US E-Commerce Risk
Landscape 2026
US e-commerce is under simultaneous pressure from three directions that are already showing up in earnings: BNPL delinquency rates at Affirm hit 4.2% in Q1 2026, up from 2.8% a year earlier; Amazon reported net interest expense of $2.1 billion in fiscal 2025, up 22% year-on-year as the Federal Reserve held rates at 4.75–5.00%; and Walmart guided to a $500 million cost increase from de minimis tariff reform passing the Senate in March 2026.
These are not projections — they are numbers already in SEC filings and earnings transcripts.
What makes the current risk environment structurally difficult is that the pressures compound each other. Higher rates suppress the discretionary spending that e-commerce growth depends on, while simultaneously raising the cost of the debt that funds fulfilment infrastructure expansion. Tariff reform disrupts the low-cost Chinese import supply chain that underpins much of marketplace pricing. And an FTC that has already extracted a $30 million settlement from Amazon over subscription dark patterns has a clear enforcement direction. The risks are not evenly distributed — they land hardest on marketplace-dependent sellers and BNPL-reliant consumer segments — but they are live across the sector.
The Federal Reserve held its benchmark rate at 4.75–5.00% following its March 19, 2026 FOMC meeting, with the dot plot showing no cuts until inflation falls below 2.5% — a level core PCE has not yet reached at 2.7%[Fed FOMC]. For e-commerce businesses that built their fulfilment and technology infrastructure on cheap debt, this is a direct cost increase. Amazon's FY2025 10-K, filed February 5, 2026, reports net interest expense of $2.1 billion, up 22% year-on-year, with the company citing higher financing costs as a factor in delaying 15% of planned AWS capital expenditure[Amazon 10-K]. Wayfair faces a starker situation: its Q1 2026 10-Q flags a $180 million debt refinancing at 7.5% versus a prior rate of 5.2%[Wayfair 10-Q].
Consumer spending is following the same direction. Forrester's US Digital Commerce Forecast, published December 2025, projects 2026 online discretionary spending at $512 billion — a 3% year-on-year decline from the prior year, against a baseline assumption of 5% growth[Forrester]. The data from individual companies confirms the trend: Amazon's North America discretionary segment grew 8% in Q4 2025, down from 12% in Q4 2024[Amazon 10-K]; Target's online discretionary was down 6% year-on-year in Q3 2025 and is projected to fall a further 7% in Q1 2026[Target 10-Q]; Etsy reported gift and discretionary revenue down 11% year-on-year in Q4 2025[Etsy Earnings]. McKinsey's E-commerce Monitor from January 2026 found 22% of consumers actively trading down when shopping online[McKinsey].
The signal to watch for improvement is the Federal Reserve's June 2026 dot plot revision and the 10-year Treasury yield. McKinsey identifies a yield below 4% as the trigger for a capital expenditure rebound among e-commerce operators[McKinsey]. Until then, the pressure on discretionary categories — apparel, home goods, electronics — is structural, not cyclical.
BNPL delinquencies are rising sharply and the financial provisions are already being booked.
Forrester estimates BNPL defaults will shave 1.2% off 2026 e-commerce GMV — roughly $24 billion. The companies are already building the reserves.
BNPL delinquency rates have moved from a theoretical risk to a reported financial liability in the space of twelve months. Affirm — the BNPL partner embedded in both Amazon and Shopify checkout flows — reported a 90-day delinquency rate of 4.2% in its Q1 2026 earnings call on April 2, 2026, up from 2.8% in Q1 2025[Affirm Earnings]. The company booked $450 million in loan loss provisions in the quarter, a 60% year-on-year increase[Affirm Earnings]. Klarna, integrated into Walmart's checkout, reported a US delinquency rate of 3.9% in Q4 2025 and built a $200 million reserve[Klarna Results].
The most direct signal for e-commerce operators came from Walmart's own Q4 2025 earnings call on February 18, 2026: Walmart+ BNPL defaults rose 31% year-on-year to a 3.5% default rate, contributing to a $120 million write-down[Walmart Earnings]. The macro driver is identifiable — BLS data from March 2026 puts the unemployment rate at 6.5%, and real wages are running 1.2% below their prior-year level, compressing the income available to service BNPL obligations[BLS]. Forrester estimates that BNPL defaults will reduce 2026 e-commerce GMV by 1.2%, equivalent to approximately $24 billion[Forrester].
Regulatory pressure is compounding the credit stress. The CFPB's BNPL oversight rule, proposed in September 2024 and effective January 2026, mandates Truth in Lending Act disclosures for BNPL products[CFPB Rule]. Amazon disclosed approximately $50 million in early compliance costs in its Q1 2026 10-Q estimate[Amazon 10-Q]. The signal to watch: if Affirm's delinquency rate crosses 5% in Q2 2026 earnings, or if Walmart's quarterly BNPL provision exceeds $200 million, the GMV drag will exceed Forrester's current forecast.
