This is part 5 of a five-part series with Tom Fox and the FCPA Compliance Report on mitigating risks within CFIUS compliance with business intelligence.
Monitorships and How They Work Generally, a monitor is used to assess and oversee a company’s compliance with relevant laws and regulatory actions. It can also oversee compliance with a written agreement with a prosecutor, such as the U.S. Department of Justice, or with a regulatory agency through a deferred prosecution agreement (DPA), nonprosecution agreement (NPA), cease and desist order, or other court-approved regulatory directive. Monitors can help organizations comply with Committee on Foreign Investment in the United States (CFIUS) mitigation agreements on an ongoing basis as well as help them to assess compliance programs and internal controls to remediate deficiencies and avoid future problems. Ultimately, a monitor should be able to ensure, for both the government and the company, that whatever the mitigation agreement is, or the regulatory directive might be, it is complied with going forward. The strongest and most effective monitors understand both the business and the regulatory demands.
Monitorships Under CFIUS The breadth and scope of a monitorship under CFIUS, like every monitorship, will depend on the circumstances. The monitorship may have been imposed for a number of reasons: to alleviate national security risks, carry out mitigation requirements, oversee changes to the transaction or to its overall structure, or serve as an oversight mechanism. A monitorship can also refer to the compliance framework needed to implement a mitigation agreement or an order issued by CFIUS or even the U.S. President. The goal of any oversight mechanism or compliance framework is to help the organization comply with the requirements and to ensure there is effective trust, understanding, and oversight between the companies involved in the transaction. The U.S. government-led agencies that are monitoring and ensuring compliance with the mitigation agreement or CFIUS order need to have confidence that it is being implemented.
CFIUS, through a monitor, can require compliance policies and procedures across a full range of issues that might implicate the entire business. This might include cyber risk or access controls, the elements of the transaction, how data is held, and even the appointment of additional personnel such as a security officer or a compliance officer. CFIUS could also reach upward and require an independent board member who is a U.S. national be charged with overseeing the implementation of the compliance procedures that are in place. The monitor would oversee all of this going forward for a specific time frame.
Preparing for a Monitorship Whether an organization is deficient in areas of compliance as diverse as information technology, cybersecurity, or export controls, a monitorship can have a fairly significant impact in terms of how the company does business from a day-to-day perspective. Parties to the CFIUS review process need to be prepared to dedicate the resources and personnel needed to be able to effectively implement the monitoring and compliance framework imposed by CFIUS and overseen by the monitor.
Equally important, companies need to be prepared from the beginning to create a positive work relationship with the monitor, who will be assessing the company’s compliance program and compliance risks on a regular basis. This is another reason it is important for companies to find an experienced monitor with the ability to work in a broad range of environments—one that not only understands business imperatives but that also understands national security considerations. Laying such groundwork before the monitor is formally appointed can go a long way to setting the expectations to be met during the monitorship and making it successful. It starts with setting the tone from the top in terms of governance, with the board and senior management delivering the message that the monitorship will be successful.
A professional monitor is critical to fitting these requirements, so it is important to use good judgment in the recommendation and selection process. Evaluate the monitor’s ability to perform appropriate risk assessments and risk valuations, as well as its strengths in terms of the new business lines, technologies, products, and geographic areas that the company might be entering as part of the new investment.
For more information on K2 Intelligence Financial Integrity Network and its CFIUS Advisory Services practice, click here.