CFIUS and Encryption Software – Resolving Whether a CFIUS Filing Is Mandatory

November.01.2021

Introduction

Every week, scores of U.S. companies are sold to foreign investors or execute equity financing transactions involving foreign investors. Parties to these transactions must assess whether they are legally required to file with the Committee on Foreign Investment in the United States (CFIUS) regarding the transactions. In many cases, the assessment boils down to whether there is a CFIUS filing requirement by virtue of the export control status of the U.S. company’s software with encryption functionality.

This article describes how parties can resolve whether a U.S. company’s design, development or testing of encryption software can give rise to a CFIUS filing requirement in the context of foreign investment in or a foreign acquisition of the U.S. company.

Circumstances in Which Critical Technology Renders CFIUS Filing Mandatory

CFIUS is a cabinet-level federal body that assesses whether foreign investment transactions present a national security risk. It supports the president’s administration of Defense Production Act provisions that authorize the president to block foreign investment transactions or order divestment to address national security concerns.

The president and CFIUS have authority to examine and, to protect U.S. security, disturb certain types of “covered transactions”:

transactions that could result in a foreign person gaining control over a U.S. business; and
investments that could provide a foreign person certain types of corporate governance rights (“triggering rights”) regarding a U.S. business if the U.S. business is connected in specified ways to a so-called “critical technology” or other types of security-sensitive factors.^[1]

Ordinarily, the Defense Production Act does not require parties to covered transactions to submit filings with CFIUS about the transactions. The statute does, however, generally require parties to file with CFIUS regarding a foreign person’s investment in a U.S. business if:

the transaction could result in the foreign person controlling the U.S. business or providing the foreign person “triggering rights” regarding the U.S. business; and
the U.S. business produces, designs, tests, manufactures, fabricates or develops one or more “critical technologies” for which a U.S. government authorization would be required for supply of the critical technology to the principal place of business of the foreign person or certain types of its affiliates.^[2]

Given this potential CFIUS filing requirement, it is often important to resolve whether a U.S. company that is the subject of an equity financing or other type of investment transaction produces, designs, tests, manufactures, fabricates or develops one or more critical technologies if any investment in the U.S. company will be from a foreign person. A critical technology is an item—such as a good, service, substance, material, software program or item of technical know-how—that falls into one of the following categories:

commodities, software and technology that are on the Export Administration Regulations (EAR) “Commerce Control List” and that are, in general, export controlled for a reason other than merely anti-terrorism considerations;^[3]
defense articles and defense services on the International Traffic in Arms Regulations (ITAR) “U.S. Munitions List”;
specially designed and prepared nuclear equipment, parts and components, materials, software and technology covered by Energy Department regulations regarding assistance to foreign atomic energy activities;
nuclear facilities, equipment and material covered by Energy Department regulations regarding exports and imports of nuclear equipment and material; and
items that are controlled under the federal “select agents and toxins” program.

It is important, then, for parties to foreign investment transactions to know or learn whether products and other items that the U.S. target designs, develops, produces or tests fall into one of these categories of critical technologies. Depending on the circumstances, the parties’ critical technology assessment may need to account for more than one of the categories. Commonly, though, the central, and sometimes only, question is whether one or more items are on the EAR Commerce Control List and fall into an export control classification number that is subject to more than just anti-terrorism controls.

A critical technology can give rise to a CFIUS filing requirement notwithstanding that the U.S. investment target has never exported and has no plans to export the critical technology. Consequently, the parties need to account for all items that the U.S. investment target designs, develops, produces or tests regardless of whether the investment target exports the items.

Encryption Software that Qualifies as Critical Technology and Gives Rise to CFIUS Filing Requirement

This critical technology assessment can be especially important for the thousands of U.S. companies that develop software—either to sell as products or to deploy in support of their businesses. A common example is “software as a service” (SaaS) companies. SaaS companies develop and administer software platforms that ordinarily have encryption functionality but are not exported.

Among software programs that qualify as “critical technology” are those that are classified in EAR export control classification number (ECCN) 5D002. ECCN 5D002 covers “encryption software,” meaning certain types of software that are capable of encrypting or decrypting information. ECCN 5D002 often covers programs for which encryption functionality is not the program’s purpose. Furthermore, ECCN 5D002 can cover programs that do not incorporate encryption algorithms. ECCN 5D002 programs might be designed to “call” encryption algorithms from open-source internet sites.