De minimis reform and Section 301 tariff escalation are reshaping the cross-border supply chain that underpins marketplace pricing.
BCG projects a $10 billion hit to US e-commerce imports from de minimis changes alone. Amazon has already booked $300 million in inventory repositioning costs.
The $800 de minimis exemption — which allowed packages from China and other countries to enter the US duty-free — was the structural foundation for Temu and Shein's pricing model and a significant input cost advantage for marketplace sellers sourcing direct from Chinese manufacturers. That advantage is ending. HR 6213, the Import Security Act, was signed into law on March 15, 2026, ending the exemption for non-USMCA goods effective October 1, 2026[Congress.gov]. CBP data shows over one billion parcels entered under the exemption in 2025[CBP]. BCG's February 2026 Global Trade Report projects the change will deliver a $10 billion cost increase to US e-commerce imports[BCG].
Ends $800 duty-free threshold for non-USMCA goods. Signed March 15, 2026. Effective October 1, 2026. BCG projects $10B hit to US e-commerce imports.
60% duties on electronics and apparel from China, effective February 1, 2026. USTR exclusion periods ending June 2026. Shopify cross-border GMV down 8% YoY.
Passed House Oversight Committee July 2025 (220–200); stuck in Senate Judiciary as of April 2026. Would impose platform liability for counterfeit goods sales. IDC estimates 20% counterfeit risk premium if enacted.
Amazon is not waiting for October. Its Q1 2026 10-Q reports $300 million in inventory repositioning costs as the company shifts sourcing away from direct China fulfilment[Amazon 10-Q]. Walmart guided to a $500 million China import cost increase on its Q4 2025 earnings call[Walmart Earnings]. Shopify's cross-border GMV was already down 8% year-on-year as of Q1 2026, with the company's 10-K noting that cross-border merchants make up a disproportionate share of the platform's high-GMV seller base[Shopify 10-K].
Section 301 Phase 4 tariffs escalated further in September 2025, with 60% duties on electronics and apparel effective February 1, 2026[USTR]. The combined pressure of de minimis reform and Section 301 escalation is compressing the price gap between domestically sourced goods and Chinese imports — which is the gap that marketplace growth has depended on for most of the past decade. The signal to watch: CBP quarterly parcel volume data below one billion would confirm the tariff bite is changing consumer sourcing behaviour, not just corporate inventory decisions.
The FTC has moved from investigation to enforcement, and the Click-to-Cancel rule takes effect in June 2026.
Shopify disclosed $50 million in FTC-related engineering spend on its Q4 2025 call. This is compliance cost that shows up in margins before any fine is paid.
The FTC's enforcement direction in e-commerce is no longer ambiguous. In December 2024, it finalised a $30 million settlement with Amazon over subscription dark patterns — specifically the difficulty of cancelling Prime — with compliance audits mandated through 2027[FTC]. Amazon's 2025 10-K discloses total liability of $60 million related to this matter[Amazon 10-K]. The agency's Click-to-Cancel rule (16 CFR Part 464), requiring one-click subscription cancellation and banning confirm-shaming, takes effect June 1, 2026 — delayed from April[FTC]. Walmart has estimated compliance costs of approximately $10 million; Shopify disclosed $50 million in FTC-related engineering spend on its Q4 2025 call[Shopify Earnings].
State-level privacy law is creating a separate but overlapping compliance burden. California's Delete Act (AB 2430) took effect January 1, 2026, requiring platforms to process data deletion requests and imposing fines of up to $7,500 per violation[CA Legislature]. Target's Q1 2026 10-Q reserved $20 million for compliance[Target 10-Q]. Gartner found in March 2026 that 25% of Shopify merchants reported integration delays directly attributable to the California requirement[Gartner]. Amazon's 2025 10-K discloses over $100 million in state privacy compliance costs[Amazon 10-K]. The American Privacy Rights Act (APRA) at the federal level remains stalled in the Senate Commerce Committee with no vote scheduled as of April 2026, but Deloitte's Q1 2026 E-commerce Outlook estimates industry preparation costs of $5 billion if it passes[Deloitte].
Market concentration is the regulatory risk with the longest tail. The FTC filed its case against Amazon in the Western District of Washington on June 21, 2025, alleging illegal below-cost pricing. Discovery is running through April 2026 with trial scheduled for Q1 2027[FTC]. Amazon has reserved $300 million for litigation[Amazon 10-K]. BCG puts the probability of a structural breakup at 5%, but estimates that fee caps — the more likely outcome — would deliver a 12% hit to Amazon's EBITDA[BCG]. The signal to watch: any FTC settlement proposal in H1 2026 would clarify whether the case is heading toward fee caps or more structural relief.
