critical to our business. We may experience disruptions to certain data centers and servers upon which we rely to provide timely services to our clients. For example, an unplanned storage service outage in 2024 led to multiple critical services for our members being unavailable and degraded. We cannot ensure that the measures we have taken to enable access to our technology platforms, including changes in response to previous disruptions to important platforms, will be effective to prevent or minimize interruptions to our operations. Our technology platforms are hosted by third-party data centers, and we increasingly rely on third-party cloud service providers to support our technology platforms. Our facilities, our third-party data centers, and our cloud service providers are vulnerable to interruption or damage from a number of sources, many of which are beyond our control, including, without limitation:

extended power loss or other failure of critical infrastructure;

telecommunications failures from multiple telecommunications providers;

natural disaster or an act of terrorism;

software and hardware errors, or failures in our own systems or in other systems;

mistakes in updating, maintaining, and accessing databases, data centers, and servers;

network environment disruptions such as computer viruses, hacking, and similar problems in our own systems and in other systems;

theft and vandalism of equipment; and

actions or events caused by or related to third parties.

We attempt to mitigate these risks through various business continuity efforts, including redundant infrastructure, 24/7/365 system activity monitoring, backup and recovery procedures, use of a secure storage facility for backup media, separate production and test systems, and change management and system security measures, but our precautions, even after previous incidents, may not protect against all potential problems. Our data recovery centers are equipped with physical space, power, storage and networking infrastructure and Internet connectivity to support our technology platforms in the event of the interruption of services at our data centers. Even with these data recovery centers, our operations can be interrupted during transition processes when our primary and other data centers experience failures. Disruptions at our data centers may cause disruptions to our technology platforms and lead to data loss or corruption. We have experienced interruptions and delays in service and availability for data centers, and bandwidth and other technology issues in the past. Frequent or persistent system failures that result in the unavailability of our technology platforms or slower response times could reduce our members', Clients', and Network Partners' ability to access our technology platforms, impair the delivery of our products and services, and harm the perception of our platforms as reliable, trustworthy, and consistent. Any future errors, failure, interruptions, or delays experienced in connection with these third-party technologies could delay access to our products by members, Clients and Network Partners, which would harm our business. This could damage our reputation, subject us to potential liability or costs related to defending against claims or cause our members, Clients and Network Partners to cease doing business with us, any of which could negatively impact our financial results.

Our technology platforms may link to or utilize open source software, and any failure to comply with the terms of one or more of these open source licenses could negatively affect our business.

Our technology platforms may incorporate software covered by open source licenses. The terms of various open source licenses have not been interpreted by United States courts, and there is a risk that such licenses could be

construed in a manner that imposes unfavorable conditions on us. For example, by the terms of certain open source licenses, we could be required to offer our technology platforms that incorporate the open source software for no cost, that we make publicly available source code for modifications or derivative works that we created based upon, incorporating or using the open source software, and/or that we license such modifications or derivative works under the terms of the particular open source license. If portions of our proprietary software are determined to be subject to an open source license, then the value of our technologies and services could be reduced.

In addition to risks related to license requirements, usage of open source software may be riskier than use of third-party commercial software, as open source licensors generally do not provide warranties or controls on the origin of the software. Many of the risks associated with usage of open source software cannot be eliminated and could negatively affect our business.

Legal and regulatory risks

The healthcare regulatory and political framework is uncertain and evolving, and we cannot predict the effect that further healthcare reform and other changes in government programs may have on our business, financial condition, or results of operations.

Healthcare laws and regulations are rapidly evolving and may change significantly, which could adversely affect our financial condition and results of operations. In addition, proposals to implement a single payer or "Medicare for all" system in the U.S. or in individual states, if adopted, could have a material adverse effect on our business. The full impact of healthcare reform and other changes in the healthcare industry and in healthcare spending is unknown. Accordingly, we are unable to predict what effect healthcare reform measures will have on our business.

Changes in applicable federal and state laws relating to HSAs and other CDBs could materially adversely affect our business.

HSAs and other CDBs exist as a result of provisions in the Internal Revenue Code and other laws and regulations. Changes to the regulatory landscape impacting our products require substantial time and costs for us to ensure our products are compliant. In addition, federal or state governments could impose laws that limit the eligibility requirements for our products, which could limit our ability to grow or cause us to lose existing members, or such governments could change the eligibility requirements we must meet to maintain the licenses we need to offer our products. We cannot predict if any new reforms will ultimately become law, or if enacted, what their terms or the regulations promulgated pursuant to such reforms will be, and such reforms could have a material adverse effect on our business.