There are a variety of bases on which encryption software may not fall into ECCN 5D002. Encryption software does not fall into ECCN 5D002 and ordinarily is not a critical technology if:

it is an open-source program (meaning the software’s source code is available for examination or download from the internet or some other public source without restriction);^[4]
its primary function or set of functions is other than computing, networking, communication or information security, and the program’s encryption functionality is limited to supporting its primary function or set of functions;
it qualifies as a “mass market” item; or
it falls into any of a variety of other exceptions, e.g., banking software.

As indicated above, ECCN 5D002 software programs are a form of critical technology. And the EAR control exports of 5D002 programs to every country except for Canada. But, subject to conditions and restrictions, EAR License Exception ENC generally authorizes most exports of 5D002 programs to most parties throughout the world. And, crucially, CFIUS regulations establish that 5D002 software, although a critical technology, does not give rise to a CFIUS filing requirement if ENC § (b) authorizes its export to the principal place of business of the foreign investor and certain types of its affiliates.

The License Exception ENC-coverage exception normally establishes that a U.S. investment target’s design, development, production or testing of an ECCN 5D002 encryption software program does not give rise to a CFIUS filing requirement. License Exception ENC § (b)(1) authorizes most exports of 5D002 encryption software with no need for advance interaction with export control regulators. For some types of 5D002 encryption software, however—including all 5D002 source code—ENC exporting authorization requires prior submission of a “classification request” to Commerce Department export control regulators.

If a company develops an encryption software program, it probably develops the program’s source code. The Commerce Department considers a company to develop encryption source code even if the company does not develop any component of the program’s encryption functionality. If a company develops software with encryption functionality (e.g., software that calls upon encryption), then the company develops encryption source code for purposes of the EAR.

Companies do not often export source code for software products or business platforms. Again, however, whether an investment target actually exports the encryption software is irrelevant to the CFIUS filing requirement assessment. Consequently, that a company develops 5D002 encryption source code ordinarily means that the investment target must submit a classification request to the Commerce Department to establish that ENC authorization is available for the source code such that there is no CFIUS filing requirement.

If a classification request is needed, in general, License Exception ENC authorizes a company to export 5D002 encryption software to non-embargoed locations immediately on the company’s submission of the classification request to the Commerce Department. Accordingly, parties to a foreign investment transaction are ordinarily free to close the transaction without a CFIUS filing immediately after the target submits a classification request to the Commerce Department.

There are exceptions to this general rule, however. The ENC authorization would not immediately cover exports of the encryption source code to government end users but, instead, would be available for exports to government end users 30 days following submission of the classification request. If, then, a foreign investor or covered affiliate is a government end user, the parties to the investment transaction might have to wait 30 days after submission of the classification request to close the transaction to ensure that there is no mandatory CFIUS filing.

Likewise, for other specialized encryption software listed at ENC § (b)(2) and (b)(3), the authorization would not immediately cover exports to end users that are located outside of a list of “favorable treatment” countries at EAR Part 740, Supplement 3. In general, the authorization would be available for exports of such specialized encryption software to non-favorable treatment countries 30 days following a target company’s submission of a classification request. If, then, a foreign investor or covered affiliate is in a non-favorable treatment country and the target company works with specialized encryption software covered by ENC § (b)(2) or (b)(3), then the parties to the investment transaction might have to wait 30 days after submission of the classification request to ensure that there is no mandatory CFIUS filing.^[5]

Steps to Resolve Whether Encryption Software Gives Rise to a CFIUS Filing Requirement

In sum, then, if a foreign investment transaction involves other criteria that could lead to a CFIUS filing requirement (foreign investor control over or triggering rights regarding the U.S. target company), parties to the transaction should ordinarily take the following steps to resolve whether encryption software in fact gives rise to a CFIUS filing requirement. ^[6]

Determine whether the U.S. investment target, directly or through a contractor or other party, designs, develops, produces or tests software with encryption functionality.
If so, assess whether the encryption software falls within EAR ECCN 5D002.
If so, the investment target will ordinarily need to submit (or have submitted) a classification request regarding the 5D002 source code and technology to Commerce Department export control regulators.
1. Provided the encryption software is not a cryptanalytic item and no foreign investor or covered affiliate is a government end user or based in a non-favorable treatment country, as soon as the investment target submits the classification request, there is no CFIUS filing requirement due to the 5D002 software.
2. If a foreign investor or covered affiliate is a government end user and the encryption software is not a cryptanalytic item, the parties can be confident that there is no CFIUS filing requirement due to the 5D002 software only when 30 days have elapsed following submission of the classification request.
3. If a foreign investor or covered affiliate is based in a non-favorable treatment country and the encryption software is not among the tightly controlled ENC § (b)(2) items, then the parties can be confident that there is no CFIUS filing requirement due to the 5D002 software only when 30 days have elapsed following submission of the classification request.
4. If a foreign investor or covered affiliate is based in a non-favorable treatment country and the encryption software is a tightly controlled ENC § (b)(2) item, then a CFIUS filing may unavoidably be required for the transaction.

