Foreign Investment in the U.K.: A Proposed New Framework for Increased Scrutiny

What is the national and business context?

The U.K. has historically adopted a relatively liberal approach to foreign investment and remains one of the top recipients of foreign investment in the world. In contrast to its neighbours in Europe and the United States, the U.K. does not currently operate a separate framework for the review of foreign investment transactions that raise national security considerations. Instead, it forms part of the U.K.’s wider legal framework on merger control in a competition context, presided over by the U.K. Competition and Markets Authority (CMA).

The U.K.’s relaxed stance began to shift under the premiership of Theresa May (2016-2019), with her government making initial reforms to the U.K.’s merger control framework to increase the scope of foreign investment transactions that may be subject to review on national security grounds. In line with the change in approach, and on the back of rising geopolitical tensions and security concerns, the new U.K. government led by Prime Minister Boris Johnson set out plans in January 2020 to legislate for a new National Security and Investment Bill. The purpose of the bill is to “strengthen the Government’s powers to scrutinise and intervene in business transactions (takeovers and mergers) to protect national security” while maintaining the U.K.’s “proud and hard-won reputation as one of the most open economies in the world.”

The first draft of the National Security and Investment Bill is expected to be published in the coming weeks. Once published and introduced to Parliament, the bill will be debated by both Houses of Parliament through the usual parliamentary stages before, if passed, receiving Royal Asset and becoming law. Given there is significant cross-party consensus on the bill, this process could be completed relatively quickly. We set out below what to expect and will report on the substantive provisions of the bill once published.

Why is this important?

International businesses will need to analyse whether a proposed investment, acquisition or divestment of U.K. assets raises notifiable national security considerations. This will have important ramifications for deal structure and timing. As with the notification and review framework under the Committee on Foreign Investment in the United States (CFIUS), this will require a comprehensive analysis of a whole range of transaction types, from bread-and-butter M&A to sales of intellectual property assets. In M&A and equity investment transactions, the identity of a proposed acquirer and its beneficial owners – particularly important for private equity and other fund-structured buyers and sellers – and the nature of the target business and/or assets will be crucial. Even in minority investments, issues such as rights to board seats will need to be considered carefully.

The U.K.’s proposed new framework and the framework which exists under CFIUS will each have their nuances and shades of emphasis. However, the broad aims of each framework, the types of national security risks they aim to address, and the trigger thresholds for notification and review can be expected to be broadly similar. As a result, U.S. businesses involved in transactions which require a notification under CFIUS should also give serious consideration to making a parallel notification in the U.K. where the transaction includes underlying U.K. assets (whether subsidiary undertakings or other assets) or otherwise has a material nexus with the U.K.

What mechanisms currently exist for the U.K. to review foreign investment transactions on national security grounds?

The U.K.’s current framework is set out in the Enterprise Act 2002. There is currently no express obligation on a company or person to proactively notify the CMA (or the U.K. government) of a so-called “relevant merger situation” with “public interest” considerations.

Under Section 42, the U.K. government may intervene in a transaction where it has reasonable grounds for suspecting that a transaction has created or will create a relevant merger situation and it believes that it is or may be the case that one or more public interest considerations is relevant to the relevant merger situation concerned. The CMA may be asked by the government to review and report on these transactions, but the government has the final decision. Under Section 58, one of the specified public interest considerations is national security (including public security). Relatedly, on 23 June 2020, in light of the COVID-19 pandemic, further emergency legislation came into force which specifies an additional public interest under Section 58: the need to maintain in the U.K. the capability to combat, and to mitigate the effects, of public health emergencies.

A relevant merger situation (under s. 23(1)) is created if (a) two or more enterprises have ceased to be distinct enterprises; and either (b) the value of the turnover in the United Kingdom of the enterprise being taken over exceeds GBP 1,000,000, if – in the course of the merger – a person or group of persons has brought a relevant enterprise under the ownership or control; or (c) this results in the merged entity supplying at least 25% of goods or services of a particular description in the U.K.

A relevant enterprise is one whose activities consist in or include certain areas deemed sensitive by the U.K. government. Examples include developing or producing restricted goods (i.e., goods, software or information, the export of which is controlled by export control legislation); owning or supplying intellectual property relating to computer processing units and “roots of trust” (i.e., hardware or software components that are inherently trusted to perform critical security functions); and research into or selling services related to quantum computing or simulation, quantum imaging, sensing, timing or navigation, quantum communications or quantum resistant cryptography.

What changes can we expect to the U.K. foreign investment review framework in the National Security and Investment Bill?

The National Security and Investment Bill is expected to largely follow the framework set out in the U.K. government’s July 2018 white paper consultation, “National Security and Investment: A consultation on proposed legislative reforms,” although recent pressure by some MPs to strengthen the framework may result in more stringent measures in certain areas.

Based on the white paper, the structure of the new regime would involve five stages, which we summarise at high level below.

