Michael Rose (michael.rose@us.gt.com) is a Partner and a leader of Grant Thornton LLP’s National Governance Risk and Compliance practice in Philadelphia, Pennsylvania, USA. Steve Siemborski (ssiemborski@calfeesolutions.com) is Managing Director at Calfee Strategic Solutions in Washington, DC.
This is the third of a three-part series on complying with the new law on foreign investment in the US. In this article, we describe how a sustainable CFIUS compliance function might be established using the Three Lines of Defense model.
CFIUS history
The Committee on Foreign Investment in the United States (CFIUS) reviews transactions of direct foreign investment in a US entity for national security risks. This review addresses the risk that critical technology, intellectual property, critical infrastructure, or personal identifiable information might be transferred outside of the US as a result of investment or control by a foreign entity. The Foreign Investment Risk Review Modernization Act of 2018 (FIRRMA or the Act) expanded CFIUS oversight, nearly doubling the list of national security factors for CFIUS to consider in its risk reviews.[1] As a result, US companies considering investments from foreign entities and foreign corporations looking to invest in the US should prepare for a significant CFIUS review process and ongoing compliance requirements.
Compliance requirements
As part of the foreign investment review and approval process, in situations where a national security threat could exist, a National Security Agreement (NSA) is entered into between the acquirer, acquiree, and CFIUS. The NSA sets out the terms/provisions on which the transaction will be permitted. The NSA can be broad and include a wide range of conditions, which depend on the security risk of the transaction. Examples of some provisions that have been included in NSAs are:
- Appointment of a third-party monitor.
- Requirement of an internal security officer and security director.
- Control must reside in the US company.
- Communications infrastructure must be located largely or exclusively in the US.
- Transaction data related to domestic communications is stored largely or exclusively in the US.
- US customers’ records and data are stored largely or exclusively in the US.
- Outsourcing to non-US entities is restricted or prohibited (unless part of an agreement with the Department of Homeland Security).
- Guarantee that any third-party contractor performing a function covered by the NSA will comply with its terms.
- US government inspections of US-based facilities.
- US government interviews of US-based personnel on very short notice.
To meet any required NSA provisions, the acquirer and acquiree agree with the relevant CFIUS departments (Treasury, Commerce, Homeland Security, etc.) to design, implement, and operate certain compliance policies, procedures, and controls, and to provide evidence that the provisions of the NSA are being met.
The Three Lines of Defense
The Three Lines of Defense (3LD) model for effective risk management and control could be the foundation for sustained compliance with the provisions defined in the NSA. The 3LD model has its genesis in Basel II created more than a decade ago for the UK and European banking industry.[2] It is widely accepted as a leading framework.
The Institute of Internal Auditors (IIA) defines the Three Lines of Defense as:
- Functions that own and manage risks.
- Functions that oversee risks and compliance.
- Functions that provide independent assurance.
The 3LD model “provides a fresh look at operations, helping to assure the ongoing success of risk management initiatives, and it is appropriate for any organization — regardless of size or complexity,” according to the IIA.[3]
First line of defense: Operational management
Process owners within the acquirer and acquiree are the first line of defense. Operational departments such as manufacturing, sales, accounting, etc. and their managers need to be aware of how their processes affect NSA compliance responsibilities. This line of defense owns and manages the risks. As such, it is responsible for making any changes or modifications in processes or policies to reduce or eliminate risks that are outlined in the NSA. This may include taking corrective action and/or developing policies and controls to be implemented and followed by the operational departments.
Second line of defense: Risk management/compliance function
Internal risk management and compliance functions are put in place by management and have the responsibility to oversee risks. In many companies, this is the primary line of defense, but in the 3LD model, each of the lines should work together, with the risk management/compliance function providing an overall framework for risk management and compliance. Under an NSA, the individual provisions may be overseen by multiple risk management policies and overseers, which could include a formal risk management department; a management or board of directors’ risk committee; and a compliance function that assesses and monitors contract, financial, health and safety, supply chain, environmental, and other risks — in addition to quality monitoring. The compliance function could oversee the readiness phase of implementing the policies and procedures, train the operating departments, and oversee compliance with the NSA provisions.
Third line of defense: Internal audit
Internal audit provides a level of independent assurance to the governing board that risks are being avoided or mitigated. Internal auditors provide independence and objectivity. They also examine the effectiveness of governance, risk management, compliance and internal controls, including the manner in which the first and second lines of defense achieve risk management and control objectives. The third line of defense is important for any organization, regardless of size. For smaller organizations where there is no internal audit department, this critical function can be outsourced to a third party. The internal audit department might be in a position to provide independent assurance that NSA provisions are being adhered to in lieu of an independent entity.
Conclusion
Companies operating under an NSA should take compliance very seriously. The 3LD model provides an excellent way to meet compliance responsibilities. Best practices for compliance include:
- Risk and control processes should be structured in accordance with the Three Lines of Defense model.
- Each line of defense should be supported by appropriate policies, procedures, and role definitions.
- There should be proper coordination among the separate lines of defense to foster efficiency and effectiveness.
- Risk and control functions operating at the different lines should appropriately share knowledge and information to assist all functions in better accomplishing their roles in an efficient manner.
- Lines of defense should not be combined in a manner that compromises their effectiveness. Rather, sufficient layers are needed to achieve full compliance with the provisions of the NSA.[4]
Takeaways
- The Three Lines of Defense model could be an excellent foundation for establishing a sustainable program of compliance required by the National Security Agreement (NSA).
- The Three Lines of Defense model centers on the functions that (1) own and manage risks, (2) oversee risks and compliance, and (3) provide independent assurance.
- Each line of defense should be supported by appropriate policies, procedures, and role definitions.
- Committee on Foreign Investment in the United States transaction participants can be required to have a monitor provide the annual audit/monitoring report demonstrating compliance with the NSA.
- Preparation/readiness will pave the way for a smoother compliance process, if handled proactively.