^[1] CFIUS also has jurisdiction over some types of foreign investment in U.S. real estate.

^[2] CFIUS filings are also generally required for a transaction involving a foreign person’s acquisition of 25% or more of a U.S. business’s voting interests if 49% or more of the foreign person’s voting interests are held by one or more governments of a foreign nation if the U.S. business has critical technology or is connected to certain other types of security-sensitive factors. By the same token, certain types of investments by “excepted investors” associated with Australia, Canada or the United Kingdom never give rise to a CFIUS filing requirement.

^[3] In addition, the regulations specify that critical technologies include “emerging and foundational technologies controlled under section 1758 of the Export Control Reform Act of 2018.” Any such items would also be expected to qualify as critical technologies by virtue of their inclusion on the Commerce Control List.

^[4] To ensure that encryption software is not classified in ECCN 5D002, it may be necessary to email the U.S. government a copy of or link to its source code.

^[5] For a small subset of encryption software covered by ENC § (b)(2), ENC does not provide authorization even after 30 days for exports to non-favorable treatment countries. If a target company designs, develops or produces such software and the foreign investor is from a non-favorable treatment country, then a CFIUS filing requirement may unavoidably apply to the transaction.

^[6] This analysis assumes that no foreign investor acquiring a 25% or greater voting interest is 49% or more owned by a foreign government (circumstances that can, in certain cases, give rise to a CFIUS filing requirement even without a critical technology) and that the foreign investment transaction is not an Australia, Canada or U.K.-related excepted investment.

Authors

Harry Clark Partner, International Trade and Investment, Mergers & Acquisitions

Washington, D.C.

See my bio

D:+1 202 339 8499
E: [email protected]

Practice:

Technology & Innovation Sector
International Trade and Investment
Mergers & Acquisitions
Environmental, Social & Corporate Governance (ESG)
Strategic Advisory & Government Enforcement (SAGE)

vCard

See full bio

Harry Clark Partner

Washington, D.C.

Harry is experienced in areas such as CFIUS/Exon-Florio examinations of foreign investment, military and “dual use” export control regulations (ITAR/EAR), economic sanctions administered by the U.S. Treasury Department (OFAC), customs regulations, the Foreign Corrupt Practices Act, anti-money laundering rules, anti-boycott requirements and defense industrial security requirements. He executes internal corporate investigations regarding trade and investment rules and advises on such rules in the context of corporate transactions.

Additionally, Harry has extensive experience with government contracting matters. His government contracting work has included, for example, design and implementation of U.S. Defense Department renewable energy projects. He also represents broad industry coalitions on major trade litigations and international negotiations. His experience in these areas includes a leading role in what is often considered the largest-ever international trade dispute: the controversy regarding unfair softwood lumber imports from Canada. It has involved myriad administrative proceedings before federal agencies, NAFTA panel appeals, WTO dispute proceedings, judicial proceedings and international settlement agreements.

Harry has represented a coalition of major U.S. oil companies in antidumping and countervailing duty litigation. As a related matter, he pursues policy issues with congressional and executive branch officials and advises on international trade rules (e.g., GATT, WTO agreements and NAFTA).

Chambers 2022 recognizes Harry as a leader in the field of export controls and economic sanctions (Chambers Global and Chambers USA), as well as CFIUS (Chambers USA). Previous editions have also recognized Harry’s achievements regarding his work related to the Foreign Corrupt Practices Act. Clients note that Harry provides “accurate, straightforward guidance incredibly efficiently” and “he has an ability to translate complex legal requirements and rules into business-friendly jargon.”

Jeanine P. McGuinness Partner, International Trade and Investment, FCPA & Anti–Corruption

Washington, D.C.

See my bio

D:+1 202 339 8543
E: [email protected]

Practice:

International Trade and Investment
FCPA & Anti–Corruption
Geldwäschebekämpfung und Bankgeheimnis
Mergers & Acquisitions
Environmental, Social & Corporate Governance (ESG)
Strategic Advisory & Government Enforcement (SAGE)

vCard

See full bio

Jeanine P. McGuinness Partner

Washington, D.C.

