Podcast - Understanding FOCI Mitigation
The 10th episode of "Are We All Clear? Facilitating Security Clearances" explores the mitigation of foreign ownership, control or influence (FOCI) in a cleared company. Host Molly O'Casey and International Trade attorney Andrew McAllister cover key topics in this area, including the implications of FOCI for companies that have obtained facility security clearances, common issues faced by companies in relation to FOCI, monitoring and enforcement of FOCI issues, strategies for companies navigating this process with the Defense Counterintelligence and Security Agency (DCSA) and recent developments in this area.
Listen and subscribe on Amazon.
Listen and subscribe on Apple Podcasts.
Listen and subscribe on SoundCloud.
Listen and subscribe on Spotify.
Watch and subscribe on YouTube.
Molly O'Casey: Welcome to the 10th episode of "Are We All Clear," the podcast on facilitating security clearances. I'm your host, Molly O'Casey, an international trade associate with Holland & Knight's Washington, D.C., office. Today's episode will discuss the mitigation of foreign ownership, control or influence, also known as FOCI, of a cleared company. Today's speaker is Andrew McAllister. Andrew is a partner in the International Trade Group based out of Washington, D.C. Welcome back to the podcast, Andrew.
Andrew McAllister: Thanks, Molly. It's great to be back. This is becoming sort of a regular standing appointment for me, so I'm enjoying that.
Molly O'Casey: Yeah. Happy to catch up every few weeks. As a starting point, can you tell us a little bit about FOCI generally?
Andrew McAllister: Yes. So FOCI, F-O-C-I, stands for foreign ownership, control or influence, and essentially it refers to a circumstance in which the degree of ownership, control or influence over a company that has obtained or is going to obtain a facility security clearance by a foreign interest, is such that it may adversely affect either the performance of classified contracts or raise the risk for unauthorized access to classified information. So just one point that I think is important is we always think logically about, oh, FOCI, we want to make sure that we protect the classified information as best we can. But as I mentioned previously, there's sort of a second aspect of it, which is, is that foreign interest somehow altering or affecting the ability to perform unclassified contracts?
Molly O'Casey: Right. And what are the implications of FOCI for cleared companies, i.e. the companies that have received facilities security clearances?
Andrew McAllister: Yeah. So as we've sort of discussed in prior episodes of the podcast, you know, there are instances where basically the foreign ownership, control or influence presents some kind of risk. And so, right, the risk can happen in a variety of ways, both in relation to the cleared company, but also things like who is the company owned by? What's its parent companies? What's its subsidiaries? And then things that are sometimes a little bit more difficult to get your arms around, which are, you know, what are the nature of its foreign contracts? What does it have in terms of debt to foreign persons? Right. If a company has a, you know, $20 million debt instrument that's held by a foreign company, well, clearly that foreign company may have some ability or triggering mechanism to, you know, whether it's convert the debt in the equity, whether it's some kind of power over maybe how the company operates. So again, there's a lot of different tentacles to FOCI.
Molly O'Casey: Right. And given that the point of obtaining an FCL is frequently to become a government contractor and gain access to classified information, you want to avoid a scenario in which some kind of foreign ownership, influence or control is able to compromise the company's operations, which could then present a national security issue. Right?
Andrew McAllister: Perfect, you've got it. Which is, you know, the main thing that we're looking out for, is unmitigated FOCI, from the government's perspective, is really grounds either not to grant the facility security clearance or terminate the clearance. So obviously these are key important issues.
Molly O'Casey: And that dovetails nicely into my next question, which is, how do companies tend to run into issues with FOCI?
Andrew McAllister: Yeah. So two general scenarios that we come across the most. One is you have an existing cleared contractor that holds an FCL and they're in the process of undergoing some kind of transaction. Let's say they're being acquired by a French company. And so it would arise in the context of that potential transaction. And so the cleared contractor would need to notify DCSA of the fact that they have essentially entered into negotiations for the transaction. So that's one scenario. The other is sometimes you have companies that are applying for facility clearance for the first time and they have some kind of foreign ownership, or they have a significant, you know, debt instrument held by a foreign company, or maybe their largest customer, that's an overwhelming amount of their revenue, is also a foreign company.