We are subject to privacy regulations, including regarding the access, use, and disclosure of personal information, and the privacy breaches that we or our third-party service providers have experienced or may experience in the future could result in substantial financial and reputational harm, including possible criminal and civil penalties.

We and certain third party service providers process sensitive personal information in connection with our services, including, where applicable, protected health information and nonpublic personal information. A failure to comply with evolving privacy and data protection requirements including sector-specific regimes such as HIPAA, as amended by the Health Information Technology for Economic and Clinical Health Act ("HITECH"), which govern protected health information, the Gramm-Leach-Bliley Act, which governs nonpublic personal information, and various state privacy and breach-notification laws, or a failure to prevent unauthorized access to or disclosure of personal information due to cyberattack, human error, system misconfiguration, third-party compromise, or other security incident or event could result in regulatory investigations, penalties, litigation (including class actions), contractual claims, member losses, remediation and monitoring costs, operational disruption, and reputational harm. We experienced privacy/security incidents in the past (including an incident in 2024 involving a third-party user account) and future incidents could have greater impact. While we maintain formal privacy and security programs, third-party oversight, and incident response and notification processes designed to mitigate risks to the confidentiality, integrity, and availability of the sensitive information, including personal information that we hold, residual risk remains. Compliance costs may increase as requirements and expectations continue to change, along with the possibility of costly penalties in the event we are deemed to not be in compliance with such laws and regulations. Privacy and data protection regulation have become priority issues in many states, and, as such, the regulatory environment is continually changing. For example, many states provide a private right of action for data breaches. Additional privacy requirements are expected as new state and federal privacy laws are enacted.

Legislative, regulatory, and legal developments involving taxes could adversely affect our results of operations and cash flows.

We are subject to U.S. federal and state income, payroll, property, sales and use, and other types of taxes in numerous jurisdictions. Significant judgment is required in determining our provisions for income taxes. Changes in tax rates, enactments of new tax laws, revisions of tax regulations, and claims or litigation with taxing authorities could result in substantially higher taxes.

We do not collect sales and use taxes in all jurisdictions in which our customers are located, other than from sales of certain commuter services, based on our belief that such taxes are generally not applicable to our services. Sales and use tax laws and rates vary by jurisdiction and such laws are subject to interpretation. In those jurisdictions and in those cases where we do believe sales taxes are applicable, we collect and file timely sales tax returns.

Currently, such sales taxes apply to certain commuter services, but otherwise are minimal to the rest of our services. Jurisdictions in which we do not collect sales and use taxes may assert that such taxes are applicable, which could result in the assessment of such taxes, interest, and penalties, and we could be required to collect such taxes in the future. Such additional sales and use tax liability could adversely affect the results of our operations.

Regulatory changes and changes in the enforcement environment may have an adverse result on our business.

Changes to regulations and the enforcement environment create uncertainty around our business and our Clients. In addition, changes to the legal, regulatory, or political environment may require management's attention, divert resources from other areas, and expose us to potential liability.

As a federal contractor, we are required to follow federal law, including executive orders, directed at federal contractors. We are unable to anticipate the scope of potential changes federal contractors will be required to comply with and cannot predict what impact any such changes may have on us or whether we will be able to implement adequate preventative measures to address any future requirements.

Additionally, we administer programs allowing eligible federal government employees access to our technology platforms and services. We generate revenue from this relationship, and in the event that the program or the number of federal employees who participate in the program change significantly, our financial results could be affected.

Changes in laws and regulations relating to interchange fees on payment card transactions could adversely affect our revenue and results of operations.

Existing laws and regulations limit the fees or interchange rates that can be charged on payment card transactions. For example, the Federal Reserve Board has the power to regulate payment card interchange fees and has issued a rule setting a cap on the interchange fee an issuer can receive from a single payment card transaction. Our HSA-linked payment cards are exempt from this rule, although we are subject to a general requirement of reasonable compensation for services rendered. To the extent that our payment cards lose their exempt status, the interchange rates applicable to transactions involving our payment cards could be impacted, which could have a material adverse effect on our financial condition and results of operations.

Failure to comply with, or changes in, payment card industry, credit card association or other network rules or standards set by Visa or changes in card association and debit network fees or products or interchange rates, could materially adversely affect us.