Jeanine’s clients include major U.S. and foreign financial institutions, and pharmaceutical, technology, telecommunications, energy, and natural resources companies.

Examples of Jeanine’s experience include:

Represents clients in preparing voluntary self-disclosures, administrative subpoena responses and license applications, and represents companies in connection with enforcement actions by the Treasury Department’s Office of Foreign Assets Control (OFAC)
Provides policy and compliance advice to clients affected by frequent changes in U.S. sanctions, including sanctions targeting Iran, Cuba, and Russia/Ukraine
Assists foreign purchasers of U.S. companies in national security reviews, including navigating the CFIUS process, through preparation of notices, meetings with CFIUS member agencies, advising on follow-on investigations, and negotiating and implementing mitigation agreements
Assists clients in developing and updating economic sanctions, anti-money laundering, and anti-corruption compliance policies and procedures
Represents financial institutions in connection with U.S. federal and state enforcement actions regarding compliance with U.S. anti-money laundering laws and regulations
Represents lenders, underwriters, borrowers, and issuers in international lending and capital markets transactions regarding sanctions, anti-corruption, and anti-money laundering issues
Advises a U.S. trade association and its member banks regarding U.S. sanctions, anti-corruption, and anti-money laundering issues in lending transactions, and prepares guidance for the industry on these matters
Advises financial institutions on the application of U.S. anti-money laundering regulations, with specific emphasis on customer identification program (CIP)/know your customer (KYC)/customer due diligence (CDD) requirements and suspicious activity reporting requirements
Regularly advises private equity and hedge funds regarding compliance with U.S. anti-money laundering and sanctions laws and regulations, including with respect to appropriate provisions in subscription materials and enhanced due diligence on high-risk investors
Advises clients regarding sanctions-related inquiries from the Securities and Exchange Commission (SEC) and state agencies implementing divestment laws and assists clients in preparing sanctions-related disclosure for inclusion in annual reports to the SEC

Jeanine is ranked in both the CFIUS Experts and Export Controls & Economic Sanctions categories by Chambers USA in 2019, 2020, 2021, and 2022. An interviewee had this to say of their experience working with Jeanine, “I am continuously impressed by her extensive knowledge, excellent communication skills and her ability to wrap her subject matter expertise around the details of the matter and then drive conclusions or recommendations for next steps."

Gregory I. Hume Economist and Compliance Specialist, Mergers & Acquisitions, International Trade and Investment

Washington, D.C.

See my bio

Practice:

Mergers & Acquisitions
International Trade and Investment
Strategic Advisory & Government Enforcement (SAGE)

vCard

See full bio

Gregory I. Hume Economist and Compliance Specialist

Washington, D.C.

Greg assists in a variety of regulatory and investigatory activities relating to the Committee for Foreign Investment in the United States (CFIUS), export controls, economic sanctions and anti-boycott regulations, including the preparation of CFIUS Notices, voluntary disclosures, internal audit documentation and compliance policies and procedures. He also actively participates in corporate transaction due diligence related to Trade Controls and the Foreign Corrupt Practices Act, as well as internal investigatory activities.

With over 20 years' experience in antidumping and countervailing duty investigations (and consequent administrative reviews) of unfairly-traded goods, Greg has been centrally involved in the statistical, economic and financial analysis of the confidential pricing, logistical, marketing and accounting information submitted by parties in such cases, as well as supporting the drafting and review of briefs and other pleadings filed by parties in the cases. Among the unfair trade cases in which he has participated are those involving crystalline solar voltaic panels, softwood lumber, warmwater shrimp, wooden bedroom furniture, outboard motors and various flat-rolled steel products.

Greg has frequently presented litigation-related testimony before the International Trade Administration and actively participates in representing firm clients before the U.S. Department of Commerce, the International Trade Commission, the Court of International Trade, the Court of Appeals for the Federal Circuit and the World Trade Organization.

Greg actively participated in the negotiation of a major international trade agreement involving billions of dollars of trade, and the subsequent monitoring of that agreement. In binding arbitration emerging from that agreement, he developed a damages estimate adopted by the U.S. Government and accepted by the arbitral panel.

Greg also supports a variety of litigation efforts requiring data analysis, and has developed and analyzed damages estimates for various arbitration and litigation matters.