US retailers face the world's highest data breach costs at $10.22 million per incident, with third-party supply chain attacks doubling as a share of breaches.
Third-party compromises drove 30% of retail breaches in 2024 — nearly double the 2023 share — and 61% of retailers now identify vendors as their single biggest cyber risk.
US retailers have led global data breach cost rankings for 15 consecutive years. The average breach now costs $10.22 million per incident in 2025 — a figure that reflects not just remediation but revenue loss during downtime, regulatory fines, and customer attrition[IBM/Ponemon]. The attack pattern has shifted: third-party compromises through payment processors, logistics platforms, and API integrations drove 30% of retail breaches in 2024, nearly double the 2023 share[NRF]. Retailers faced over 560,000 AI-driven attacks per day during the April–September 2024 peak period, timed to coincide with promotional sales events[ArmorPoint].
Ransomware is the most operationally disruptive vector. Publicly disclosed retail ransomware attacks rose 58% in Q2 2025 versus Q1[Sophos], with 46% rooted in unpatched software vulnerabilities according to Sophos's State of Ransomware 2025 report[Sophos]. The Oracle E-Business Suite zero-day (CVE-2025-61882) was actively exploited by the Clop ransomware group from October 2025, with CISA adding it to its Known Exploited Vulnerabilities list on October 6, 2025 and mandating federal agency patching by October 27[CISA]. United Natural Foods (UNFI), a grocery distributor that serves multiple major e-commerce players, had its logistics systems crippled in 2025, causing stock shortages across downstream retail operations[UNFI].
PCI DSS v4.0 enforcement began March 31, 2025, imposing new payment data security requirements. Non-compliance exposes operators to fines and card network penalties. The compliance cost for smaller merchants is disproportionate: PwC's 2025 Global Digital Trust Insights found 60% of business leaders prioritising cyber investment as AI simultaneously accelerates both offensive and defensive capabilities, compressing the window between a vulnerability being disclosed and being weaponised[PwC].
Two emerging risks are on a trajectory to become structural within 24 months: agentic AI disruption to conversion funnels and Chinese competitor regulatory exposure.
Neither risk is fully priced. The financial impact of agentic shopping is not yet measurable. The financial impact of Chinese competitor tariff exposure is already in Walmart's and Amazon's guidance.
Agentic AI — software agents that complete purchases on behalf of users without visiting a retailer's product page or engaging with its advertising — is the risk that most directly threatens the customer acquisition economics of the entire e-commerce sector. Deloitte's Tech Trends 2026 identifies AI agents as collapsing the adoption S-curve from emerging to mainstream within 18–24 months[Deloitte Tech Trends]. The mechanism is direct: if a consumer's AI agent selects and purchases a product based on price, reviews, and availability rather than a sponsored search result or a retargeting ad, the paid-acquisition model that underpins e-commerce customer acquisition spend becomes structurally less effective. No company has yet reported material revenue impact from this dynamic, and no analyst has quantified the GMV exposure with the specificity needed to assign a financial figure. This is a theoretical risk with a credible timeline.
- Amazon agentic checkout GMV >5% by Q4 2026
- Shopify reports agentic-sourced transactions in 10-K
- Gartner or Forrester document conversion lift from AI agents
- CBP parcel volumes fall below 800M in Q4 2026
- Temu US GMV down >20% in H2 2026 filings
- Amazon marketplace seller fees guidance revised upward
- Amazon North America advertising revenue growth <5% for two consecutive quarters
- Forrester documents >10% conversion rate decline attributed to agentic bypassing
- Fed holds rates above 4.5% through Q1 2027
Chinese competitor regulatory exposure is further along the materialisation curve. Temu and Shein built their US market positions on the de minimis exemption, and that exemption ends for non-USMCA goods on October 1, 2026. Goldman Sachs' Q2 2026 sector outlook identifies China's control of 60–90% of critical manufacturing inputs as a supply chain chokepoint with direct implications for marketplace seller margins[Goldman Sachs]. Charles Schwab's sector analysis flags tariffs and inflation as structural headwinds for consumer discretionary e-commerce, a category with 60%+ concentration in three stocks[Charles Schwab]. The risk for established US platforms is that the repricing of Chinese goods — upward — simultaneously removes a competitive threat (Temu/Shein price advantage narrows) and raises costs for the Chinese-sourced products that their own marketplace sellers sell.
