CFIUS & Export Controls: Putting Buyers, Sellers, and M&A Practitioners at Risk


In recent memory, enforcement of the Committee on Foreign Investment in the United States (“CFIUS” or the “Committee”) regulations has been mostly limited and sporadic. But recently, the U.S. government is reviving and enhancing these regulations as a direct response to the national security and foreign policy concerns ensuing from an increasingly tumultuous geopolitical environment. However, the disconnect between the aggressive shift towards strictly enforcing these regulations and the often limited resources invested in CFIUS due diligence reviews presents a great risk to parties involved in mergers, acquisitions (“M&A”), and other foreign investment transactions. 

I. What Changed? 

In 2018, the U.S. government fired the first warning shot announcing its intention to focus on foreign investments when the Foreign Investment Risk Review Modernization Act (“FIRRMA”) was enacted [See 50 U.S.C. § 4565]. This law expanded the scope of foreign investment transactions subject to review and granted CFIUS special hiring authority with increased funding to ramp up enforcement. 

In 2022, the President signed Executive Order (“E.O.”) 14083, which reiterated the U.S. government’s intention to enforce a “robust foreign investment review process.” The E.O. directed the Committee to consider additional factors when reviewing foreign investment transactions, such as supply chain resilience, cybersecurity risks, and U.S. technological leadership. 

More recently, the U.S. Department of the Treasury released the first-ever CFIUS Enforcement and Penalty Guidelines. And, on May 31, 2023, the testimony of the Assistant Secretary for Investment Security before the U.S. Senate stressed that the Committee is taking an active approach to enforcing foreign investment regulations. Notably, the first penalties pursuant to the CFIUS Enforcement and Penalty Guidelines have been issued.

It is now clear that the surface-level CFIUS due diligence reviews that were sufficient to mitigate the risk of violations in the past are, indeed, not sufficient any longer in light of these developments. 

II. Enforcement 

While conducting an appropriate CFIUS due diligence review can create a substantial burden on foreign investors and target entities, the penalties for violating the Committee’s regulations dramatically offsets any potential savings resulting from a surface-level CFIUS due diligence review or neglecting it altogether. The regulations provide the U.S. government with the authority to review, prohibit, suspend, and even unwind foreign investment transactions. The Committee also has the authority to implement harsh mitigation plans, such as ordering the cancellation or assignment of lucrative contracts or assets involving critical technologies, critical infrastructure, or sensitive personal data of U.S. citizens. Violations of these regulations can also lead to severe penalties, up to USD $250,000 or the value of the transaction, whichever is greater. 

III. Required Due Diligence  

A CFIUS due diligence review is fundamentally related to export control laws and regulations — even for businesses that have never engaged in any exports. As such, while gathering the necessary information to conduct an appropriate CFIUS due diligence review is likely to present a heightened burden and cost for businesses with primarily or exclusively domestic operations, this information is crucial to determine whether a transaction is subject to CFIUS’ Mandatory Declaration requirements (“Mandatory Declarations”). 

When a transaction involves a TID U.S. Business (critical technology, critical infrastructure, and sensitive data), a Mandatory Declaration may be required. In the context of a CFIUS due diligence review, TID U.S. Businesses are entities that:

  1. Produce, design, test, manufacture, fabricate, or develop Critical Technologies;
  2. Own or operate critical infrastructure, such as internet networks, electric power generation facilities, oil or gas pipelines, or facilities that serve military installations; or
  3. Maintain, collect, directly or indirectly, sensitive personal data of U.S. citizens.

Analyzing the first prong usually creates the biggest challenge because every product in a business’ portfolio, even those never marketed or still in development, must be reviewed. Whether a product meets the definition of “Critical Technology” is determined, in part, by its export classification. Again, this review is required even when the products have never been exported and/or whether or not the foreign investor intends to export them. 

Businesses with minimal or no international operations are likely to be surprised by the in-depth process necessary to classify products for export purposes. Export classifications involve a quasi-legal and technical review. The key information required is the product’s uses and detailed technical specifications. This information is reviewed against the Commerce Control List and the United States Munitions List to make a legal determination as to the appropriate export classification. The export classification of a product is then analyzed to determine if the product is considered a Critical Technology under the Committee’s regulations. If so, the target entity is a TID U.S. Business. 

IV. Mandatory Declarations 

The regulations apply the analysis for export license requirements to M&A and other foreign investment transactions even when no exports are involved. Private foreign investors (i.e., with no relation to foreign governments) and target entities are required to file a Mandatory Declaration when the target entity is a TID U.S. Business due to the Critical Technology prong, and a U.S. government authorization (“License”) would be required for the export, reexport, transfer (in-country), or retransfer of such Critical Technology to the foreign investor. 

In transactions where the national or subnational governments of a single foreign government have a substantial interest in the foreign investor and the target entity is a TID U.S. Business, no export license analysis is needed. However, due to the heightened national security risk presented by this type of foreign investment, a Mandatory Declaration is always required when the target entity is a TID U.S. Business due to any of the three prongs listed above. 

Consequently, when a target entity is deemed a TID U.S. Business, M&A practitioners should understand the importance of conducting a careful CFIUS due diligence review on the foreign investors’ identity, chain of ownership, and relationships with third parties. 