We, and the banks that issue our prepaid debit cards, are subject to Payment Card Industry Data Security Standards and Visa association rules that could subject us to a variety of fines or penalties that may be levied by the card associations or networks for acts or omissions by us or businesses that work with us, including card processors. Failure to comply with these rules and standards could result in significant fines, other penalties, or the termination of our interchange revenue agreements. The termination of the card association registrations held by us or any of the banks that issue our cards, or any changes in card association or other debit network rules or standards, including interpretation and implementation of existing rules, participants deciding to use PIN networks, standards, or guidance that increase the cost of doing business or limit our ability to provide our products and services, or limit our ability to receive interchange fees, could have a material adverse effect on our results of operations, financial condition, business, and prospects. In addition, from time-to-time, card associations increase the organization or processing fees that they charge, which could increase our operating expenses, reduce our profit margin, and materially adversely affect our results of operations, financial condition, business, and prospects.

We are subject to complex regulation, and any compliance failures or regulatory action could adversely affect our business.

Our business, including HSAs and many of the CDBs we administer and our investment adviser and trust company subsidiaries, is subject to extensive, complex, and frequently changing federal and state laws and regulations, including IRS, Health and Human Services ("HHS"), and Department of Labor ("DOL") regulations; ERISA, HIPAA, HITECH, and other privacy and data security regulations; the Advisers Act; state banking laws; state third-party administrator laws; the Patient Protection and Affordable Care Act; and developing regulation regimes for the use of AI.

Our subsidiary HealthEquity Advisors, LLC is an SEC-registered investment adviser that provides automated web-only investment advisory services. As such, it must comply with the requirements of the Advisers Act and related SEC regulations and is subject to periodic inspections by the SEC staff. Such requirements relate to, among other things, fiduciary duties to clients, disclosure obligations, recordkeeping and reporting requirements, marketing restrictions, limitations on agency cross and principal transactions between the adviser and its clients, and general anti-fraud prohibitions. The SEC is authorized to institute proceedings and impose sanctions for violations of the Advisers Act, ranging from fines and censure to termination of an investment adviser's registration. Investment advisers also are subject to certain state securities laws and regulations.

Our subsidiary HealthEquity Trust Company is a non-depository trust company and subject to regulation and supervision by the Wyoming Division of Banking.

As we continue to innovate and improve our products and services by leveraging automated decision making, machine learning, and AI, our business model may be affected by global trends and laws that regulate the use of these developing technologies. Such laws or regulations may restrict or impose burdensome and costly requirements on our ability to use AI and machine learning and also may impact our ability to use certain data for developing our products and services.

Compliance with regulatory requirements requires resources and takes significant time and effort. Any claim of noncompliance, regardless of merit or ultimate outcome, could subject us to investigation by the HHS, the DOL, the SEC, the Wyoming Division of Banking, or other regulatory authorities. This in turn could result in additional claims or class action litigation brought on behalf of our members, Clients or Network Partners, any of which, regardless of merit or ultimate outcome, could result in substantial cost to us and divert management's attention and other resources away from our operations. Furthermore, investor perceptions of us may suffer, and this could cause a decline in the market price of our common stock. Our compliance processes may not be sufficient to prevent assertions that we failed to comply with any applicable law, rule, or regulation. In addition, all of our business is subject, to varying degrees, to fiduciary and other service provider obligations under ERISA, the Internal Revenue Code, and underlying regulations. A failure to comply with these or other regulatory and compliance obligations could subject us to disgorgement of profits, excise taxes, civil penalties, private lawsuits, and other costs, including reputational harm.

If we are unable to meet or exceed the net worth test required by the IRS, we could be unable to maintain our non-bank custodian status.

As a non-bank custodian, we are required to comply with Treasury Regulations Section 1.408-2(e), including the net worth requirements set forth therein. If we should fail to comply with the Treasury Regulations' non-bank custodian requirements, including the net worth requirements, such failure would materially and adversely affect our ability to maintain our current custodial accounts and grow by adding additional custodial accounts, and it could result in the institution of procedures for the revocation of our authorization to operate as a non-bank custodian.

Risks relating to our service and culture

Any failure to offer high-quality member, Client, and Network Partner support services could adversely affect our relationships with our members, Clients, and Network Partners and our operating results.