Molly O'Casey: And we'll come back to mitigation because I doubt that's a straightforward process. But in the meantime, and I suspect 10 episodes in, we kind of know the general answer to this question, but how are issues around FOCI monitored and enforced? Who's the relevant government party?
Andrew McAllister: Well, first of all, I would put a plug in for the fact that our prior 10 episodes do a great job of covering many of these issues and hit on this one as well. So certainly encourage the audience to go back and listen to those other episodes. But essentially, again, it's the Department of Defense's Defense Counterintelligence and Security Agency that administers the FOCI program. And so, right, essentially, it's the DCSA's Due Diligence Unit to assess facilities for these FOCI vulnerabilities and then to recommend strategies for mitigating the risk to the satisfaction of the U.S. government. And so within, again, the DCSA structure, there's also the Risk Mitigation Unit or RMU that performs a function to develop and implement sort of the appropriate mitigation instrument, such that the government is confident and comfortable that there's no unmitigated FOCI.
Molly O'Casey: DCSA's DDU and RMU. Fun times.
Andrew McAllister: Exactly.
Molly O'Casey: What's a good starting point for a company trying to address these issues? Is there a good reference document out there?
Andrew McAllister: Yes. So there's actually a document, and this was the subject of one of our prior episodes, called the Standard Form 328, or SF-328, certificate pertaining to foreign interest. It's really a seemingly simple document of 10 questions, but there are a lot of nuances and a lot of different ways or forks in the road that come up with respect to those 10 questions.
Molly O'Casey: And as you said, we covered some of these already in an earlier episode. But do you mind highlighting a few of the questions that are important to FOCI?
Andrew McAllister: Yeah, exactly. And so, again, there's sort of 10 questions. A couple that I would point to is, which I mentioned a bit earlier, is, you know, does your organization have any contracts, agreements, understandings or arrangements with a foreign person? So that's any contract. You could have a supply agreement with a foreign person. You could have a sales agreement where you're selling goods or services to a foreign person. And just to be clear, a foreign person would include a U.S. subsidiary of a foreign company. So a U.S. subsidiary of a French company is deemed to be a foreign person. Two others, which are, you know, again, related, it's about revenues or net income from a single foreign person. And then sometimes you have instances where maybe a company has non-U.S. citizens that serve in some kind of director or other senior management role.
Molly O'Casey: Are there any implications for dual citizens if you're a U.S. citizen and a non-U.S. citizen?
Andrew McAllister: Yes. So if you are a U.S. citizen, then you're treated as a, you know, U.S. person. And so, again, dual nationals, for instance, are eligible for clearances. And so it's an area you want to be careful about. You want to be mindful of. But a dual citizen is treated as a, you know, U.S. person, U.S. citizen under the rules.
Molly O'Casey: So it sounds like it really is the degree of foreign ownership, control or influence. It's not a binary situation, which raises the question of how much FOCI is too much FOCI?
Andrew McAllister: Yeah. And so, again, different levels of FOCI may necessitate sort of different levels of mitigation. And so one of the questions on the SF-328 talks about foreign ownership or foreign participation in the capital of the company. And so you have to report anything above 5 percent. And so that doesn't automatically mean that you're going to be subject to a significant FOCI mitigation. But it's more the U.S. government wants to make sure they know and understand that sort of foreign ownership and control. And so, right, you may have instances where a foreign person owns 40 percent of a company, but it's a passive investment where they're really just providing capital contributions. That is different and less of a concern than another situation where a foreign company may own 25 percent of the cleared contractor, but that 25 percent entitles them to representation on the company board.
Molly O'Casey: So unfortunately, you can't just plug and play the numbers. You got to consider the broader implications for how the cleared company functions.
Andrew McAllister: Yes, exactly. As I sort of mentioned, you could have different levels of foreign ownership that have, you know, differing impacts on how much mitigation is necessary. So, yes, it's a detailed, sort of whole-of-the-company-type analysis.
