On January 19, 2021, the Commerce Department issued an interim final rule to implement the Executive Order on Securing the Information and Communications Technology and Services Supply Chain (E.O. 13873), which was issued on May 15, 2019. The interim rule comes after the November 2019 proposed rule implementing E.O. 13873.
The interim final rule empowers the Commerce Department to conduct CFIUS-like reviews of transactions involving the acquisition, importation, transfer, installation, dealing in, or use of “information and communications technology or services” (“ICTS Transactions”) between U.S. persons and certain “foreign adversaries,” across six defined categories of products. These reviews may be self-initiated by the Commerce Department or requested by parties to a transaction and add a significant new consideration for applicable mergers and acquisitions, sourcing and managed service arrangements, cross-border investment and other commercial arrangements that have touchpoints with China, Hong Kong, Russia and several sanctioned jurisdictions.
The impact is immediate, enabling the Commerce Department to review ICTS Transactions initiated, pending, or completed on or after January 19, 2021.
Who is Considered a “Foreign Adversary”
The interim final rule maintains the definition for “foreign adversaries” in the proposed rule of E.O. 13783, which means:
“any foreign government or non-government person determined by the Secretary of Commerce (the “Secretary”) to have engaged in a long-term pattern or serious instances of conduct significantly adverse to national security of the U.S. or security and safety of U.S. persons for the purposes of E.O. 13783.”
The interim final rule initially defines “foreign adversaries” to include the following foreign governments and non-government persons:
- China, including Hong Kong;
- North Korea;
- Russia; and
- the Maduro Regime in Venezuela.
The scope of prohibited ICTS Transactions include transactions between U.S. persons and a “person owned by, controlled by, or subject to the jurisdiction or direction of a foreign adversary.” The definition of this category of persons includes the following:
- Any person, wherever located, who acts as an agent, representative, employee, or any other capacity at the order, request, direction, or control of a foreign adversary;
- A person whose activities are directly or indirectly supervised, directed, controlled, financed or subsidized in whole or in majority part by a foreign adversary;
- Any person wherever located who is a citizen or resident of a nation-state controlled by a foreign adversary;
- Any corporation, partnership, association, or organization organized under the laws of a nation-state controlled by a foreign adversary; or
- Any corporation, partnership, association, or organization, regardless of where it is organized, that is owned or controlled by a foreign adversary.
The interim final rule broadly captures the aforementioned category of persons regardless of whether they are owned or controlled by a foreign government. The Commerce Department will periodically consult with appropriate agency heads and may add to, subtract from, supplement, or otherwise amend the list. Subsequent changes will be announced in the Federal Register.
ICTS Transactions Impacted by the Rule
Consistent with the proposed rule, the scope of impacted ICTS transactions remains broad across sectors with no categorical exemptions of specific industries or geographic locations.
Transactions involving certain technologies, hardware, or software are considered covered ICTS Transactions, including the following:
- Critical Infrastructure: ICTS used by a party to a transaction in a sector designated as critical infrastructure by Presidential Policy Directive 21 – Critical Infrastructure Security and Resilience, including any subsectors or subsequently designated sectors;
- Internet Connectivity: Software, hardware, or other products or services integral to connecting to the Internet;
- Data Hosting and Computing: Software, hardware, or other products or services integral to data hosting or computing services;
- Monitoring, Networking Devices, and Unmanned Aerial Systems: Certain ICTS products used for surveillance or monitoring (e.g., webcams and sensors), home networking devices (e.g., routers and modems), or unmanned aerial systems (e.g., drones), which more than one million units have been sold to U.S. persons in the year prior to an ICTS Transaction;
- Communication Software: Software designed primarily for connecting with and communicating via the Internet that is in use by more than one million U.S. persons in the year prior to an ICTS Transaction; and
- Emerging Technology: ICTS integral to artificial intelligence and machine learning, quantum key distribution, quantum computing, drones, autonomous systems, or advanced robotics.
Moreover, any act or service with respect to an ICTS Transaction, such as execution of any provision of a managed service contract or installation of software updates, will be considered an ICTS Transaction covered by the rule on the date the service or update is provided. Transactions involving a U.S. person as a party to a transaction authorized under a U.S. government industrial security program and transactions solely involving personal hardware devices (e.g., handsets) will not be covered.
Seeking Regulatory Approval
The interim final rule becomes effective March 22, 2021. The rule establishes a process by which the Commerce Department can review ICTS Transactions that are deemed to meet a broad definition of “undue or unacceptable risk.” In response to public comments concerning the open-endedness of the process as outlined the proposed rule, the interim final rule states that investigations will last no more than 180 days unless the Commerce Department decides to extend the period.
This evaluation will be made on a case-by-case basis. A general outline of the process is below:
- Initial Determination and Consultation: After reviewing and consulting with relevant U.S. Government agencies, the Commerce Department may determine that a transaction is a covered ICTS Transaction. In this case, the Secretary will issue a written determination of whether to prohibit the transaction or propose mitigation measures instead.
- Parties’ Response: The interim final rule also establishes a process for parties to respond to the Secretary’s initial determination. Similar to the proposed rule, within 30 days of being notified of an initial determination, parties to that transaction may respond with their own evidence and arguments and propose remedial steps that may negate the basis for the Commerce Department’s initial determination. A response is due within 30 days of the initial determination; otherwise, the initial determination becomes final.
- Second Interagency Consultation: After parties are allowed to respond, the Commerce Department will initiate a second interagency consultation with relevant US Government agencies to discuss the transaction, the initial determination, and any response.
- Final Determination: The Commerce Department will issue its final determination as to whether the transaction is prohibited, not prohibited, or permitted pursuant to the adoption of the agreed upon mitigation measures.
The Commerce Department will also establish a voluntary process for entities to seek pre-approval of their ICTS Transaction in advance. As the process is voluntary, entities will have to evaluate whether to seek regulatory approval, weighing the benefits of obtaining a license against the risks of future intervention that could potentially prohibit or restrict the transaction.
Much of the details related to the licensing process for ICTS Transactions remains unknown and is not due to be implemented until May 2021; however, the interim final rule does note that license applications will be reviewed on a fixed timeline of 120 days from the date which they are accepted. If no license decision is issued within 120 days from this date, then the application is deemed to be granted.
Interplay with Other Foreign Transaction Reviews
The Commerce Department’s review of ICTS Transactions may overlap with other U.S. government review processes for foreign transactions.
The Committee on Foreign Investment in the United States (CFIUS), an interagency committee chaired by the Secretary of the Treasury, reviews certain investments in U.S. businesses or real estate for national security concerns. The Commerce Department clarified that the interim final rule does not apply to ICTS Transactions that are currently or have previously been under CFIUS review. However, future ICTS Transactions do not automatically qualify for safe harbor established by CFIUS’ regulations. Also, a subsequent transaction involving ICTS that is separate from the transaction reviewed and cleared by CFIUS may be subject to review under the ICTS rule.
Despite differing objectives, the Committee for the Assessment of Foreign Participation in the United States Telecommunications Services Sector (Team Telecom) may also overlap with the Commerce Department’s review process for ICTS Transactions discussed in the interim final rule. Team Telecom addresses investment transactions that require FCC licensing, while the interim final rule focuses on ICTS Transactions. To the extent that a transaction falls under the jurisdiction of both Team Telecom and a covered ICTS Transaction, the interim final rule does not provide for an integrated review, suggesting that both review processes will be required. Information provided to Team Telecom in connection with its review process may also be used by the Commerce Department in its review of ICTS Transactions.