Are you looking to hire a star engineer who is a foreign national? Are you considering raising capital from a foreign venture capital firm or other foreign investor? Are you interested in sourcing components or creating manufacturing capacity overseas? You can avoid costly, value-destroying mistakes down the road, make your company a more attractive investment target, and expand your potential customer base by considering several key legal issues upfront. Rules related to export controls and foreign investment are highly complex and impossible to summarize in a couple of pages. But you can absorb the basic contours of the regulatory landscape through a series of frequently asked questions.
The U.S. implements a variety of regulations that govern U.S.-origin products, software and technology. Different federal agencies are responsible for administering rules applicable to different items, but the vast majority are subject to the Export Administration Regulations (EAR). An export is subject to the EAR if it is a commercial commodity, software or technology or a dual-use item, which has both a potential military and commercial or civilian application.
1. I am in the business of designing software, and I do not physically export anything. Why should I care about export controls? If you are a U.S. company, chances are your products, software and technology are subject to the EAR. The EAR applies to items made in the U.S.; items exported from the U.S. (even if merely transiting the U.S. from one foreign country to another); foreign-made items that contain certain amounts of controlled U.S. parts, technology, software or know-how; and "deemed exports," which are transfers or releases of controlled source code and technology to foreign nationals inside the U.S. For example, if your star engineer is a foreign national, you may already have an export control issue to consider.
2. OK, I understand that my software is subject to certain export control rules, but do I need permission from the U.S. government to design or sell it? Maybe. Depending on how your items are classified (i.e., categorized under the EAR), you might need a license if you plan to release or transfer technology or source code to non-U.S. citizens within the United States (for example, product developers or other employees) or when you are ready to start selling to foreign customers. Keep in mind that an "export" is not only the physical shipment of a commodity but can also include the release of a software as a service (SaaS) application or the transmission of an email containing product design specifications, for example.
3. How do I figure out how my products should be classified? In coordination with technical experts on your team and knowledgeable legal counsel, you can determine the appropriate export control classification number(s) (ECCNs) of your products, software and technology by doing a self-classification or by filing a commodity classification (CCATS) request with the government. Knowing ECCNs at an early stage can help you determine, for example, where to open offices, hire staff, target customers and more.
4. This makes sense, but it does not seem particularly time-sensitive. Why should I worry about export controls now when I am trying to wrap up a financing round and grow my business? There are a few reasons. First, it is common for companies to classify their technologies ahead of financings because investors will ask. Particularly when it comes to foreign investment, it is essential to know whether your company is involved in any way with export-controlled items. As the product classification process can take time (and requesting guidance from the government can add weeks or even months), nailing down this information early can facilitate a more streamlined financing round and provide access to much-needed capital if knowing the ECCN is a financing requirement. Second, being a relatively new company does not entitle you to lighter enforcement. The chief U.S. export control regulator, the Bureau of Industry and Security (BIS), continues to focus enforcement efforts on individuals and companies with no prior engagement with BIS. In fiscal year 2020, BIS conducted more than 658 enforcement outreach visits to individuals and companies with no prior history of submitting applications for export licenses and initiated 77 leads and cases involving allegations of "deemed" export licensing violations (e.g., sharing controlled software or technology with a foreign national employee in the U.S.). The government can also impose a range of consequences for noncompliance with export control laws, including criminal and civil penalties, debarment from doing business with the government and loss of export privileges.
Committee on Foreign Investment in the United States (CFIUS)
CFIUS is a federal government interagency committee with broad authority to review, approve and block certain foreign investments in U.S. businesses – including in startups and early-stage companies – if the investment poses risks to national security.
The activities and operations of CFIUS have grown significantly in recent years. CFIUS reviewed a record 436 transactions in 2021. CFIUS is a powerful group with the potential to influence where you can raise capital, who can sit on your board and even who can acquire your company. But with the right preparation, CFIUS risks can be demystified, evaluated and addressed. CFIUS exercises heightened scrutiny over foreign investors from certain high-risk countries – particularly China and Russia – but certain U.S. businesses can raise national security considerations even for foreign investors from countries that are close allies of the United States. Data compiled by the Center for Security and Emerging Technology (CSET) notes that, as of February 2021, China is the leading source of foreign investment in top U.S. artificial intelligence (AI) startups, with 5 percent of total investors (foreign investors as a whole make up 24 percent of the investors into top U.S. AI startups). In 2021, CFIUS reviewed 44 deals involving Chinese investors, a drastic increase from 17 reviewed in 2020. The key is to perform diligence on the nationality of your investors and discuss with legal counsel the kinds of rights you can grant in your company that may raise alarm bells with CFIUS.
