Developments in U.S. Sanctions and Foreign Investment Regulatory Regimes

January 11, 2021


Economic Sanctions: Developments and Considerations


The new year comes in the midst of an evolving landscape for economic sanctions, including the transition away from a U.S. administration that has relied on tightening economic sanctions as a key component of a number of foreign policy initiatives. In 2021, boards of directors should be aware of the ongoing implementation of new China-related sanctions, sanctions risks relating to ransomware attacks and the potential sanctions implications of foreign-policy shifts by the incoming Biden administration.

China-Related Sanctions

The latter half of 2020 witnessed a flurry of new sanctions relating to China and Hong Kong. In July, President Trump signed into law the Hong Kong Autonomy Act (HKAA), which authorizes blocking sanctions against individuals and entities determined to “materially contribute” to the erosion of Hong Kong’s autonomy. The HKAA further authorizes secondary sanctions, including the imposition of blocking sanctions, against foreign financial institutions that knowingly conduct a significant transaction with foreign persons sanctioned under this authority.

In parallel with the HKAA, President Trump issued Executive Order 13936 eliminating differential treatment for Hong Kong. Among a number of other changes to U.S. policy toward Hong Kong, the executive order authorizes the imposition of sanctions on parties engaged in a number of activities, including developing, adopting or implementing the Law of the People’s Republic of China on Safeguarding National Security in the Hong Kong Administrative Region. It also authorizes the imposition of sanctions on parties engaged in actions relating to the undermining of democracy or autonomy, censorship or serious human rights abuses in Hong Kong. To date, direct U.S. sanctions on China have been narrow and targeted at specific parties.

In addition, in November 2020 President Trump issued Executive Order 13959, which, following an initial grace period, prohibits U.S. persons from engaging in transactions in publicly traded securities (debt or equity) issued by companies that the U.S. government designates as tied to the Chinese military, as well as in any securities linked (in an undefined manner) to those targeted Chinese securities. Beginning January 11, 2021, transactions by U.S. persons in listed securities of designated entities, or derivatives or securities “designed to provide economic exposure” to such listed securities, are prohibited unless made to divest, in whole or in part, securities held by U.S. persons as of that date (in which case they are permitted until November 11, 2021). The executive order raises a number of yet unanswered questions regarding scope and implementation. Boards of companies with exposure to any of the listed entities – which include a number of multinational Chinese state-owned enterprises and companies listed on stock exchanges around the world – should continue to monitor developments and future guidance.

Sanctions Considerations Associated With Ransomware Attacks

As the number of ransomware attacks grows, boards, and risk, crisis and cybersecurity committees in particular, should be aware of the sanctions risks associated with making or facilitating cyber-ransom payments. In September 2020, the U.S. Department of the Treasury, Office of Foreign Assets Control (OFAC) issued an advisory highlighting the issue and confirming that OFAC may pursue enforcement actions against ransomware payments that violate U.S. sanctions, including payments within U.S. jurisdiction involving sanctioned countries/territories (Crimea, Cuba, Iran, North Korea and Syria) or parties.

The OFAC advisory further recommends the development of adequate risk-based compliance programs and the reporting of ransomware attacks and suspicious activity to authorities. Boards should thus ensure that cyber-incident response plans include consideration of potential legal liabilities in any risk assessment for engaging with an attacker.

Boards also should consider the advantages and implications of engaging with government authorities both before and after making a payment to a potentially sanctioned ransomware attacker. While companies are not affirmatively obligated to report potential sanctions violations to the government, law enforcement agencies may be able to provide support, including information potentially relevant to an attacker’s identity. Although engagement with authorities may delay payment and result in prolonged business disruptions, early engagement with the U.S. government and a good faith effort to confirm whether an attacker is a sanctions target could reduce the likelihood of an enforcement action if it is later determined that the attacker was sanctioned.

Sanctions Outlook

Boards should anticipate the possibility of significant changes in sanctions policy under the incoming Biden administration, most notably with respect to China. While sanctions aimed at individual Chinese military and political leaders have more political than economic impact, there are three areas that could have significant economic impact:

  • Additional Xinjiang-focused sanctions, which could impose difficult and burdensome diligence requirements on Chinese supply chains;
  • Furthering restrictions on the use of Chinese products and suppliers in information and communications technology in the United States; and
  • The new administration’s treatment of new U.S. trading restrictions on Chinese military-linked companies, which, depending on the clarifying guidance, could disrupt non-U.S. investment markets as well by targeting indirect transactions involving affected securities.