Our members, Clients, and Network Partners depend on our support and education organizations to educate them about, and resolve technical issues relating to, our products and services. We may be unable to respond quickly enough to accommodate short-term increases in demand for education and support services. Increased demand for these services, without a corresponding increase in revenue, could increase costs and adversely affect our operating results.

Our sales process is highly dependent on the reputation of our products, services, and business and on positive recommendations from our existing members, Clients and Network Partners. Further, we use third-party service providers for certain call centers and COBRA claims and transaction processing, including certain offshore service

providers for member chat service, which service providers may not provide the same quality of support services for our Clients and members. Any failure to maintain high-quality education and technical support, or a market perception that we do not maintain high-quality education support, could adversely affect our reputation, our ability to sell our products and services to existing and prospective customers, and our business and operating results. We promote 24/7/365 education and support along with our proprietary technology platforms. Interruptions or delays that inhibit our ability to meet that standard have hurt our reputation and ability to attract and retain customers, and any such interruptions or delays in the future would likely also do so.

We rely on our management team and team members, and our business could be harmed if we are unable to retain qualified personnel.

Our success depends, in part, on the skills, working relationships and continued services of our executive team and other key personnel. While we have entered into employment agreements with our executive officers, all of our team members are "at-will" employees, and their employment can be terminated by us or them at any time, for any reason, and without notice, subject, in certain cases, to severance payment rights. In order to retain valuable team members, in addition to salary and cash incentives, we provide equity-based awards that vest over time or based on performance. The value to team members of these awards will be significantly affected by movements in our stock price that are beyond our control and may at any time be insufficient to counteract offers from other organizations.

The departure of key personnel could adversely affect the conduct of our business. In such event, we would be required to hire other personnel to manage and operate our business, and there can be no assurance that we would be able to employ a suitable replacement for the departing individual, or that a replacement could be hired on terms that are favorable to us. Volatility or lack of performance in our stock price may affect our ability to attract replacements should key personnel depart.

Our success also depends on our ability to attract, retain, and motivate additional skilled management personnel and other team members. For example, competition for qualified personnel in our field is intense due to the limited number of individuals who possess the skills and experience required by our industry. New hires require significant training and, in most cases, take significant time before they achieve full productivity. New team members may not become as productive as we expect, and we may be unable to hire or retain sufficient numbers of qualified individuals. If our retention efforts are not successful or our team member turnover rate increases, our business, results of operations, and financial condition could be materially and adversely affected.

If we cannot maintain our corporate culture as we grow, we could lose the innovation, teamwork, passion, and focus on execution that we believe contribute to our success.

We believe that a critical component to our success has been our corporate culture. We have invested substantial time and resources in building our team. As we continue to grow, including through our acquisitions, we have found it difficult to maintain these important aspects of our corporate culture. In addition, it is difficult to instill our culture in our now predominantly remote workforce. Any failure to preserve our culture could negatively affect our future success, including our ability to retain and recruit personnel and to effectively focus on and pursue our corporate objectives.

Risks relating to our partners and service providers

If our Network Partners choose to partner with other providers of, or otherwise reduce offering or cease to offer, our products and services, our business could be materially and adversely affected.

Our business increasingly depends on our Network Partners' willingness to partner with us to offer their customers and/or employees our products and services. In particular, certain of our Network Partners enjoy significant market share in various geographic regions. In other geographies, we have multiple Network Partners that compete against each other for the same business, which at times results in our inability to bid for certain business or in us upsetting a Network Partner that we choose not to partner with in a certain bid or that expects us to bid exclusively with them. If these Network Partners choose to instead partner with our competitors, or otherwise reduce offering, or cease to offer, our products and services, our results of operations, business, and prospects could be materially adversely affected.

A change in relationship with our bank identification number sponsor, or the failure by our sponsor to comply with certain banking regulations, could materially and adversely affect our business.

We rely on a single bank identification number ("BIN") sponsor in relation to the payment cards we issue. A BIN sponsor is a bank or credit union that provides the BIN that allows a prepaid card program to run on one of the major card brand networks (e.g., VISA, MasterCard, Discover, or American Express). Our BIN sponsor enables us to link the payment cards that we offer our members to the VISA network, thereby allowing our members to use our payment cards to pay for expenses with a "swipe" of the card. If any material adverse event were to affect our BIN

Disclaimer

HealthEquity Inc. published this content on May 14, 2026, and is solely responsible for the information contained herein. Distributed via Public Technologies (PUBT), unedited and unaltered, on May 14, 2026 at 18:23 UTC.