Podcast - Analyzing the Overlap Between CFIUS and FOCI

Molly O'Casey: Welcome to the 16th episode of Are We All Clear? the podcast on facilitating security clearances. I'm your host, Molly O'Casey, an international trade associate with Holland & Knight's Washington, D.C., office. Today's episode will discuss overlap between actions by the Committee on Foreign Investment in the United States, or CFIUS, and Foreign Ownership, Control and Influence, or FOCI mitigation. We will discuss what CFIUS is and how it mitigates national security risks similar to FOCI mitigation. Today's speaker is Libby Bloxom. Libby is an associate with the International Trade Group in Holland & Knight's Dallas office, where she practices international trade. Welcome back to the podcast, Libby.

Libby Bloxom: Thanks, Molly. It's good to be back and looking forward to discussing CFIUS. I thought I'd never say that, but…

Molly O'Casey: We're glad to have you back. And we haven't really mentioned CFIUS on the podcast before, so I'm excited. Libby, what is CFIUS?

Libby Bloxom: CFIUS is, as you said, the Committee on Foreign Investment in the United States. It's an interagency committee, so it's chaired by the Secretary of the Treasury, made up of nine voting members. So that includes the Secretary of the Treasury, Secretaries of State, Defense, Homeland Security, Commerce and Energy, the Attorney General, U.S. Trade Representative and Director of the Office of Science and Technology Policy, the Secretary of Labor and Director of National Intelligence, or DNI, our non-voting ex officio members. Lastly, five White House offices observe or participate in CFIUS as appropriate, including in the Council of Economic Advisors and the National Security Council. The president can appoint other officials to serve on the committee on a case-by-case basis as well.

Molly O'Casey: It sounds like we've got every secretary there.

Libby Bloxom: Yes, and sometimes you have other officials listening in clandestinely from the Intelligence Committee, or IC.

Molly O'Casey: I really want to start humming the Mission Impossible theme song, but I'll refrain for all our sakes. What does CFIUS do?

Libby Bloxom: CFIUS oversees potential national security risks of Foreign Direct Investment or FDI in the U.S. economy. CFIUS' jurisdiction is quite broad and includes the purview of mergers, acquisitions and takeovers that could result in foreign control of a U.S. business. Its jurisdiction also covers certain non-controlling investments in businesses involved in critical technologies, critical infrastructure or sensitive personal data. We call these businesses TID U.S. business. CFIUS jurisdiction also covers certain real estate transactions that are near sensitive government facilities or airports or maritime ports. In short, CFIUS has broad jurisdiction to review transactions. Certain transactions trigger a mandatory filing requirement, but the majority of transactions are subject to a voluntary filing and making a voluntary filing is a business decision. It's tied to the foreign investors' risk tolerance.

Molly O'Casey: And what are the risks to those foreign investors that they consider when making the decision whether or not to report a transaction to CFIUS?

Libby Bloxom: Yeah, there's no statute of limitations with CFIUS. So CFIUS can open a post-closing review of any transaction it has jurisdiction over.

Molly O'Casey: That's a bummer.

Libby Bloxom: Yes. So if your party is subject to a voluntary filing requirement, and you do not file and close the transaction, later down the road, CFIUS can open a review and require the parties to file a CFIUS notice. And then the parties are subject to CFIUS' determination or assessment of any national security risks. A CFIUS review and approval is the only safe harbor. If CFIUS unwinds a transaction after it's closed or imposes a penalty for not filing, the foreign buyer would have to sell the company at a discount. These are extreme circumstances, I should preface. The foreign buyer would have to sell the company at a discount, which may result in financial losses or loss of revenue and the inability to repay a loan. There are also reputational risks at stake if the U.S. government is unwinding a transaction because there are too many national security risks. It may be difficult for the foreign investor to continue investing in the U.S. market.

Molly O'Casey: Got it. Those are some fairly serious consequences, especially if a penalty is involved. It seems like CFIUS enforcement has been on an uptick lately. In 2024, CFIUS launched an enforcement website with previous enforcement actions, and also last year, it imposed a record-setting $60 million penalty on a foreign-controlled U.S. telecommunications company.

Libby Bloxom: Yes, CFIUS is definitely even more of a watchdog these days.

Molly O'Casey: How do companies avoid getting these penalties when CFIUS reviews a transaction for national security risks? What happens?

Libby Bloxom: To answer your first question about how do companies avoid getting penalties, usually penalties are imposed when there's a mandatory filing requirement and the companies do not. So understanding whether you have a mandatory filing requirement is paramount in any transaction. When CFIUS finds national security risks or identifies risks, what CFIUS does depends on the level of risk present. So generally, when CFIUS is reviewing a transaction, CFIUS can approve a transaction, it can request parties to withdraw — meaning CFIUS is not going to approve the transaction — or it can refer the proposed transaction to the president with a recommendation to block the transaction. Referring the transaction to the president is rare. And most parties "voluntarily" —I say voluntarily with quotation marks around it, to indicate that it is not quite voluntary — that they voluntarily withdraw and abandon the proposed transaction before having it referred to the president.

Molly O'Casey: Right. It's only technically mandatory for pre-closing CFIUS filings if there are certain transactions involving a TID U.S. business.

Libby Bloxom: That's correct. And you know, the other option besides approve, deny, refer to the president, CFIUS can approve a transaction, but impose some type of mitigation. And in recent years, approximately 1 in 5 transactions that are filed with CFIUS are approved with mitigation. So, for example, in 2023, 21 percent of filed transactions were cleared with mitigation.