In other jurisdictions, a new nuclear deal with Iran may roll back secondary sanctions targeting transactions outside U.S. jurisdiction. While enforcement of existing Russia sanctions continued under the Trump administration, it is possible that the Alexei Navalny poisoning and a scheduled post-election evaluation could lead to expanded sanctions. Cuba policy may revert to the slightly more liberal approach that we saw under the Obama administration, but statutory restrictions limit the possibility of fundamental change. Finally, Venezuelan sanctions policy has generally been unsuccessful, but in the absence of meaningful change or alternatives (neither of which is in evidence), inertia may result in changes being limited to the margins.

CFIUS Reforms Fully Implemented and Expanded


In 2021, boards of directors will continue to face a complicated landscape in reviews of foreign investment by the Committee on Foreign Investment in the United States (CFIUS), particularly in light of some key developments during 2020.

In February 2020, regulations became effective implementing most of the provisions of the Foreign Investment Risk Review Modernization Act of 2018 (FIRRMA), which updated the statute authorizing CFIUS review of foreign investment.[1] The regulations largely tracked the September 2019 proposed regulations to implement FIRRMA’s expansion of CFIUS jurisdiction. FIRRMA and the final regulations codified existing CFIUS practice as it has evolved in recent years, particularly with respect to a focus on U.S. businesses involving critical technologies, critical infrastructure and sensitive personal data, and added a limited mandatory filing regime.

Since the final regulations became effective, there have been a number of key developments.

On October 15, 2020, the U.S. Department of the Treasury final rule (the Critical Technology Rule)[2] went into effect, significantly changing the scope of the CFIUS mandatory notification requirement for foreign investments in U.S. critical technology businesses and expanding it to investments in all industries. The Critical Technology Rule eliminates the then-existing limitation of mandatory notifications to targets active in specified industries and instead focuses on whether the target develops, tests or manufactures technologies that would require a license for export – whether or not the technologies are in fact exported or sold to third parties (e.g., proprietary manufacturing technologies) – to the jurisdiction of the investor and any entity in its chain of ownership, effectively creating different mandatory notification requirements for different countries.

In addition, during 2020, the U.S. Department of Commerce, Bureau of Industry and Security (BIS) took steps in furtherance of the incremental and deliberative process of identifying “emerging and foundational” technologies pursuant to the Export Control Reform Act of 2018.[3] In particular, BIS identified a number of emerging technologies and issued an advance notice of proposed rulemaking requesting public comment on the definition of, and criteria for identifying, foundational technologies that are essential to U.S. national security and should be subject to more stringent export controls. The identified emerging technologies are, and technologies designated as emerging or foundational in the future will be, considered critical technologies for purposes of the CFIUS mandatory notification requirement. The steps taken by BIS during 2020 appear to signal that BIS intends to focus on proposing new controls in multilateral fora, such as the Wassenaar Arrangement and the Australia Group, rather than rapidly imposing new unilateral controls. We expect the process of identifying emerging and foundational technologies will continue in 2021 under the Biden administration.

Further, effective May 1, 2020, CFIUS now assesses tiered filing fees for notifications based on the value of the notified transaction, ranging from no fee for transactions valued at less than $500,000 to a fee of $300,000 for transactions valued at greater than $750 million. Payment must be received by Treasury before CFIUS accepts a notification for review. Submission of a short-form declaration – either in response to CFIUS’s new mandatory notification requirements or voluntarily – will not require payment of a filing fee.[4]

We do not expect significant changes to CFIUS under the Biden administration. Instead, CFIUS will continue to review transactions involving foreign investors to evaluate the impact such transactions could have on U.S. national security. CFIUS largely is staffed and the process is led by career civil servants and the professional national security community, not political appointees, so a change in administration does not typically lead to significant change in approach. Broad themes of CFIUS concern, including technology transfer in the semiconductor space, network security and cybersecurity and access to personal data, predated the Trump administration and will continue. Also, although the current trade war between the United States and China may subside under the Biden administration, we expect that Chinese investments into the United States will remain subject to the highest level of CFIUS scrutiny.

In 2021, boards should continue to identify the advisability or requirement to file a notification with CFIUS early in a transaction. To the extent a transaction does not trigger a mandatory notification, boards also should continue to assess the benefits and risks of voluntarily filing with CFIUS and consider structuring investments and acquisitions to mitigate CFIUS scrutiny. Further, boards should be aware that CFIUS continues to devote significant resources to identifying and investigating transactions that are not voluntarily notified. Finally, boards should continue to bear in mind CFIUS risk as a potential constraint on strategic exits for both existing and new investments.

Global Foreign Direct Investment Review Landscape Expands and Evolves


In 2021, boards of directors will face an expanding and evolving global foreign direct investment (FDI) landscape requiring that multinational transactions undergo multijurisdictional FDI reviews alongside multijurisdictional merger control reviews.

