Podcast - Navigating Regulatory Challenges in M&A Transactions

Molly O'Casey: Welcome to the 17th episode of Are We All Clear?, the podcast on facilitating security clearances. I'm your host, Molly O'Casey, an international trade associate with Holland & Knight's Washington, D.C., office. Today's episode will discuss DDTC, CFIUS and HSR notifications as well as BEA filings. These acronyms stand for the Directorate of Defense Trade Controls or DDTC, the Committee on Foreign Investment in the U.S. or CFIUS, the Hart-Scott-Rodino Act or HSR, and the Bureau of Economic Analysis or BEA. These notifications come up in M&A transactions and need to be considered in parallel to FOCI mitigation, FOCI being Foreign Ownership, Control or Influence. With those acronyms in mind, let's get started. Today's speaker is Antonia Tzinova. Antonia leads Holland & Knight's CFIUS and Industrial Security Team. Welcome back to the podcast, Antonia.

Antonia Tzinova: Thank you, Molly. It seems I'm becoming a fixture on your show. Thank you for keeping inviting me.

Molly O'Casey: We covered CFIUS and FOCI in previous episodes, so I'm going to run through these concepts real quick for those listeners just joining us. As said, CFIUS is the Committee on Foreign Investment in the U.S. It's an interagency committee chaired by the Secretary of the Treasury and made up of both voting members as well as non-voting members. The voting members include the secretaries of state, defense, homeland security, commerce and energy to name a few. The high-profile nature of these members is because CFIUS oversees potential national security risks of foreign direct investment in the U.S. economy. To this end, it reviews mergers, acquisitions and takeovers that could result in foreign control of a U.S. business. Not just any business, though, these businesses tend to be involved in critical technologies, critical infrastructure or sensitive personal data, as well as real estate transactions that are near sensitive government facilities or airports or maritime ports. Meanwhile, FOCI stands for Foreign Ownership, Control or Influence. Companies can obtain a facility security clearance or FCL to perform classified contracts and access classified information. Once these cleared companies obtain an FCL, however, there are limitations on the degree of ownership, control or influence a foreign entity can obtain over them. The view is that FOCI could adversely affect the performance of these classified contracts or raises a risk for unauthorized access to classified information. As we discussed in the previous episode, CFIUS and FOCI overlap in that the focus of these regulatory regimes is to protect U.S. national security by managing foreign influence over specialized U.S. businesses. When a foreign investment triggers national security concerns, it may require both a CFIUS review, which could result in mitigation and the implementation of FOCI mitigation. Did I kind of cover everything there, Antonia?

Antonia Tzinova: Thank you, maybe we can go home now.

Molly O'Casey: No, not yet, you still got to put some time in on that, we haven't really discussed DDTC, HSR and BEA before. So with that, I'll turn it over to you, Antonia. How do these notifications come up? What are the regulatory regimes and what triggers a review?

Antonia Tzinova: Right. So I think that the key point to drive home is that fortunately or unfortunately, depending on your point of view, it's not only one regime that we need to consider. It's a multitude of regulatory regimes that come up in the context of M&A transactions. And so this is really the first key factor. I mean, most of those pop up in the M&A context, I mean, with some FOCI, it may happen in, you know, other contexts as well, maybe you sign up a foreign customer, but for the most part, the ones we're discussing today pop up in the context of an M&A transaction. It could be a controlling investment, it could be a minority investment, I mean, each regulator has its own tests. So, that's the first one. The other context to consider here is like, OK, M&A, what is triggered? And so for many of those, we are dealing with a foreign person being involved like a foreign interest, but HSR, as we will learn in the moment, does not necessarily involve a foreign party, it just really is focused on the value of the transaction. So it's like big picture M&A value of the transaction, foreign issues, issues of control. These are some key operative words that people need to remember. So, I just want to kind of lay them out so people know which ones we will be dealing with.

FOCI, you spoke about that at length, but just to summarize, we deal with that in the context of safeguarding classified information. At least in the current environment, there are changes coming in the DOD world, but keywords, classified information, foreign interests, red light, goes on.

CFIUS, Committee on Foreign Investment in the U.S., deals with national security very broadly speaking. National security, as others have mentioned on your prior episodes, is not defined. That's on purpose, so it can take the form and shape of anything that is of concern in the current political-geopolitical environment, but because it deals with foreign investments, it will always be in the context of a foreign person either acquiring control or a minority investment in certain U.S. businesses.

