green sphere

Perspectives

CFIUS compliance and independent monitoring

Put the power of Deloitte into your CFIUS review process

Deloitte’s Committee on Foreign Investment in the United States (CFIUS) consulting provides premium monitoring and assessment services. Our global resources and scale in systems security, data access controls, and NSA compliance—as well as deep experience working with monitoring agencies—provides organizations with unparalleled CFIUS compliance.

A growing priority for national security and other critical US interests

The United States continues to be an appealing market for foreign direct investment (FDI) inflows.1 Yet a significant risk landscape exists with FDI: foreign individuals and organizations who attempt to exploit ownership in US companies by misappropriating sensitive data and information in ways that might be detrimental to US national security.

For this reason, the Committee on Foreign Investment in the United States (CFIUS) has significantly increased the scope and frequency of its reviews of mergers and acquisitions and other inbound investment activity to determine the potential for national security implications and impacts on other critical US interests. Such reviews frequently result in the negotiation of “National Security Agreements” (NSAs), which allow the FDI transaction to proceed only in accordance with CFIUS-mandated terms and conditions designed to protect the interests of the United States. And with new legislation, it’s never been more crucial for organizations involved in any FDI to be aware of new CFIUS regulations.

Back to top

Key developments in CFIUS legislation and its impact

  • Expand all
  • Collapse All

Under the Foreign Investment Risk Review Modernization Act of 2018 (FIRRMA), CFIUS was strengthened and modernized “to address national security concerns more effectively” while still encouraging investment in US businesses and workers.2

In addition to the historical focus on threats to US national security, recent CFIUS regulations implementing FIRRMA provide for heightened scrutiny of foreign investment in US companies involved in critical technologies, critical infrastructures, and the personal data of US nationals.

FIRRMA expands CFIUS’s jurisdiction, bridges several gaps that had created opportunities for exploitation by foreign investors, and creates a “declaration” process that may expedite certain filings while mandating declarations in certain instances3 for CFIUS compliance.

Key implications for companies involved in FDI

  • Expand all
  • Collapse All

CFIUS reviews in many FDI transactions seem likely to increase in number, scope, and complexity, with more mandatory filing requirements accompanying the historically voluntary filing regime.

More companies likely will be required to engage an independent external security monitor and a compliance auditor to monitor and assess adherence to government-mandated NSA terms stipulated as a condition to their specific FDI arrangement.

Because of CFIUS© emphasis on independent assessment of control measures, it can be expected that external consultants will be increasingly needed to assist IT departments and legal counsel in developing internal controls and security measures in response to CFIUS NSA requirements.

Our CFIUS consulting: How Deloitte can help

We are a leader in government and compliance monitoring services, and we offer specific CFIUS monitoring, NSA compliance assessments, independent third-party auditing, and consulting knowledge and experience.

We help our clients achieve timely and effective CFIUS compliance with detailed, complex, and multifaceted requirements that CFIUS NSAs typically entail. By integrating a range of disciplines from across the Deloitte network, we can assist in various ways:

  • Serving as an NSA-mandated independent security monitor
  • Assessing NSA compliance as an independent compliance auditor
  • Supporting corporate IT departments in developing the types of internal controls and security measures (controls catalog) required under a CFIUS NSA
  • Assessing existing CFIUS compliance programs, controls, and systems
  • Enhancing programs, controls, and systems in alignment with CFIUS requirements
  • Establishing monitoring, auditing, and testing programs for transparency to safeguard the company’s intellectual property, trade secrets, and reputation
  • Establishing robust incident management and internal investigation procedures for potential NSA breaches, designed to engender government and public trust

Back to top

green sphere

A fresh approach

For situations where we are not serving as the security monitor, we incorporate centralized, ongoing engagement and quality management throughout the phases of our CFIUS services, working with our clients to develop an approach that is:

  • Proactive. Identifying objectives and achievement factors up-front to guide CFIUS compliance activities.
  • Accelerated. Augmenting the company’s efforts to comply with the requirements with an objective, external perspective, beginning with easily customized compliance frameworks.
  • Strategic. Emphasizing services that not only consider CFIUS requirements, but also seek opportunities to leverage existing internal control processes and procedures for related business improvements and incremental process efficiencies.

Back to top

green sphere

The benefits of our CFIUS consulting approach

  • Expand all
  • Collapse All

Operating under a CFIUS-mandated NSA is often seen as disruptive, drawing company resources away from critical day-to-day business operations. We can help internal resources to perhaps better understand and attend to responsibilities and priorities associated with NSA requirements and staying compliant.

Areas of a company that are under monitoring and scrutiny can span multiple business divisions and geographies. Drawing upon one of the largest pools of professional resources in the world, Deloitte can bring to bear local resources and specialist experience to help clients address NSA compliance requirements and bring added transparency to key processes.

The considerable costs that can accompany a CFIUS-mandated NSA can be a source of ongoing frustration and friction. We bring insights into, and ways to derive, near- and long-term benefits that can help meet NSA compliance requirements and drive additional value for the business.

The Deloitte difference

Our mission is to help make the world more trustworthy, resilient, and secure. Our CFIUS consulting is set apart by:

  • Extensive experience assisting companies in translating CFIUS NSA requirements into practical plans: We assemble multidisciplinary teams of regulatory, compliance, and controls specialists who understand the importance and significance of the broad scope of CFIUS compliance standards.
  • Technical experience in testing high-risk areas such as legal and regulatory compliance regarding third-party relations, audit reports, and service agreements: We place heavy emphasis on practices, policies, and processes for monitoring the controls that can lead to implementation and operating effectiveness.
  • Compliance strategy for testing key information security and governance controls regarding data management, data ownership, and cybersecurity: We bring familiarity with recent developments in keeping intellectual property and source code secure and protected.
  • Cross-industry insights from our extensive post-merger integration work: We support our clients in a variety of industries within the United States and internationally.
  • Boots on the ground and rapid response capabilities to help address time-sensitive requirements and assist in virtually any location around the world.
  • Trusted adviser status, working with our clients to identify opportunities to enhance business controls and processes to maintain compliance with CFIUS-mandated NSA requirements.

Back to top

green sphere

Learn more about how Deloitte can help you and your company operating under CFIUS NSA arrangements and leverage opportunities to improve the business as part of the process.

References

1 2015 FDI – $482 billion; 2016 – $486 billion; 2017 – $292 billion; and 2018 – $268 billion, according to OFII, “Foreign Direct Investment in the United States 2019,” https://ofii-docs.ofii.org/dmfile/FDIUS-2019-Report.pdf.

2 US Department of the Treasury, "The Committee on Foreign Investment in the United States," https://home.treasury.gov/policy-issues/international/the-committee-on-foreign-investment-in-the-united-states-cfius.

3 Jalinous, Mildorf, Schomig, and Sowerby, White & Case, 12-27-2019, “Foreign direct investment reviews 2019: United States,” https://www.whitecase.com/publications/insight/foreign-directinvestment-reviews-2019-united-states.

Did you find this useful?