Molly O'Casey: Can you walk us through some of the mitigation strategies?
Andrew McAllister: Yeah, absolutely. So, for instance, let's take a look at instances where a foreign person obtains or is going to obtain full ownership or control over a U.S. company. The two forms that you see in that context are what are referred to as a proxy agreement, and the other one is a special security agreement. And so, again, we're going sort of in descending order. So the proxy agreement is the most onerous and stringent. And then we sort of move down the ladder to the special security agreement. Another rung down the ladder is the security control agreement. And so that might be a situation where the foreign owner has representation on the company board, but it's a minority interest. So, again, 25 percent ownership, maybe one board seat out of four, certainly have an influence on how the business is run, how the cleared contractor operates and its government contracting space, but they don't have control over the entity. And so companies, and we work with clients in terms of, you know, trying to present to DCSA the most optimal FOCI mitigation plan. But as you might expect, the ultimate decision resides with the DCSA as to the mitigation necessary to satisfy the U.S. government.
Molly O'Casey: And is it usually a combination of these agreements, or does it tend to be one or the other?
Andrew McAllister: Yeah. So it's really one or the other. And so again the three I talked about above — proxy agreement, special security agreement and security control agreement, right — those are different possibilities depending on the level of FOCI. The fourth one that I didn't mention is also something called board resolutions. And that's sort of the, I would say, least onerous of the four mitigation instruments or primary mitigation instruments.
Molly O'Casey: And do they tend to be highly specialized to the company?
Andrew McAllister: Yeah. So each of these arrangements, there is a template that's available from DCSA. They're probably between 15 and 25 pages. So there is, for the proxy agreement, special security and security control agreement, so there is a template. And I would say generally, whatever mitigation instrument you are under, you are primarily or principally following that template in terms of the agreement that's signed to by the U.S. company, the cleared contractor, the foreign parent or foreign interest in DCSA. So not a ton of capability or ability to tailor or modify things in a particular way. That being said, DCSA will work with the company and sometimes there are intermediary documents where you might have, you know, a security control agreement that has some additional restrictions, but it doesn't rise to the level of a special security agreement.
So maybe I'll just quickly go through, you know, or at least relatively quickly go through the sort of four broad categories. Again, as I said, proxy agreement is the most restrictive FOCI mitigation method. And so, generally, the voting rights of the foreign owner are conveyed to proxy holders. And so, again, that's the most onerous because essentially the foreign owner is turning over the operation and management of the cleared company to disinterested proxy holders. And so there are only a few limitations on the proxy holder action. And so, meaning the proxy holders have lots of discretion to do what they believe to be in the best interest of the cleared company. But, you know, something like a sale or disposal of all or a substantial part of the U.S. entity's assets, that would require input from the foreign interests, right? The proxy holders have lots of power, but their power doesn't rise to the level of unlimited power. And so one of the advantages that companies seek for a proxy agreement is that it doesn't require something called a national interest determination. And so if the contractor, let's say, is bidding on work with the U.S. Navy, if they have a proxy agreement and let's say they have a French owner, they're able to directly compete, directly bid on that work without this sort of special determination that says, oh, a FOCI company is acceptable to bid on this work because the agency has made a determination that it's acceptable.
Turning to the special security agreement. One step down. So that essentially requires a few outside directors. And so I think that's going to be part of our next session. But special security agreement essentially consist of outside directors to sort of watch over the business operations, make sure that things are insulated from the foreign owner in a way that the cleared contractor is sort of operating separately without influence from the foreign persons. Security control agreement has a lot of similarities, but principally, there's, most of the time, one outside director instead of multiple outside directors. And so just to go back to one of the points I mentioned on the proxy agreement, under a special security agreement, the foreign person has more ability to see into the financial well-being of the cleared contractor, etc., but they also have to get those national interest determinations. So again, that's one of the downsides to the SSA, security control agreement.
