CFIUS: Is the Known Investor Program the golden ticket for investors?

Policy and procedural changes by the current US administration are improving the environment for foreign investment into the United States compared to the prior administration. This started with the America First Investment Policy (AFIP), which signaled the administration’s early commitment to facilitating investment, including investment by allies into sensitive technologies, and was followed by noticeable changes in practice by the Committee on Foreign Investment in the United States (CFIUS) – including more targeted mitigation agreements and improved review timelines—and then the appointment of a new Assistant Secretary who has consistently signaled a commitment to a more efficient CFIUS process.

Therefore, aside from the decision (which we think was not compelled by law) by CFIUS not to start any new cases during the prolonged US government shutdown due to the lack of funding for one member agency (the effects of which parties may still feel for several months), there is reason for optimism.

CFIUS has undertaken multiple initiatives in an effort to translate the rhetoric into action. We focus here on two of these initiatives – still in the works – that have the potential to be the most consequential by reducing the barriers to investment consistent with US national security interests. The first is the development of the Known Investor Program, a pilot program that in its current form resembles political theater but, if CFIUS has the will, has the potential to become a significant improvement in the CFIUS process. The second is the idea of establishing pre-certified technology risk protocols that function essentially like pre-packaged mitigation that parties can offer to smooth the path to rapid CFIUS clearance of transactions in appropriate instances.

Known Investor Program – Needs a Major Rethink

The AFIP touted a “fast track” program for certain investors. Treasury translated this into a “Known Investor Program” (KIP) that it began piloting last year, offering the opportunity for investors to complete an extensive questionnaire that ostensibly would help CFIUS be better positioned to review any transactions that the investor filed. The particulars of the KIP, including eligibility and how it would benefit an investor, however, were unclear.

CFIUS, however, has signaled its intent to roll out the KIP more broadly, formally seeking public input earlier this year and since then holding it out as a priority. (See Freshfields’ comment letter on the KIP).

CFIUS has an opportunity to give the KIP real meaning. But it would not be the program that CFIUS has thus far described publicly. The burden of assembling, certifying, disclosing, and continually updating the extensive and highly sensitive information that is required to participate in the program could be significant, going well beyond the level of disclosure required in most CFIUS processes.  And it is only proposed to be available to foreign investors that have submitted at least three transactions to CFIUS for review in the prior three years. In the KIP’s current form, it is very likely that the burden of participation will not be commensurate with the benefit that the investor is likely to receive.

Does the stated benefit actually deliver value for investors? Treasury has said that, in return for the extensive disclosure provided by an investor, the KIP would allow CFIUS to front-load the analysis for repeat foreign investors, thus allowing for more efficient reviews once a new transaction comes before CFIUS.

But how much additional efficiency will there really be if, as Treasury has stated, the KIP will not replace CFIUS’s case-by-case analysis, offer preapprovals, or even guarantee conclusion without need for a withdraw/refile? At best, KIP participants may marginally reduce the likelihood that their filing requires a Phase 2 investigation driven by the need for additional CFIUS due diligence. Otherwise, KIP participants face the same odds of receiving mitigation as they would have if they did not participate.

Moreover, how will additional disclosure actually benefit a repeat investor? As a repeat investor, the investor will already be well-known to the Committee. This is why, when a repeat investor comes again to the Committee, the focus is more on the unique considerations presented with a given target. Indeed, this approach was written into the 2018 CFIUS law, which permitted the Office of the Director of National Intelligence to independently publish a threat report within the first few weeks of a case for a repeat investor, in lieu of coordinating a threat report with the more than a dozen intelligence agencies that provide input into the threat analysis for new investors, a much more time- and labor-intensive process that takes 30 days.

Ironically, the investors that would most benefit from front-loading CFIUS’s understanding of the investor –  those that have never filed with CFIUS before –  would not be eligible to participate in KIP because it requires the investor to have made multiple filings in preceding years.

Is demonstrating distance from China—the real key to KIP entry – worth the cost for investors who need it the most? The other purpose is to give investors an opportunity to show that they have distanced themselves from adversaries. If an investor’s responses to the KIP questionnaire show that the investor has extensive investments in sensitive areas in China, that the investor engages in critical R&D or manufacturing in China, or that the investor is critically dependent on China as a market, or is otherwise vulnerable to pressure from China, then the investor is likely to have a difficult time realizing any benefits from the KIP, notwithstanding having provided an enormous amount of disclosure to the Committee.  Many investors are trying to steer a middle path in this bipolar geopolitical environment. Treasury would like to hold entry into the KIP out as an incentive for companies to consciously decide to tilt towards the US market and away from China. The problem, however, is that the benefit that CFIUS offers through the KIP (moving through the process marginally faster on non-sensitive transactions) may not be worth the commercial and geopolitical risk investors may incur by abandoning a middle path. And for investors that are already keeping their distance from China, those investors likely already capture any incremental timing advantage that distance provides, raising the question of what additional value KIP participation would offer them.