Then we have DDTC, that's, I think, a new entrant on your show. So DDTC, again, stands for Directorate of Defense Trade Controls. It's a bureau or an office within the Department of State. And they're concerned with the control of defense technologies. So anything to do with a weapon system, but it goes beyond just weapons. There is, within their regulations, the International Traffic in Arms Regulations, the ITAR. There is the so-called U.S. Munitions List, USML, and so on the U.S. Munitions List, you have the various defense technologies that are controlled in the U.S. They are also controlled in many of our allied countries. So it covers pure firearms, defense weapons, but it may cover military vehicles, tanks, naval ships, aircrafts. It may cover defense technologies, for example, military training equipment. It may cover equipment used for reconnaissance and counter-intelligence. So these are specifically enumerated so people don't need to guess what's there, they can just reference the U.S. Munitions List, and whenever a foreign person acquires control in a company that deals in defense technologies in the U.S., either as a manufacturer or as an exporter or as a dealer, DDTC needs to be notified in advance so that they can evaluate any threat or any potential risks with respect to a foreign person acquiring control over such a company.

You mentioned BEA filings. So BEA stands for Bureau of Economic Analysis, and this is an agency that is involved in purely collecting statistics on the U.S. economy. These are the people that collect data to produce the balance of payments or trade deficit reports for the U.S., and so they collect statistical data on foreign investments in the U.S. just so that the U.S. government has a general awareness of foreign capital coming into the U.S., either to set up new companies, to acquire existing companies, etc., but this is for statistical purposes, this doesn't necessarily assess control, and it's a post-closing filing. So there's no need to obtain permission to proceed with a transaction from BEA, it's just reporting the investment so that they can track for purposes of overall reporting of the U.S. government.

And then we have the Hart-Scott-Rodino Act, the one that you mentioned, the HSR, and now this is one that doesn't relate to foreign investment in the U.S. specifically, per se. It studies the anticompetitive effects of any M&A transaction. So it happens in the context of M&A, but it's concerned with concentration of economic power on the U.S. market that might result in a negative impact on U.S. consumers. So imagine two telecom companies deciding to merge and create a behemoth that now has an outsized economic power and start dictating prices and maybe raises prices for everybody and makes it very difficult for new entrants on the market and makes the overall environment worse for the average consumer. So in that context, we have the HSR filing, and this pops up with respect to M&A transactions that exceed a certain value threshold. So I know that I spoke a lot. And you know, maybe just to summarize, we have FOCI for classified information, CFIUS for national security, broadly speaking, DDTC concerns with defense technologies, BEA, which deals with statistical reporting, and then we have the HSR, which deals with anticompetitive effects of certain M&A activity.

Molly O'Casey: Yeah, thanks for outlining that. It's a lot of different agencies to consider, and I'm sure they each have their own quirks and interpretation of national security. How do you determine whether any of these regulatory regimes apply?

Antonia Tzinova: Right. So again, back a little bit to the purpose of the regime. With most of these, we are concerned with foreign ownership or control. And in the case of HSR and BEA, we're concerned with value. And so I'm going to walk through each one individually kind of to set up the minimum parameters.

We're going to start with the FOCI reporting because this is the main feature of your show. So FOCI is regulated under the NISPOM. And the concern is that a foreign interest is not going to have undue influence over a U.S. government contractor that is processed to handle classified information. So the key concern is safeguarding classified information and so the thresholds are relatively low. So any time you have at least 5 percent or more foreign ownership in a cleared contractor, this needs to be reported. If it's a purely passive investment in the context of a private equity, for example, you can argue that there is no control, it's just foreign ownership, but indicia of control can be a board seat voting stock above 5 percent, some other arrangements that give the foreign investor or foreign interest decision-making power with respect to the cleared contractor. And so as you have discussed with others on this show, it shows up at the very low level of a foreign investment, and it also shows up in some instances where you don't have ownership or control. It may be just a foreign customer that, you know, is responsible for a major portion of declared contractor revenue. So that would be FOCI, and anytime there is a change to the information that's reported on a cleared contractor SF-328, like a material change, this needs to be reported to DCSA, and it can appropriate FOCI mitigation put in place.

