Responding to CFIUS follow-up questions: A guide to building trust
This week, two CFIUS experts at Berkeley Research Group, Harry G. Broadman and Steve Klemencic, provide insights on responding to information requests from the Committee. According to Broadman and Klemencic, trust and transparency are crucial. “Failure to establish trust may jeopardize successful reviews of even the most benign of transactions.”
As most Foreign Investment Watch readers know, the initial information requirements for a voluntary notice are quite significant; with over one hundred information items required, the filing is very detailed and covers both the U.S. target and the foreign investor.
Among the required contents of voluntary filings are extensive details on the transaction, the entities involved, board composition, government contracts, cybersecurity policies, maintenance of sensitive personal data, relationships to foreign governments, org charts (both preand post-transaction) and more.
And while the initial information requirements for a declaration are shorter, the list is still quite significant.
These data points form the cornerstone of CFIUS’s data collection process, enabling the Committee to answer key questions that help determine whether it can clear a particular transaction.
However, what many readers don’t know is that CFIUS often requests additional information that goes far beyond the initial information requirements. In fact, notices and declarations are simply a baseline for CFIUS to begin its review — they are the start, not the finish.
While it’s true that, in some instances, the initial information requirements alone are sufficient for CFIUS to make a determination, in most cases the Committee and its co-leads pose additional questions. It goes without saying that responding accurately and fully builds trust with CFIUS; trust is the currency on which the likelihood of a successful review can be built.
In a recent conversation with the editors of Foreign Investment Watch, we discussed follow-up questions regularly posed by CFIUS. Based on our 30 years of collective experience serving on, and working with, CFIUS, here are the “top two” most frequently asked categories of questions that companies should be prepared to answer:
1. Nature, Scope and Duration
With respect to the foreign investor, CFIUS is often concerned with the details of where else — and with whom else — in the world business is carried out.
Often framed as “nature, scope and duration of business activities,” CFIUS has been known to ask detailed questions regarding dates of activity, identities of subsidiaries, associates, and agents with which work is currently or was previously performed.
Not surprisingly, the Committee will want to know the identities and associations of individuals and entities with whom business took place related to countries that the Commerce Department considers “foreign adversaries,” including China, Russia, Iran, North Korea, and others.
For those countries, companies should be prepared to address how compliance was met with U.S. laws and regulations, including Export Administration Regulations, International Traffic in Arms Regulations, other applicable multilateral export control regimes, as well as sanctions administered by the Office of Foreign Assets Control.
CFIUS will often want to see documentation of the corporate compliance program policies, procedures, and associated documentation, such as program reviews, assessments, audits, and more.
In the case of Iran, it will want to assess compliance with the UN Security Council Resolutions relevant to that country.
Overall, CFIUS will appraise how compliance in those problematic countries was achieved, and — if the intent is to continue operating in those countries after the transaction under review closes — how compliance will be maintained.
2. Date Related to National Security Vulnerabilities
In the case of the U.S. target, CFIUS will want to understand the national-security related vulnerabilities associated with the transaction.
Although CFIUS personnel are not experts in every industry, they must be able understand how U.S. national security would be impacted if the technology, data, and other factors are exploited or compromised by foreign adversaries.
To this end, CFIUS’s focus is on “the data.” It will want to know in detail what data are being held (i.e., personally identifiable information, personal health information, etc.); where and how the data are being held; who specifically has access to the data; and even how the data are formatted.
Based on our experience, with respect to the U.S. target’s business and operations, CFIUS will want some of the items below. And please note that for each of these, a basic list will not suffice: Lists should be ranked by revenue, with details for each. Companies should also be prepared to deliver contracts or agreements with customers and suppliers so CFIUS can understand foreign influence or impact of supply-chain disruptions:
• A full and complete list of U.S. government customers;
• The top ten suppliers by revenue (with details and data, as noted above);
• The top ten customers by revenue (again, with details and data);
• The top five debt holders (with details);
• Estimate of U.S. market share (with the data to support your assumptions);
• Estimate of annual revenue spent on research and development (with detail);
• Security policies and procedures (cybersecurity, physical security, etc., if not already submitted);
• Export control compliance program policies, procedures, and audit history (if applicable).
Final Thoughts Based on our experience, here are four more quick “words to the wise”:
• Be transparent —Whether you are the foreign investor or U.S. target, be forthcoming in your dealings with CFIUS.
• Be complete — Do not try to parse answers to questions. Answer them fully and completely.
• Be prepared — Be forewarned that, in some cases — with the support of the U.S. intelligence community — CFIUS may already know the answers to its questions; the Committee just wants to “test” its respondents.
• Be truthful — CFIUS must be able to trust what you and your team say, and the information you provide. Without trust, you will have a difficult time getting through the review.