V. Additional Considerations
An appropriate CFIUS due diligence review is not always sufficient to eliminate all risks of violations, or the potential of CFIUS seeking to review a transaction post-closing. For example, public sources and data rooms may contain incomplete or insufficient information. As such, parties to foreign investment transactions should strategically allocate risks through representations, warranties, and covenants, though these are not a substitute for an appropriate CFIUS due diligence review. 

Representations and Warranties

Foreign investors and target entities can rely on contractual representations and warranties to mitigate CIFUS risks. Target entities should request representations on the foreign investor’s nationality (or nationalities) and relationships with foreign governments. Similarly, foreign investor should request representations stating the target company is not involved with Critical Technologies, critical infrastructure, or sensitive personal data of U.S. citizens that would trigger a Mandatory Declaration. In connection with these requests, foreign investors and target entities can further mitigate exposure by allocating risks (via indemnity clauses) if CFIUS related representations are ultimately inaccurate. 

Also worth noting, is the standard representation in M&A transactions that the target entity is in compliance with all applicable federal laws. Foreign investors and their counsel should be aware that, if a target entity ever exported products — including technical data — from the U.S. to a foreign subsidiary or branch office, without reviewing the product’s export classification, it is possible the target entity violated export controls laws. In such cases, a careful review by experienced counsel becomes necessary to determine whether this representation can be properly made.


Including CFIUS covenants can also help parties mitigate risks when a transaction will be submitted for CFIUS review. Foreign investors and target entities should request covenants allocating the responsibility of preparing the CFIUS filling and shepherding the review process. However, foreign investors should carefully review these covenants. Counsel should strategically draft such covenants to limit (or eliminate) the resulting impact on the target entity from a potential mitigation plan required by CFIUS as a condition to grant clearance. 

V. Voluntary Review 
The sole method to completely eliminating all CFIUS related risks is by voluntarily seeking a CFIUS review. In making such determination, parties should be aware of the associated risks and benefits of requesting a review. The primary benefit is two-fold: first, it allows parties to actively participate in discussions with the Committee and shape any potential mitigation plans. Second, once a transaction has been cleared by the Committee, the transaction will be immune from future CFIUS-related interference. 

CFIUS maintains the right to unilaterally initiate a review of certain foreign investments if the Committee believes the transaction may pose a national security threat. The Committee has a 3-year timeframe to review transaction — even after closing — which creates substantial legal, financial, and business risks. This is of particular concern to foreign investors, because, while these risks can be allocated contractually as discussed above, the foreign investor will ultimately bear most of the post-closing risks.

The risk of submitting a transaction for voluntary review is largely found in the additional cost and the potential for closing delays. Avoiding such fees and potential delays must be weighed against the future risk of unilateral CFIUS review and the associated penalties for violating the Committee’s regulations. Indeed, parties may reasonably conclude that foregoing submission for voluntary review is desirable, but such determination should come only after a multi-disciplinary CFIUS diligence review has been conducted.  

Closing Conditions 

Where it has been determined that a CFIUS declaration is mandatory or advisable, parties should include CFIUS approval as a condition to close the transaction. However, if a CFIUS filling will be submitted, it is important to consider the timeline of CFIUS review in the deal timeline. A CFIUS review can span from 30-days to several months, depending on the complexity of the transaction. In conducting its review, the Committee considers the national security risks that arise a foreign investor’s connections with other countries, its customers, suppliers, joint venture partners, and more. Practically, this means M&A practitioners should be particularly thorough in their due diligence in foreign investment transactions. 

IV. Final Thoughts 

The United States government has made it clear that enforcement of foreign investment regulations is now a priority. This is evident by the enactment of FIRRMA, the President’s E.O., and the first-ever released CFIUS Enforcement and Penalty Guidelines. Unfortunately, these warning shots have not been heeded by parties involved in foreign investment transactions. 

While the burden placed on parties with primarily domestic operations or that have never engaged in exports by CFIUS regulations is significant, the powerful enforcement mechanisms provided to the Committee such as unwinding transactions, cancellation or assignment of lucrative contracts or assets, and penalties up to the value of the transaction provide a significant incentive to spend the resources needed to conduct an appropriate CFIUS due diligence review. Moreover, these regulations are critical to national security. 

In many circumstances, international trade controls are the last issue a company is considering when doing a transaction largely due to the assumption that the transaction is purely domestic. But, with global supply chains, the reality is that every transaction is now international, and companies should consider enhanced compliance programs ahead of time, rather than trying to cobble one together when necessitated by a transaction. This program would include a policy and procedure as to compliance with international trade laws, a classification matrix of parts and services from an export control perspective, a training program, audit features, and ensuring necessary terms and conditions are included in contracts.

Involving experienced international trade counsel in foreign investment transactions is crucial. Particularly, when Critical Technologies, critical infrastructure, or sensitive personal data of U.S. citizens may be involved. As enforcement of foreign investment regulations (and the related export laws and regulations) continues to increase, parties involved in M&A and other foreign investment transactions should ensure that appropriate CFIUS due diligence reviews are conducted the underlying transactional documents include the necessary clauses to mitigate CFIUS risks.


No comments on this item Please log in to comment by clicking here