Welcome to a  sponsored podcast series where I am exploring how to navigate risk from the Committee on Foreign Investment in the United States (CFIUS), sponsored by K2 Intelligence Financial Integrity Network (K2 Intelligence FIN). Over this five-part series I will visit with David Holley and Him Das the co-leads of CFIUS Advisory Practice at K2 Intelligence FIN. We will consider navigating the CFIUS process through using business intelligence to identify CFIUS threats and vulnerabilities, using a proactive approach to navigate the CFIUS process, CFIUS and cyber risk and access control, and effective monitoring for CFIUS. Today, in Episode 3, I visit with Him Das on the CFIUS process regarding compliance frameworks for sanctions, export control, financial crimes risk and anticorruption risks.

Sanctions and Export Control

The US imposes a broad range of economic sanctions, primarily for foreign policy or national security reasons. There are comprehensive sanctions with respect to certain countries, such as  North Korea, Iran, Cuba, Syria, parts of Ukraine and the Crimea region. There are broad targeted sanctions on bad actors such as terrorists, transnational criminal organizations, persons who are engaged in corruption, or human rights violations; for example, in Venezuela or Zimbabwe. There are a range of spectral sectoral sanctions as well on some countries such as Venezuela or Russia.

From this CFIUS will often examine whether the investor or the investment partner complies with US sanctions, to the extent that they are applicable, and to understand whether or not the foreign investor presents a threat to national security. Das provided the following example, “if the foreign investor regularly engages in transactions with Iran and has violated or violates US sanctions or export control laws by dealing with Iran, either through the US financial system or by exporting US origin items which do not have a commerce license and are subject export controls, that’s going to present a national security concern.” Interestingly, this is a key area of dialogue to help create credibility with CFIUS. It will be important to obtain CFIUS approval because at the end of the day, “US enforcement only goes so far and ultimately the US government agencies are going to rely a little bit on the trust of the partnership with the parties to the transaction.”

Vulnerable Sectors

Here Das pointed out that if an entity is involved in critical technologies, there will be a substantial government interest in the transaction. This means you can expect the CFIUS to very closely evaluate the investment, to understand the national security threats and vulnerabilities. Some of the questions which may be posed are: What the foreign government involvement is going forward? Whether there is a concerted foreign government effort to acquire sensitive technologies? Whether or not there is a potential adverse impacts to the US supply chain? Will this acquisition be an overall threat in terms of a US leadership with respect to certain technologies? What particular sectors might be vulnerable to the new export control rules? These are all questions which CFIUS may well pose and you should be ready to answer them.

What can companies do to mitigate these issues?

Das noted there are four key issues for any company going through the CFIUS process. Firstly, you must understand your technologies, what you manufacturer and what you use in that process from a Supply Chain perspective. Second, it is important to understand your investor and their interest in your company and technologies. Next you must evaluate whether or not there might be a national security threat of vulnerability or sanctions exposure. Finally, you must understand the investor and what is in their investment portfolio to get a better understanding of whether or not they have strategic objectives with respect to a technology or range of technologies or a particular sector that might have some impact or implications with CFIUS.

After considering these four keys issues, Das said it is important for organizations to consider appropriate mitigation either by shaping your transaction to prevent access by a foreign investor to material nonpublic information or by imposing appropriate access controls in business units, engaged in sensitive technologies. Lastly, a company should set up a monitoring regime or a security officer to make sure the remediation is followed. This type of framework will help build trust with CFIUS and demonstrate to CFIUS that you are thinking about the compliance framework and the future as well.

Join us tomorrow as David Holley joins me to consider CFIUS, cyber risk and access control.

For more information on K2 Intelligence Financial Integrity Network and their CFIUS Advisory Services practice, click here.