5. What transactions can CFIUS review? CFIUS has jurisdiction over many foreign acquisitions and investments in U.S. businesses. Although many convertible notes, licensing agreements, debt issuances and joint ventures fall outside of its purview, CFIUS could review transactions in each of those categories depending on the specific rights acquired. CFIUS can also review any transaction it deems is intended to evade its jurisdiction.
6. All the entities on my cap table are U.S.-based, so I don't need to worry about CFIUS. Not necessarily. A foreign person is a non-U.S. national or non-U.S. entity, or an entity over which control can be exercised by a non-U.S. national or entity. For example, if a U.S.-based investment fund is under the control of one or more foreign general partners, that fund may be a foreign person. Similarly, a foreign ultimate parent can trigger CFIUS jurisdiction even if a U.S. subsidiary presents itself as a potential investor in your company. It's important to conduct diligence regarding the ownership and control of your investors.
7. Does that mean all foreign investments in my company could be reviewed by CFIUS? Not necessarily, but a risk assessment during your financing round (or whenever you are considering foreign investment) can be helpful to determine whether a CFIUS filing is mandatory (certain transactions must be cleared by CFIUS or could be subject to monetary penalties among other measures) or voluntary (some transactions are optional but are still advisable if there are national security considerations).
8. If most CFIUS filings are optional, why would I choose the regulatory headache, especially if my financing round already closed and it did not garner much public attention? In some cases, CFIUS has forced companies to divest from closed transactions, sometimes years later. A voluntary filing avoids that potential disruption down the road. CFIUS has dozens of investigators who use a range of tools, including proprietary and intelligence-based means, to monitor and uncover "non-notified" transactions (i.e., parties hoping their transaction will fly under the radar). If you do not make a filing that is subject to CFIUS jurisdiction, there is no safe harbor available, and the monitoring staff could compel a filing and impose a range of mitigation measure (including divestiture) – even for transactions that closed months or years prior, as there is no statute of limitations. In 2021, CFIUS reported identifying 135 non-notified transactions, and in recent months, CFIUS officials have publicly emphasized their continued focus on identifying these transactions.
9. I am a startup, and my financing round will only involve small stakes from foreign investors. I thought CFIUS only focused on mergers and acquisitions, and I need the cash infusion now. CFIUS recently expanded its jurisdiction to include certain non-controlling investments (even under 10 percent) in companies that 1) work with particularly sensitive technologies, 2) own, operate or support U.S. critical infrastructure such as financial services or telecommunications providers or 3) have access to certain sensitive personal data of U.S. citizens. Collectively, these categories are known as "TID U.S. businesses" for critical technologies, critical infrastructure and sensitive personal data. For CFIUS to have jurisdiction over minority investments in TID U.S. businesses, the foreign investor must receive certain non-passive rights (e.g., access to certain material non-public technical information, board membership or observer rights, or involvement in decision-making regarding sensitive aspects of the company). There are options for structuring a transaction to facilitate immediate foreign investment in your business in certain instances while CFIUS undertakes its review.
10. I thought CFIUS was only focused on national security issues. I'm not a defense contractor, so why does it apply to me? Although CFIUS continues to focus attention on U.S. businesses with government contracts, those that operate in the infrastructure sector, or those that have export-controlled technology as noted above, CFIUS now has expanded jurisdiction and is heavily scrutinizing foreign investment in TID U.S. businesses, including a range of early-stage technology companies such as those working in data analytics, AI and machine learning, additive manufacturing, robotics, quantum computing, cybersecurity, financial technology (FinTech) and biotechnology.
