Article – Compliance Considerations
Compliance Considerations for Navigating Parallel CFIUS and FOCI Reviews
Foreign direct investment in the United States has long been subject to scrutiny by the U.S. government in the interest of national security, but generally applied to the defense sector. This is no longer the case. More U.S. companies across more industries involved in transactions with foreign investors must be prepared to face government reviews, and many for the very first time.
As mandated under Section 847 of the FY 2020 National Defense Authorization Act (NDAA), the Department of Defense (DoD) is preparing to publish in 2026 a Defense Federal Acquisition Regulation Supplement (DFARS) clause that will significantly expand the scope of federal contractors and subcontractors subject to foreign ownership, control, or influence (FOCI) reviews by the DoD’s Defense Counterintelligence and Security agency (DCSA).
It’s estimated that the number of FOCI reviews will increase from approximately 2,000 to 41,000 companies, adding additional security requirements for up to $200 billion worth of acquisitions that currently don’t require FOCI vetting.
A U.S. company is considered “under FOCI” when a foreign interest has the power, directly or indirectly, to influence the U.S. company’s management or operations in a manner that could result in unauthorized access to sensitive and classified information; or could adversely affect management’s ability to perform on the contract. The new DFARS clause would require existing or prospective contractors and subcontractors participating in contracts, subcontracts, or defense research assistance awards valued at over $5 million to disclose their beneficial ownership and FOCI information; and undergo periodic reassessments of their compliance with FOCI disclosure requirements whenever a “changed condition” is submitted to ensure ongoing monitoring of FOCI risk.
Current FOCI vetting requirements would be expanded to include pre-award contracts and non-classified contracts, no longer just to contractors that hold a facility security clearance (FSC). “For the Defense Industrial Base, this will mean a tougher look and additional scrutiny for unclassified contracts,” the DCSA stated.
CFIUS’s expanding role
At the same time, scrutiny is also heightening into foreign investments across a broader range of industries, including critical infrastructure, healthcare, agriculture, energy, and raw materials. This is where the Committee on Foreign Investment in the United States (CFIUS) is playing an increasingly critical role. An interagency committee chaired by Treasury, CFIUS assesses, reviews and investigates transactions that could result in foreign control of a U.S. business to determine whether it poses a national security risk.
In February 2020, CFIUS regulations implementing the Foreign Investment Risk Review Modernization Act of 2018 (FIRRMA) significantly broadened the scope of CFIUS’s review authority to cover certain non-controlling “covered investments” by foreign persons of U.S. businesses involved in critical technologies, critical infrastructure, or that maintain or collect sensitive personal data of U.S. citizens (collectively referred to as “TID U.S. businesses”); and certain real estate transactions by foreign persons near sensitive government facilities, airports, or maritime ports.
“Every year, thousands of transactions are potentially subject to CFIUS’s review, whereas the number of transactions that implicate DCSA [FOCI evaluations] is a tiny sliver of that,” said Stephen Heifetz, a partner in the National Security practice at Wilson Sonsini.
President Trump’s “America First Investment Policy” memorandum signaled that CFIUS’s review authority may be expanded further in relation to “greenfield” investments (i.e., the construction of new facilities by a foreign company); and in “emerging and foundational technologies.”
In remarks at the American Conference Institute’s (ACI) annual conference on CFIUS, Deputy Secretary of the Treasury Michael Faulkender said, “[D]istance and independence from foreign adversaries—and being able to verify this—is a core component of CFIUS’s risk analysis with respect to a foreign investor.”
Streamlined CFIUS reviews
On May 8, Treasury introduced a new “fast-track” pilot-program review process, with plans to launch a “Known Investor” portal, where CFIUS can collect foreign investor information earlier in the transaction process to improve efficiencies.
At the ACI event, Deputy Secretary Faulkender shared that Treasury is also considering ways to “share more information … about the types of risks that arise in certain transactions” and best practices for mitigating risks before a CFIUS review.