The jurisdictional thresholds, review timelines and other aspects of FDI reviews vary, sometimes significantly, by country. FDI review analyses are often also subjective and driven by factors of interest to a particular country. For example, some FDI review regimes, such as the Investment Canada Act, take economic considerations into account, whereas others, such as the Committee on Foreign Investment in the United States (CFIUS), do not and focus only on national security or national interest. National security reviews typically, but not always, focus on investments in companies that develop and manufacture sensitive export-controlled products, companies that supply products used in defense applications, companies active in critical infrastructure and companies that collect and maintain sensitive data.

Some recent FDI-related developments can be attributed to the COVID-19 pandemic, such as Australia’s Foreign Investment Review Board lowering the monetary threshold for FDI review to zero (thereby subjecting all foreign investment to review), India requiring government approval for investments from China and other neighboring countries and the focus on foreign investments in the healthcare/medical sectors and essential supply chains. Other developments, particularly in Europe, occurred independent of the pandemic and, much like CFIUS, tightened restrictions focused on protecting national interest and national security. On the other hand, developments in countries such as China and the UAE[5] are intended to relax existing foreign investment restrictions and encourage foreign investment in previously restricted sectors.

Below are examples of key European FDI-related developments during 2020, which occurred in parallel with significant reforms to the CFIUS regime in the United States:

  • European Union. On October 11, 2020, Regulation (EU) 2019/452 took full effect.[6] The regulation does not provide the European Commission with the ability to veto investments, but instead sets forth a common framework for FDI reviews to be undertaken by individual EU member states and seeks to increase cooperation among member states.
  • France. Under new rules that extended and clarified the scope of the French FDI review regime, which entered into force in April 2020,[7] transactions subject to foreign investment control in France include acquisitions by non-French investors of a controlling interest in (or all or part of a line of business of) a French entity operating in certain sensitive sectors, including defense, critical infrastructure, protection of public health, media and key technologies, such as biotechnologies. In addition, direct or indirect acquisitions by a non-EU/EEA investor of at least 25% of the voting rights in such an entity are subject to FDI review. In response to the pandemic, the French government lowered the threshold for foreign investments in French-listed companies active in sensitive sectors from 25% to 10% for non-EU/EEA investors until December 31, 2020.
  • Germany. During 2020, Germany updated its FDI review regime for the third time since 2017.[8] The latest changes resulted in a stricter FDI regime by, for example, expanding the scope of transactions subject to a mandatory notification in the healthcare sector and requiring FDI clearance before transactions can be closed. The German government can intervene if a non-EU/EFTA investor directly or indirectly acquires at least 10% of a German entity active in certain sensitive sectors (e.g., critical infrastructure, key technologies and healthcare), or 25% of any other German entity, and, in both scenarios, the transaction is likely to affect the public order or security of Germany, of another EU Member State, or certain projects of EU interest. The German government also can intervene if any foreign investor, directly or indirectly, acquires at least 10% of a German entity active in the defense or cryptography sectors and the transaction endangers essential security interests of Germany. Further revisions of the German FDI review to align with the EU regulation are currently contemplated by the German government. These changes will specifically address advanced technologies.
  • United Kingdom. On November 11, 2020, the UK government proposed a new national security screening regime that would allow the government to intervene in “potentially hostile” foreign investments that threaten UK national security while “ensuring the UK remains a global champion of free trade and an attractive place to invest.”[9] If approved by the UK Parliament without changes, the UK would have a mandatory and suspensory CFIUS-like regime. We expect the new regime will come into force in the first half of 2021, assuming it receives parliamentary approval. The sectors expected to fall within the mandatory notification regime include advanced technologies such as artificial intelligence and quantum computing, critical suppliers to the UK government, satellite and space and critical national infrastructure (military, defense, energy and communications).

The global FDI review landscape likely will continue to expand and evolve during 2021. As a result, boards should ensure that multinational transactions are undergoing multijurisdictional FDI review analyses before closing, and even earlier on in a transaction involving sensitive countries or industries. Such reviews often can be undertaken in parallel with multijurisdictional merger control reviews.

[1] For additional details on the regulations, see our January Alert Memo here.

[2] For additional details on the Critical Technology Rule, see our September Alert Memo here.

[3] For additional details on these developments, see our August Alert Memo here and our October Alert Memo here.

[4] Parties may now choose to submit an abbreviated declaration for any transaction, although they may not receive a clearance providing a safe harbor from future CFIUS review in response.

[5] For additional details, see our November Alert Memo here.

[6] For additional details, see our October Alert Memo here.

[7] For additional details on the French FDI rules, see our March blog post here.

[8] For additional details, see our June blog post here.

[9] For additional details, see our November Alert Memo here.