CFIUS can provide a benefit that will justify participation and enhance national security.  CFIUS should afford approved Known Investors a form of excepted-investor treatment. Under the current rules, a narrow band of investors from Australia, Canada, New Zealand, and the United Kingdom (“excepted investors”), are exempted from non-control (“covered investment”) jurisdiction, real estate jurisdiction, and mandatory filing requirements. Affording investors who qualify through the KIP a status similar to that of excepted investors would be a strong incentive for investors to accept the resource and disclosure costs of participating in the program and to change corporate strategy as it relates to China.

Extending such benefits to KIP participants is well-founded from a national security perspective insofar as the KIP would involve an individualized threat determination based on investor-specific information, prior CFIUS experience, and US government threat analysis, as opposed to relying principally on country-level assumptions as a proxy for threat, like the current excepted-investor framework. CFIUS could establish a two-tier system that builds on the existing approach: the current regime would remain for investors that currently qualify as an excepted investor, while a second tier would extend benefits to approved Known Investors from a wider set of US allied and partner nations.

This framework would align with the AFIP by allowing trusted foreign investors to deploy capital to US businesses more quickly and by reducing the number of filings that CFIUS must review. This outcome would benefit CFIUS, foreign investors, and US businesses alike – including both start-ups and well-established businesses.

Vulnerability Protection Protocols – Pre-packaged mitigation could be a win-win

In recent public remarks, Treasury signaled that it is working on developing technology risk mitigation protocols that parties could certify to at the time of filing, with the goal of enabling a more efficient review. Beyond that, Treasury has not elaborated on what the program would look like in practice. It is, however, a potentially valuable initiative – and one that, if implemented thoughtfully, addresses a structural feature of the current CFIUS process that creates real friction for investors.

CFIUS analysis has been increasingly driven by vulnerability – or target sensitivity – assessment. In recent years, CFIUS has increasingly focused not only on whether a foreign investor is itself a threat, but on whether the transaction creates or amplifies vulnerabilities in the US business that any foreign investor – even one not identified as a threat – might inadvertently expose. The concern is often not malicious intent but rather ordinary business decisions that a foreign-owned or foreign-influenced company might make – decisions about where data is stored, which vendors are used, how IT systems are integrated – that could, in CFIUS's view, create risk. This means that even investors with a clean threat profile can find themselves subject to mitigation requirements driven entirely by the characteristics of the target business.

This is where pre-certified protocols offer the greatest potential. If the risk that CFIUS perceives is not a function of adversarial intent but of operational and structural vulnerabilities – the same types of vulnerabilities that exist across industry more broadly – then those risks are, by definition, more readily addressed by industry best practices than by bespoke, negotiated mitigation agreements. An investor and target that can demonstrate at the time of filing that they have already implemented the relevant controls are, in a meaningful sense, self-mitigating the very risk CFIUS would otherwise spend weeks or months investigating and, in some cases, negotiating to address.

While Treasury framed this initiative in terms of technology risk – and there are natural applications across a range of technology areas, including AI systems, semiconductor-related businesses, and cybersecurity software – the underlying logic extends beyond technology transactions. Critical infrastructure investments present similarly defined and well-understood vulnerability profiles, and are equally amenable to a protocol-based approach.

In most cases, the target would need to certify to the relevant protocols, since the vulnerabilities CFIUS is concerned about are primarily characteristics of the US business. But where the transaction involves integration of the target into the acquirer – including connection of IT systems, shared services, or a merger of operations – the acquirer may need to certify as well.

Given the vulnerability-focused nature of the risk, the ideal solution (both from a fairness perspective for the parties and from a national security perspective more generally) is promulgation of law or regulation that resolves such vulnerabilities on an industry-wide basis. However, in practice, that is not likely to happen reliably and does not address the CFIUS’s need in the context of a particular transaction to address the risk before it. Reliance upon standardized risk mitigation protocols is the next best option.

CFIUS should lean on existing industry standards. On the question of what protocols CFIUS should require parties to certify to, the answer should, to the maximum extent possible, be existing, published industry-standard frameworks rather than CFIUS-developed ones. This is not merely a matter of convenience. Industry-standard protocols have been tested in practice, are well understood by companies and their advisors, have established auditing infrastructure, and do not require negotiation in the context of a particular transaction – which is what this initiative presumably is intended to avoid. There will be circumstances where a custom, CFIUS-published protocol is appropriate for risks that do not map cleanly onto existing standards, but those should be the exception.

The offered benefit should be a more defined path to clearance. The most practical path would be an internal CFIUS policy establishing that it will clear a transaction on a Declaration – or clear a Notice at the review stage without proceeding to investigation – where it concludes that the investor presents a low threat and the relevant parties have certified to the applicable protocols. Participants in the KIP would have the significant advantage of entering any given transaction already knowing that CFIUS views them as a low-threat investor, positioning them to take full advantage of the protocol certification pathway from the outset. That combination – confirmed low-threat status plus pre-certified vulnerability mitigation – is precisely what an expedited clearance framework should reward. Publishing template National Security Agreements and standard mitigation provisions alongside these protocols would further reinforce the framework, giving parties greater certainty and reducing the need to withdraw and refile notices solely to accommodate mitigation negotiations.

With thanks to Freshfields Christine Laciak, Aimen Mir, Brian Reissaus, Colin Costello and Andrew Gabel for their contributions to this update.