In rare instances, CFIUS will approve a transaction but adopt mitigation agreements to address any national security concerns. According to CFIUS’s 2023 Annual Report to Congress, CFIUS adopted mitigation agreements in only 35 of 233 covered transactions. These numbers may decline further, however, as the Trump administration seeks to cease the use of “overly bureaucratic, complex, and open-ended mitigation agreements,” according to the memorandum.
If CFIUS determines that a transaction poses unresolved national security risks that mitigation measures don’t adequately resolve, it may refer the transaction to the President, unless the parties choose to withdraw and abandon the transaction. In rare cases, the President may suspend or prohibit the transaction, including requiring divestment.
Compliance best practices
As members of CFIUS, Treasury and the DoD, along with many other member agencies, closely coordinate with one another, so a FOCI review may also trigger a parallel CFIUS assessment, review, or investigation, such as when a foreign acquired U.S. business requires access to classified information.
These parallel reviews involve separate processes, time constraints, and demand different compliance responses. Below are some best practices to consider when navigating the review process.
Consider the timeline of a review, and prepare accordingly. The review process often impacts the timing and likelihood of a transaction closing. “If going through a review, it almost always takes longer than you think it will,” Heifetz said. This applies to both CFIUS reviews and mandatory FOCI reviews, and especially if a company faces both. “You need to do a lot of planning and really think through the timeline,” he said.
Know the beneficial owners. Current and prospective federal contractors and subcontractors under FOCI should proactively prepare to disclose their beneficial ownership and FOCI information in compliance with the new DFARS clause. Especially for contractors and subcontractors that have never undergone a FOCI review, should be prepared to evaluate or reevaluate, and have a firm grasp on, the beneficial ownership structure of the company, as they may now face FOCI evaluations for the very first time.
Weigh the pros and cons of filing a voluntary CFIUS notice. Most CFIUS transactions don’t trigger a mandatory filing. Typically, parties voluntarily file a notice or submit a short-form declaration notifying CFIUS of an investment to receive a “safe harbor” letter, reducing the risk of a CFIUS review.
Over the past few years, heightened scrutiny over foreign investment has made the CFIUS review process more complex, time-consuming, and costly, from a legal review standpoint and from a pre- and post-closing compliance burden standpoint, Heifetz noted. Companies should seek the assistance of counsel, as deciding whether to file a CFIUS notice is a highly complex decision, he said.
Making a voluntary filing to CFIUS may not always make sense, “absent a likelihood that the U.S. government is going to have significant concerns about a transaction,” Heifetz added. “You really have to weigh the benefit you’re getting out of the CFIUS process versus the cost.”
For example, for small dollar transactions of less than $100 million, “CFIUS costs can become a material percentage of the deal value and therefore a significant deterrent to filing,” Heifetz said. “The delay associated with the CFIUS process also tends to be a more significant impediment for smaller transactions, because parties to smaller transactions usually hope to close those transactions quickly.”
“For venture capital investments, a delay of several weeks can be an acute problem, and the CFIUS process always lasts longer than that.”
Review CFIUS’s Enforcement and Penalty Guidelines. A final rule issued by Treasury last year increased the maximum monetary penalties CFIUS can impose from $250,000 to $5 million. And CFIUS can impose monetary penalties for various violations, including failure to timely submit a mandatory declaration or notice; non-compliance with CFIUS mitigation terms; or making material misstatements, omissions, or false certifications in CFIUS filings.
For compliance guidance, CFIUS’s annual reports to Congress highlight examples of mitigation measures commonly negotiated and adopted by transaction parties. CFIUS’s Enforcement and Penalty Guidelines serve as another helpful resource, informing legal and compliance teams of common compliance missteps resulting in enforcement actions; sources of information on which CFIUS relies; and examples of aggravating and mitigating factors CFIUS considers in responding to violations.
As Deputy Secretary Faulkender warned, “We will continue to hold responsible those companies that violate their obligations through our strengthened enforcement regime.”
ACI’s “8th National Forum on FOCI” will be held on Sept. 29–30 in Washington DC. For more information, and to register, please visit: https://www.americanconference.com/foci/