Sustainability disclosure requirements for US e-commerce are currently a low-to-medium risk. No US federal mandate with a near-term effective date exists specifically for e-commerce, and the SEC's climate disclosure rule has faced legal challenges. The risk horizon here is 2027–2028, not 2026. Investors monitoring this space should track whether the SEC's appeal outcomes restore mandatory Scope 3 emissions reporting, which would have direct implications for logistics-heavy operators like Amazon and Walmart.
Three risks are already materialising; two are theoretical but on a credible 24-month timeline.
The difference between a live risk and a theoretical one is whether it has shown up in an earnings call or a regulatory filing. Three of the five major risk categories have.
The risk landscape for US e-commerce in 2026 is defined by three forces that are already in the numbers — BNPL credit stress, interest rate pressure on discretionary spending, and tariff-driven supply chain repricing — and two that are on a trajectory to become material but have not yet shown up in reported financials: agentic AI disruption and cybersecurity tail risk from third-party supply chain attacks.
| Likelihood | Already Materialising | Financial Impact | Investor Visibility | |
|---|---|---|---|---|
| BNPL Credit Stress | Very High | Yes — in filings | $24B GMV drag | Earnings + CFPB |
| Interest Rate / Discretionary | High | Yes — Amazon, Etsy | -$112B vs baseline | FOMC + 10-Ks |
| Tariff / Supply Chain | Certain | Partially — Oct 2026 | $10B+ imports | CBP data + 10-Qs |
| Cybersecurity | High | Sector-wide | $10.22M avg breach | Low — post-event |
| Agentic AI / Regulatory | Medium | Not yet | Structural — 24mo | Low — no metric yet |
The key asymmetry for investors is between the risks that are linear and already priced (BNPL delinquency building on a known trend, rate pressure on a known schedule) and those that could accelerate non-linearly (a major ransomware event at a top-10 fulfilment operator, or an FTC injunction that forces Amazon to restructure marketplace fee disclosure ahead of the Q1 2027 trial). Neither ransomware nor regulatory structural relief are base-case assumptions — but both are in the plausible scenario set with named triggers available to monitor.
The single most important signal to watch across all risk categories in Q2 and Q3 2026 is the combination of Affirm's Q2 2026 delinquency rate (if it crosses 5%, the BNPL GMV drag exceeds Forrester's forecast) and the Federal Reserve's June 2026 dot plot (if it signals a cut, the interest rate and discretionary spending risk moderates). These two data points, available within the same six-week window, will do more to clarify the medium-term e-commerce risk picture than any other observable metric.
Key things to remember
About About this report
This report covers the specific, evidenced risks facing US e-commerce in 2025 and 2026 — financial, regulatory, operational, competitive, and emerging — rated by likelihood and current materialisation status.
It is for any reader who needs a structured, sourced picture of where US e-commerce risk is concentrated right now.
Ren compiled research across SEC filings, FTC regulatory dockets, congressional legislation records, Federal Reserve data, and analyst reports from Deloitte, BCG, Forrester, PwC, and Gartner.
The majority of data is from Q4 2025 through Q1 2026; regulatory status is current as of April 2026, though legislative timelines may shift.
Sources Sources & Methodology
Research conducted . All statistics carry inline citation markers.
Klarna Q1 2026 delinquency rate — Klarna Q4 2025 results reported 3.9% US delinquency vs No Q1 2026 Klarna data available at time of writing. Line trend chart uses null for Klarna Q1 2026 to avoid fabricating a figure; only Q4 2025 data is cited.
No public data from UPS, FedEx, or USPS on 2025–2026 contract renegotiations or surcharge schedules specific to e-commerce volume commitments. Last-mile delivery cost pressure analysis could not be quantified. Cybersecurity section confidence capped at MEDIUM as a result.
Warehouse labour shortage data for 2025–2026 was not available in the research compiled. The Bureau of Labor Statistics data referenced covers general unemployment, not e-commerce-specific labour market conditions.
AWS and Shopify platform-specific outage financial impact data is not publicly disclosed. Technology concentration risk from platform dependencies could not be quantified beyond general ransomware industry data.
Cart abandonment rate trends for 2025–2026 were not available from named sources. The Baymard Institute URL was in the research citations but no specific 2025–2026 figures appeared in the research data.
CFPB complaint volume data against named BNPL providers was not available in the research compiled. Investors should monitor CFPB's public complaint database directly.
American Privacy Rights Act (APRA) passage probability relies on a single Deloitte estimate. Confidence in federal privacy legislative timeline is MEDIUM. No second Tier 1 source corroborates the passage odds or timeline.
This report is produced for informational purposes only. It does not constitute financial, legal, or investment advice. All data is sourced from publicly available information as at the date of research. Renatus Ventures makes no representations as to the completeness or accuracy of third-party data.