Supply Chain Security
Given the nature of global commerce and the reality for businesses of all sizes – including early-stage companies looking for high-quality parts or support services from less-expensive international markets – the product supply chain, spanning from research and development through sourcing of components to final assembly and the servicing of products, often involves a patchwork of suppliers, vendors, manufacturers and engineers from multiple countries. Mapping your supply chain is crucial not only for quality assurance and accountability but because government regulations could complicate your business or prohibit the use of your products based on your international touchpoints.
11. I have a good sense of the actors in my supply chain. What are the practical implications of additional government scrutiny? Although the implications can vary, a main focus of regulatory attention is on supply chains with a nexus to Russia or China (including Hong Kong), and in particular, a number of Chinese entities determined to be closely connected to the Chinese Communist Party. But even companies headquartered in countries with close ties to the U.S. such as the European Union (EU) and Israel can be problematic, depending on who owns or controls the companies and the nature of your business. It is important to perform due diligence of your vendors, suppliers and service providers to understand where products are sourced, the ownership structure and any affiliations with foreign interests.
12. Are there particular U.S. industries more targeted for regulatory scrutiny? Although the landscape is evolving, there are several industries currently in the spotlight. U.S. businesses that procure information and communications technology or services from China or Russia are under a microscope, along with companies that operate in the semiconductor and solar industries. The government may refuse to use your products that incorporate or utilize certain Chinese and Russian parts, components, vendors or service providers in their supply chains or may require domestic sourcing of certain products under "Buy America" rules. Finally, there are separate human rights restrictions from a range of U.S. government agencies, including the U.S. Department of the Treasury's Office of Foreign Assets Control (OFAC), BIS, and U.S. Customs and Border Protection (CBP), regarding Chinese products manufactured wholly or in part in the Xinjiang region of China, particularly after the enactment of the Uyghur Forced Labor Prevention Act (UFLPA).
OFAC implements economic and trade sanctions based on foreign policy and national security goals targeting foreign countries and regimes and certain restricted parties, including Specially Designated Nationals and Blocked Persons (SDNs). Under its various programs, OFAC sanctions can be either comprehensive or selective in blocking assets, restricting trade or limiting transactions in particular industries. Every U.S. business – regardless of industry or size – must comply with OFAC's rules, so it is important to have some baseline compliance measures to screen your transactions, including with customers and contract counterparties. Sanctions and related issues have increasingly become front-of-mind for industry and a priority for the U.S. government following Russia's invasion of Ukraine. The U.S. and its allies have taken unprecedented action sanctioning hundreds of individuals and entities for their role in the war in Ukraine.
13. My business is in product development and beta testing mode. I do not have any current customers – much less international customers – so why should I care about sanctions? This is one of those topics where it is easy and useful to start small, because these issues are often overlooked when companies hit their stride and become a problem when investors ask questions (or uncover violations) in due diligence. OFAC recognizes this and recently issued a comprehensive framework explaining that all U.S. persons and businesses are expected to employ a risk-based approach to sanctions compliance by developing and implementing a program that is tailored to their profile.
14. I do not want to dedicate significant resources to this effort, as my company has a low sanctions risk profile. What do I need to do to comply with OFAC requirements? There is no one-size-fits-all approach. Baseline sanctions compliance programs typically address two elements. First, OFAC maintains comprehensive sanctions programs against several countries. Although some exemptions exist, these country-based programs prohibit virtually all trade and transactions with these jurisdictions, their nationals and entities. Second, sanctions can be targeted at particular individuals or entities. OFAC publishes a list of SDNs containing the names of individuals and entities whose property is blocked and with which U.S. persons are prohibited from dealing. Entities owned 50 percent or more by SDNs are also blocked. You should take note of whether your company has adequate screening to prevent transactions with restricted countries, governments, individuals and entities and their subsidiaries.
15. I have a written sanctions compliance policy. Does that mean I have met my obligations to OFAC? Not necessarily. It is important to periodically evaluate your compliance program and train your staff on implementation. Violating U.S. sanctions can result in criminal, civil and administrative penalties imposed on the responsible individuals as well as the companies that employ them. Moreover, strict liability may be imposed for a violation of sanctions such that a person may be subject to liability, even where such a person was unaware or did not have reason to know it was engaging in a prohibited transaction.