With respect to CFIUS, as you discussed, I think on a couple of prior shows, CFIUS, the Committee on Foreign Investment in the U.S., looks at national security more broadly. So they will be interested in a foreign person acquiring control over an existing U.S. business and such control posing a threat to U.S. national security. There is no quantitative definition of control. It's a functional test, and the key question is, can the foreign person exercise powers that would affect decision making of the U.S. business. And that could be through a sizable equity stake, it could be through a board seat, it could be through certain veto rights or decision-making powers with respect to the business. And CFIUS is also concerned with some non-controlling investments that are made in a subset of U.S. businesses — I think you briefly referred to those earlier today — these will be U.S. businesses that are involved in critical technologies, critical infrastructure or the collection and handling of sensitive data of U.S. nationals. We refer to those as TID U.S. businesses. So in the case of those, even if you don't have a controlling interest, if a foreign person acquires certain access rights, either access to sensitive data or to technical data that's not publicly available or the ability to affect decision making of the U.S. business, there will be CFIUS jurisdiction over that transaction. With respect to DDTC, the test is a little less rigid compared to FOCI and CFIUS. So again, they're purely focused on defense technology and they're focused on foreign investments in a U.S. company that is registered either as a manufacturer or an exporter or a broker of defense items that are listed on the U.S. Munitions List. So those folks need to be registered with DDTC at the first instance of their defense trade activity, and if they accept a foreign investment at any point past the registration, they need to evaluate what's the level of foreign ownership, is there control and is that a reportable transaction that needs to be cleared prior to closing.

So in the DDTC, ITAR context, there is a different test. So DDTC is either looking at, at least 50 percent foreign ownership of the voting shares of the registered company or, if no single person earns 50 percent or more, at least a 25 percent foreign ownership interest. If no single U.S. interest has at least 25 percent counterbalance the foreign interest. And then even if these two tests are not met, there is some other arrangement that will result in foreign control over the ITAR registered company. So if we have one of these situations, DDTC needs to be notified. It's a 60-day advance notice prior to closing, so it needs to be taken into effect. Then we have the other two filings that we mentioned. These are on the basis of value of the transaction, so I'm just going to go with BEA first simply because it also deals with foreign investment in the U.S., but any time foreign investment exceeds $3 million, a very low threshold, there is a reporting requirement post-closing. So BEA needs to be notified after the fact, and certain information about the investment needs to be reported.

And then we have the HSR. So HSR does not deal with national security. It does not deal necessarily with foreign acquisitions, it's always in the context of an M&A activity. The current HSR threshold for reporting is $126.4 million. So if the value of the transaction reaches that threshold or if the assets of the company or the combined company after the M&A transaction is complete will reach that threshold — and I'm not an expert here, so I don't want to speak too much to the details of the HSR review — but a pre-notification is required so that the Department of Justice can evaluate the effect of the proposed transaction on the competitiveness of that particular industry sector. So the concern is that, again, we don't accumulate too much power in one market player.

Molly O'Casey: Interesting. So it sounds like ultimately, even though these have different requirements, the type of information that needs to be tracked and reported is pretty consistent in terms of being Foreign Ownership, Control or Influence as well as the transaction value.

Antonia Tzinova: That's right.

Molly O'Casey: How heavy a lift is this for companies? Are all of these mandatory filings?

Antonia Tzinova: So I'm going to start with a yes. And it's a qualified yes. So —

Molly O'Casey: I don't think there's any other kind of yes for a lawyer.

Antonia Tzinova: Right. With the exception —

Molly O'Casey: "Yes, but..."

Antonia Tzinova: Right, with the exception of CFIUS. In all other cases, if you meet the regulatory requirements, then we have a mandatory filing. So I'm talking DCSA on the FOCI reporting, I'm talking DDTC if there will be foreign control over an ITAR-registered company. The other one is the HSR. If the threshold of the value of the transaction is reached — and just again, it's $126.4 million at the moment, also, it's a threshold, so if $3 million is reached, there is a reporting requirement. Why did I say it's a qualified yes? So with respect to CFIUS, only a subset of transactions would trigger a mandatory filing. Investment, whether it's minority or controlling investment in a TID U.S. business. So it's a more nuanced test with respect to critical technologies. If you have a foreign interest gaining control or certain access rights, it's always a mandatory reporting with respect to critical infrastructure and sensitive data. We also care whether the foreign buyer is substantially owned by a foreign government, but these will be the cases where you have a mandatory filing in the context of a TID U.S. business. All other cases that fall out of the TID U.S. business are subject to a voluntary regime. So the parties decide whether they want to file or not, and it's mostly driven by the buyer in that context because if there is a voluntary filing and the parties don't file and add late points, if CFIUS decides to review the transaction, the buyer will bear the cost of any follow-up review and mitigation that CFIUS would impose. And just as a reminder to your listeners, there is no statute of limitations on CFIUS review. So unless a transaction has been reviewed and approved, CFIUS can intervene at any point in the future. And that's why it's buyer beware in the voluntary filing context. But the short answer is yes, in most cases, these are mandatory filings.

Molly O'Casey: Right. And you mentioned the timing on CFIUS where, you know, they can reopen transactions at any point, but for these other filings, when do you have to make them as a general rule?

