A recent Wall Street Journal article described how the Committee on Foreign Investment in the U.S. (“CFIUS;” “the Committee”) is using its expanded monitoring and enforcement capabilities to investigate transactions that were not submitted for review prior to closing (“non-notified transactions”). While many transactions are now subject to a mandatory filing requirement (which is principally based on the export control status of the U.S. business’ technologies), the decision to file most cross-border M&A transactions continues to be in the hands of the transaction parties in the first instance. However, there are many reasons why a transaction may pose potential national security concerns, even though it is not subject to a mandatory filing requirement. For example, the sensitive knowhow of the company may not be suitable for regulation using export controls; the technology may be too early stage; the risk may relate to supply to the government; the risk may relate to sensitive government, corporate, or personal information; or the risk may be tied to the profile of the specific investor.
Although CFIUS actions against non-notified transactions are nothing new, the Wall Street Journal article and other media reports suggest that companies—particularly Chinese technology companies—have seen a marked increase in the number inquiries from the U.S. Department of the Treasury (“Treasury”) about past deals, some of which closed years ago. When combined with the fact that a transaction remains with CFIUS jurisdiction indefinitely, absent CFIUS having cleared the transaction, these enhanced monitoring and enforcement capabilities place an even higher premium on understanding how CFIUS thinks about national security risk and identifying nonobvious risks in your deal before CFIUS does.
Hasn’t CFIUS always had the ability to review non-notified transactions?
Yes, but now its bite matches its bark. The lack of resources needed to effectively monitor the vastness of U.S. deal flow has long been viewed as a vulnerability of CFIUS’s primarily voluntary filing regime. For nearly a decade, the task of identifying non-notified transactions and referring them to CFIUS was primarily performed by “Project Iceberg,” an interagency working group led by the Federal Bureau of Investigation. However, converting a non-notified referral into a request for a filing requires making a preliminary finding of both jurisdiction and a national security risk, which could previously only be accomplished by diverting or dual-hatting personnel working active cases. More personnel at Treasury and other CFIUS member agencies dedicated to monitoring and enforcement breaks this bottleneck, resulting in more non-notified transactions being identified and more identified transactions being called in.
But surely CFIUS won’t notice my small, private deal.
Don’t be so certain. While it is undoubtedly easier for CFIUS to monitor large public deals, it has a variety of resources at its disposal to identify small, private, and early stage transactions. This includes numerous deal databases that track private deals and identify investors even if the percentage investment is not publicly known. It includes customers, suppliers, and employees who may approach CFIUS directly or through a Member of Congress. It also includes a tip line that can used to anonymously alert CFIUS to deals that might not appear in open sources.
Okay, but even if CFIUS identifies my deal, it doesn’t pose any risk to national security.
The problem with nonobvious risks is the nonobvious part. CFIUS’s flexible concept of national security can make it difficult for those not familiar with the Committee to identify the nonobvious risks that might be lurking in a deal. Relying on input from top subject matter experts in the U.S. government and Intelligence Community, CFIUS has identified national security risks in deals involving companies focused on LED lightbulbs, specialty insurance, inflight entertainment, and hotel property management software. It is also important to remember that CFIUS does not have a de minimis exception when it comes to national security risk. A business unit can represent half a percent of total transaction value and account for 100 percent of your CFIUS regulatory risk. Additionally, it is important to think about how the business may evolve into a national security risk over time (e.g., musical.ly was not viewed as much of a risk until it was acquired by ByteDance and merged into TikTok).
However, just because CFIUS contacts the parties about a transaction does not mean it ultimately will take action. In many cases CFIUS informally requests that parties submit additional information voluntarily and that is the extent of the inquiry. In other cases though, it has resulted in post-closing divestiture orders on terms acceptable to CFIUS.
So Big CFIUS is watching me, how can I manage the regulatory risk to my deal?
Talk with someone who knows how CFIUS views national security risk. A voluntary filing can provide the assurance of safe harbor and eliminate the risk of being called in post-closing, but it also comes with costs in terms of time, money, and, potentially, CFIUS mitigation. The potential concerns that CFIUS may have and how CFIUS may seek to resolve such concerns informs both the decision as to whether to file on a voluntary basis and how to allocate CFIUS risk between the transaction parties. Depth of insight and experience with CFIUS and U.S. national security considerations are key to making these assessments.