And then the last thing is exclusionary board resolutions. So we principally see those in the context of things like U.S. equity investment funds. So maybe you have an equity fund that's managed by U.S. persons that own the cleared contractor. However, 80 percent of the capital from that fund comes from foreign persons. OK. Well, clearly the foreign persons indirectly own 80 percent. That being said, they don't really have any management or control capability. And so the exclusionary resolutions are the least restrictive in that really the companies recognize, understand and make, you know, representations to DCSA that the foreign person won't unduly influence the cleared contractor.
Molly O'Casey: Got it. So it sounds like, even though these agreements and resolutions are a bit formulaic, they're not necessarily specific to the company. Actually setting them up is pretty labor intensive.
Andrew McAllister: Yeah, I mean, it is. And so, again, there's these template agreements that all of the parties need to get comfortable with. And then moving to sort of the next area, there are also the supplements. And so I would say the supplements tend to be much more tailored to the company. And so the supplements include things like unaffiliated operations plan, technology control plan, electronic communication plan, visitor access plan and facility location plan. And so again, those affiliated operations, as an example, well, let's say that your cleared contractor and the French parent company both use the same tax accounting firm. OK. Well, if they use the same tax accounting firm, then in a way they are sharing a contractual relationship with that accounting firm. So you'd want to report, get approval, you would name the particular tax accounting firm, you would want to have separate engagements, etc. So I would say the supplements is when it gets much more down into the detail and particular circumstances of the cleared contractor.
Molly O'Casey: All right. Well, I know we're going to discuss that in more detail in a later episode, so I won't ask you too many more questions on that.
Andrew McAllister: Yeah. We don't want to spoil the fun for the next episode.
Molly O'Casey: Have there been any recent developments in this area?
Andrew McAllister: Yeah. So I would say in recent years, DCSA has shifted its focus from sort of the ownership analysis of FOCI to be much more holistic. And again, it goes back to that SF-328 form. And DCSA is looking closely at the control and influence aspects. Those are sometimes more difficult to see and understand, but again, could be something like a dedicated supply chain arrangement with a foreign company. It could be, again, some kind of debt instrument that triggers potential equity or interest, accruing to the lender. And so these are really sort of a case-by-case, specific circumstances analysis. And so I would say that continues to evolve, you know, things like cybersecurity risk. That's a big thing, a hot item at the moment. And then earlier this year in May, the DOD issued an instruction implementing the policies and procedures that DOD will use to identify contractors requiring FOCI determinations. And so again, this comes as part of that continued focus on government supply chain security and FOCI concerns, including aspects of less sensitive unclassified contracts. And I would say that document gives us some insight into sort of the direction that DOD is headed.
Molly O'Casey: Interesting. Well, thank you for coming on and discussing FOCI with us, Andrew.
Andrew McAllister: Yeah. No problem. It's been great.
Molly O'Casey: This area is full of acronyms. This week's episode had a few new ones, I think, which were foreign ownership, control or influence, also known as FOCI. DCSA's Due Diligence Unit, known as DDU. DCSA's Risk Management Unit, known as RMU. A security control agreement, or SCA. A special security agreement, or SSA. And a national interest determination, or NID. Each episode, we ask our speaker to explain an acronym that featured in the episode with wrong answers only. Andrew, would you like to choose an acronym?
Andrew McAllister: So mine is a slightly wrong answer, but I think it's important enough that I'm going to go with it anyway, which is DDU, due diligence up front, meaning DO diligence up front. Because, again, with the foreign ownership, control or influence, it's important if you're going through a transaction to understand what you might be stepping into. Who is the potential foreign buyer? What do they have in terms of FOCI? Are you asking the right questions? Or, hey, we're going through a facility clearance for the first time, we need to understand our foreign owner from the beginning, and some of these questions are uncomfortable. The foreign owner is often not volunteering this information without inquisitive questions. So again, due diligence up front.
Molly O'Casey: I like it. Well, thank you very much for coming on today.
Andrew McAllister: Great. Thanks again. Molly.
Molly O'Casey: On our next episode, we will be continuing the discussion on FOCI by going into outside disinterested individuals that oversee FOCI mitigation instruments. I hope everyone has a great week in the meantime.