Antonia Tzinova: Right. So CFIUS tends to be the long pole in this. So it needs to be taken into consideration, just like in terms of specificity, the ITAR, the filing with DDTC is 60 calendar days before closing. It's a waiting period, so the parties are not going to receive a letter notifying them that they can proceed, but they have to file at least 60 calendar days in advance. With HSR, it's a 30-day review period unless they have some additional questions. DCSA under the NISPOM doesn't have any particular timelines, but if there is also a parallel CFIUS filing involved, they will work on the CFIUS schedule. And I also want to mention that both the State Department, where DDTC sits, and the DOJ, which reviews HSR filings, are represented on the CFIUS, and as people probably have learned, CFIUS is an interagency of 16 departments. They act by consensus. So each of these agencies that we're talking about is also represented there, and they will need to give their OK in order for CFIUS approval to be secured. And the CFIUS regulations have some timelines that are instructive. There is a pre-filing of the full notice, and then there is like an initial 45-calendar-day review period that can be followed by a 45-calendar-day investigation, and then, if CFIUS needs more time, it can incrementally add additional 45-calendar-day periods they kind of just attach at the end of the review through a procedure called "Withdraw and Refile." So I think that on average, parties should estimate about 100 and 520 days to complete a full CFIUS review, and all the other regimes kind of fit within this period. So budget about three months, I would say.

Molly O'Casey: Got it. I mean, three months sounds like a while, if you're moving on a pretty fast M&A transaction.

Antonia Tzinova: True, and so it's a good point you're making for a very large M&A transaction, one that, you know, approaches a billion or exceeds $1 billion, that's probably nothing, and so all these things that are being taken care of and, you know, allowed to develop. For smaller transactions, that can be a bummer and I want to emphasize that in the case of the ITAR, or in the case of the FOCI mitigation, in case of CFIUS, there is no value threshold. Right. So it could be as small an investment as like half a million, that may delay closing, but again, if there is a mandatory filing and parties choose not to file or fail to file, there are substantial penalties associated with failure to file. It could be up to the value of the transaction or multiply to $50,000 and then in some cases there may be jail time. So it's —

Molly O'Casey: Serious.

Antonia Tzinova: It's something to keep in mind.

Molly O'Casey: Yeah, I think jail time is always something to keep in mind, which segues beautifully into my next question: What are the biggest consequences that companies should keep in mind for not, you know, breaching these regulatory regimes?

Antonia Tzinova: Well, it really depends on the context, but, for example, a cleared company may lose its clearance, or it may be prohibited from bidding on new work. A DDTC-regulated company, the one that's in the defense trade business, may lose its export privileges. So we have an infamous case from a number of years ago, but I still like to refer to it because it's far enough removed that we can now talk about it calmly. ITT, about 10 or more years ago, was so blatantly violating the ITAR that it lost its exporting privileges for three years, plus it had to pay a penalty of $100 million. And so that can have a huge impact on the bottom line of any business if, you know, they cannot operate in their field. In the context of CFIUS, I mean, the penalties are quite large and, as I said, up to the value of the transaction, but you can also have mitigation imposed post-closing that you haven't budgeted for, and CFIUS may also order the vestiture, so different consequences, if you will, depending on the type of filing we're dealing with.

Molly O'Casey: And do all filings results in some sort of mitigation? I imagine there's overlap in what that mitigation tends to look like.

Antonia Tzinova: So, I mean, in each case, there is some mitigation measures that can be considered. So for FOCI mitigation, it's part of the name, right? So if you have a foreign interest acquiring equity in a cleared contractor, there will be some sort of a mitigation. Depends on the type of investment, is it a minority, is it passive investment, is it a controlling interest? We've discussed various FOCI mitigation forms. We have special security agreements, security control agreements, proxy agreements. In some cases where the investment is passive or it's a minority interest, we may have board resolutions, relatively mild effect, comparatively speaking. In the context of CFIUS, so the regulations provide for mitigation agreements, nowadays called national security agreement to confuse everybody with the NSA, you know, the agency that's out there. And these are now a little bit more predictable in terms of form and shape they take. There is not a list of mitigation measures that's provided somewhere out there. But what we've seen is it could be, you know, a benign supply assurance requirements.