Molly O'Casey: Queue Pavlov: if I hear mitigation, I think FOCI. Would this be the moment where CFIUS and FOCI overlap?

Libby Bloxom: Yes, exactly. Both CFIUS and FOCI mitigation, the goal is to protect U.S. national security by managing influence over U.S. businesses, particularly those involved in critical industries and technologies. When a foreign investment triggers national security, it may require both a CFIUS review, which could result in mitigation, and if it's a cleared company, the implementation of FOCI mitigation.

Molly O'Casey: We've heard a lot about mitigation measures imposed by the Defense Counterintelligence and Security Agency, or DCSA, for FOCI. What types of mitigation can CFIUS impose on foreign investors?

Libby Bloxom: Mitigation measures are tailored to the identified risks, and they can vary from being minimal, such as requesting the parties provide supply assurances to continue providing certain products or services to the U.S. government, to a more invasive, like requiring termination of sensitive government contracts, imposing access controls regarding sensitive personal data and other security plans. They can require appointment of security officers and third-party monitors. They can appoint proxy boards made up only of U.S. citizens. The CFIUS can also require compliance audits and certifications. They can restructure the proposed transaction to remove any access or control from the foreign party.

Molly O'Casey: That sounds like a pretty broad discretion.

Libby Bloxom: Yes, CFIUS has very broad authority to negotiate, enter into or impose any agreement, condition or order with any party in assessing risk. CFIUS also considers whether other provisions of the regulatory landscape or law adequately address national security risk. For example, if you have a cleared U.S. company as the target in a transaction that is before CFIUS, CFIUS will assess whether the required FOCI mitigation will effectively mitigate the national security risks identified by CFIUS. Strong mitigation measures under FOCI may enhance a company's position during CFIUS reviews.

Molly O'Casey: Interesting. And given the potential to impact transactions, how much can parties impact the outcome here? Can companies predict mitigation measures or what CFIUS may do?

Libby Bloxom: Based on experience and also based on CFIUS' annual reports that they publish each year, looking back at the year, we can usually guess what CFIUS will do. CFIUS acts by consensus, so decisions are made at a very high political level. Keeping current on the White House and the administration's rhetoric and mood will provide guidance on the likelihood of success.

Molly O'Casey: Does FOCI mitigation and CFIUS mitigation work harmoniously? How nicely does CFIUS and DCSA play together?

Libby Bloxom: CFIUS and DCSA do indeed play together. They talk with each other. The Department of Treasury, where CFIUS sits, and DOD, or the Department of Defense, where DCSA sits, are members of the committee. So they're in the same room. For example, we had a client who acquired a U.S. company. The transaction was not subject to the mandatory filing requirement, and the parties chose not to make a voluntary filing with CFIUS. A few years later, that same U.S. company applied for a facility security clearance, and CFIUS learned of the acquisition and opened a review and required a CFIUS notice, post-closing.

Molly O'Casey: So not only do they work harmoniously, but one can get you in trouble with the other. That's a lot to consider when filing with DCSA. What are some key takeaways for companies involved in critical industries and foreign investment?

Libby Bloxom: If a transaction involves a U.S. cleared company and is subject to either a mandatory or voluntary filing requirement, then navigating both CFIUS regulations and the National Industrial Security Program Operating Manual, or NISPOM, can be tricky. As you gather, companies should understand these issues early in the investment process. It is important to understand all of the regulatory timelines in order to effectively strategize and make a plan towards closing. A lot of times companies want to close as soon as possible, but you may have these regulatory hurdles and can't meet that closing timeline that the parties desire. And remember, the agencies talk to each other: Department of Defense, DCSA; State, I think ITAR-registered companies, the International Traffic in Arms Regulations; and Justice, Hart-Scott-Rodino pre-merger notification requirements. These agencies are all members of CFIUS and, as I said, CFIUS acts by consensus. So a CFIUS filing might smooth the overall review process when a cleared company is involved in a transaction and FOCI mitigation is required or a pre-merger notification is required under Hart-Scott-Rodino.

Molly O'Casey: Right. So if you're sitting in a sense of industry and/or your cleared company, you need to consider the national security implications, not just for the agency that's in front of you, but also for any of the agencies that might be interested in that transaction.

Libby Bloxom: Yeah, that's exactly right.

Molly O'Casey: Thank you so much for your thoughts, Libby.

Libby Bloxom: Of course, Molly. Thanks for having me back.

Molly O'Casey: This area is full of acronyms. Just this week we had CFIUS, so the Committee on Foreign Investment in the U.S.; TID U.S. business or U.S. businesses with critical technologies, critical infrastructure and sensitive personal data; FDI or Foreign Direct Investment; DNI, the Director of National Intelligence; HSR, Hart-Scott-Rodino; ITAR, International Traffic in Arms Regulations; DOD or Department of Defense; and IC, Intelligence Community. So each episode we ask our speaker to explain an acronym that featured in the episode with wrong answers only. Libby, do you want to have a go?

Libby Bloxom: Sure. Today, my acronym is CFIUS, curious feds inspecting unusual spaces.

Molly O'Casey: Unusual spaces, indeed. Thank you again, Libby.

Libby Bloxom: Yeah. Thanks, Molly.

Molly O'Casey: With that, I hope that everyone has a great week.