So let's say that the company is a contractor to the U.S. government and they want to make sure that for the next three years they will be able to purchase the U.S. business products so there will be continuity in product supply. It could be the requirement to keep sensitive data in the U.S., it could be, you know, more serious where a security officer is introduced in the structure of the company, overseeing communication with the foreign owners and, you know, serving as a point of contact for the government with respect to compliance with the national security agreement requirements. In the context of a company that's registered under the ITAR and deals in defense trade, typically the minimum we would see is a technology control plan. Now, that's an interesting document, it originated with — nowadays DCSA, it used to be called DSS — that was intended for the use of cleared contractors that were being acquired by foreign companies so that they have some policy document addressing non-classified information like export control information and other non-classified controlled information, what we now know as CUI. But then it kind of was adopted by the industry at large, and so now TCP, technology control plan, is something that DDTC would expect to see at a minimum. If a foreign person will be acquiring control over an ITAR-registered company, it doesn't have to be a TCP, it could be an export compliance manual, it could be titled any way, but at the minimum it should spell out the obligations of the ITAR-registered person with respect to foreign nationals. And then a bigger picture, you know, not necessarily a formal document, but in the context of CFIUS and FOCI and DDTC and HSR, there may be a requirement to restructure the transaction to sell or spin off a portion of the business, like a business line that requires special controls, and the government has concerns if that particular foreign interest acquires it. So you may have certain requests that are not necessarily formalized in one of these mitigation measures that we spoke about, but, you know, they're taken ahead of time to address potential concerns with the transaction.

Molly O'Casey: Got it. So it sounds like the mitigation will probably look like reviewing the transaction, coming to some kind of agreement with the government and the TCP, technology control plan, is usually a good place to start.

Antonia Tzinova: That's right.

Molly O'Casey: Cool. What are some strategies to navigate the field?

Antonia Tzinova: That's a question that every lawyer loves. Take a holistic approach to due diligence and start early. You need to identify the issues because we talked about penalties, we talked about mandatory filing requirements, and so investors and companies that are subject to these investments need to go experience counsel so that these issues are identified early on and addressed accordingly. Whether it be a spin-off of a business line or filing with the regulators, it is important to coordinate the different filings so that the same information is fed to the different regulators, and as part of that, it's not a bad idea to review what the company has listed on its website and whether that conforms with the information that's being provided to the regulators because they take the time to check. And then, you know, allow yourself some time. As I said, it can take three months to go through these, depending on the nature of the national security concerns identified, and also consider for the eventuality of not obtaining approval. I mean, that happens occasionally. And so how do you protect yourself depending on whether you're the seller or the buyer in this transaction? Do you require a certain deposit that if approval is not obtained, you as the seller can keep? If you're the buyer or even if you're the seller and review takes too long to obtain approval, do you have a protection that will allow you to move on and cut your losses and go and not have to continue spending money and time on the transaction? So these are some of the things to consider. That's why you need experts, I would say, and you need to go to them early on so that they can provide a holistic advice on the various regulatory regimes.

Molly O'Casey: Get help, get it early.

Antonia Tzinova: Get it early. I mean, you and I know oftentimes we get like a call from an M&A colleague and we have this transaction and it's scheduled to close next week or by the end of the month. I mean, that's not a very helpful context. It's just like, OK.

Molly O'Casey: And it's like, well, let's talk about that closing.

Antonia Tzinova: Let's see. Let's see. Right. But, you know, having a week or having like less than 30 days is not helpful here because you're running off all the waiting periods.

Molly O'Casey: Yeah. My palms are sweating just thinking about it. Thank you so much for your thoughts, Antonia.

Antonia Tzinova: Absolutely. Always a pleasure.

Molly O'Casey: This area is full of acronyms. Just this week we had CFIUS, or the Committee on Foreign Investment in the U.S., HSR, or Hart-Scott-Rodino, ITAR, International Traffic in Arms Regulations, DDTC, Directorate of Defense Trade Controls, and BEA, the Bureau of Economic Analysis. Each episode, we ask our speaker to explain an acronym that featured in the episode with wrong answers only. Antonia, would you like to pick an acronym?

Antonia Tzinova: Sure. I think because this is probably never going to come up again, or it's the first time that it showed up on your podcast, I am going to go with HSR. And I'm going to go with high-speed rail. So I don't claim originality here. I have to admit, I looked it up and apparently that is how HSR is mostly used out there, unless you're an M&A lawyer, of course. But I think that it reinforces the point nicely. If you want your transaction to fly smoothly through closing, you need to identify the various regulatory requirements early on and line up the right team to get you to the finish line.

Molly O'Casey: Amazing. I wish we had more HSR in the U.S. I am terrified of cars.

Antonia Tzinova: OK. And I love high-speed rail anyway. I mean, just the idea of it is… I feel like we live in the year 3000.

Molly O'Casey: Well, thank you again to Antonia for taking the time to meet with us today and talk about your experience.

Antonia Tzinova: Thank you, Molly.

Molly O'Casey: I hope everyone has a great week.