1. Business Activity: When considering an investment activity, the parties will be required to review what regulatory processes may be relevant to their proposed transaction. The trigger events are likely to include any investment or activity that involves the acquisition of: (a) more than 25% of an entity’s shares or voting rights; (b) significant influence or control over an entity; (c) further acquisition of shares or voting rights above the relevant thresholds; (d) more than 50% of an asset; or (e) significant influence or control over an asset.
   
   
2. Notification: Following review of the proposed investment activity, the parties would submit notifications (which are expected to be joint in most cases) and engage in informal dialogue with the government. Notification of trigger events that might give rise to national security concerns will be encouraged, but under the framework outlined in the white paper, notification would not be mandatory. However, it remains to be seen whether the government strengthens this aspect of the framework, to require mandatory notification, in light of accelerating geopolitical trends.
   
   In contrast, under CFIUS, certain filings are mandatory. This is the case where, for example, (1) a foreign government controls or acquires a “substantial interest” in a U.S. company that (a) produces, designs, tests, manufactures, fabricates, or develops one or more “critical technologies,” (b) performs certain identified functions with respect to “critical infrastructure,” or (c) maintains or collects, directly or indirectly, sensitive personal data of U.S. citizens (with such a U.S. company being a TID U.S. business); (2) a foreign person controls or has a “covered investment” in a TID U.S. business; or (3) a foreign person (whether or not affiliated with a foreign government) would gain access to material, non-public information about certain categories of TID U.S. businesses.
   
   Upon receipt of a valid notification, the U.K. government would have a prescribed period (potentially up to 30 working days) in which to exercise its “call-in” power. The U.K. expects the framework to result in approximately 200 notifications each year. By way of comparison, CFIUS received 231 notices in 2019 (and 229 in 2018).
   
   
3. Screening: In this stage, the government calls in notifications with national security concerns, with other notifications being able to proceed. While the initial notification by the parties would be confidential, the U.K. government proposes that its decision to call in a trigger event would be made public.
   
   There would be a two-limb test for a call-in: The government must have (1) reasonable grounds for suspecting that it is or may be the case that a trigger event has taken place or is in progress or contemplation; and (2) a reasonable suspicion that the trigger event may give rise to a risk to national security due to the nature of the activities of the entity or the nature of the asset over which control is being acquired. This will involve an assessment of three risk types:
   
   • Target Risk. This includes the risk of entities and assets within “cores areas” of the economy, e.g. national infrastructure (civil nuclear, communications, defence, energy, transport), advanced technologies (AI and machine learning, autonomous robotic systems, computing hardware, cryptographic technology, nanotechnologies, materials and manufacturing science, networking, quantum technology and synthetic biology), critical suppliers to government and emergency services, and military or dual-use technologies.
   • Trigger Event Risk. This includes the risk that the trigger event may give the acquirer the means or ability to undermine the U.K.’s national security through disruption, espionage, inappropriate leverage or some other means.
   • Acquirer Risk. This includes the risk that the acquirer may seek to use their acquisition of control over the entity or asset to undermine national security.
   As noted above, while the white paper does not propose requiring mandatory notification, the parties to a proposed transaction would be well advised to carry out an initial assessment of the transaction based on these criteria to determine whether the U.K. government would be likely to exercise its call-in power.
   
   If the parties do not make a notification, the white paper proposes that the government would have six months after becoming aware of the transaction (assuming it was covered by the framework and whether completed or not) to exercise the call-in power. This could lead to the U.K. government imposing conditions or even requiring that the transaction be unwound.
   
   Having a time limit on the call-in power would stand in stark contrast to CFIUS, which imposes no time limit on post-transaction review and intervention. Assuming the proposed six months’ time limit on post-transaction intervention is included in the bill (and survives the legislative process), this should provide some degree of comfort and certainty for investors and/or transaction parties.
   
   
4. National Security Assessment: The U.K. will scrutinise transactions with national security concerns following a prescribed process. Once a transaction has been called in, the parties must not complete the trigger event until approval has been granted. The government will have powers to request and require information to be provided and will have 30 working days to make its assessment of the national security risks. This will be subject to extension for a further 45 working days where a national security risk has been identified but the case requires more detailed review.
   
   
5. Intervention and Remedies: Where necessary and proportionate, the U.K. will impose conditions and mitigation measures. If the government concludes that no remedy is able to address or mitigate the risk to national security, it will have the power to block a deal or unwind it if it has already taken place.
   
   Potential Conditions
   
   The types of conditions the U.K. envisions imposing include: (1) personnel conditions – requiring the buyer to secure government approval for appointments of any directors or other key personnel; (2) monitoring conditions – requiring that the government be given access to information on the target’s activities; (3) IP conditions – restricting the transfer or sale of IP rights; (4) supply chain conditions – requiring a new buyer retain the target’s existing supply chain for a set period; and (5) information/operations conditions – requiring that only personnel with appropriate U.K. security clearances have access to confidential information or that only such personnel should be part of the operational management of the business.
   
   Offences and enforcement
   
   The proposed headline offences under the U.K.’s new framework would include:
   
   
   • Breach of a call-in notice. When the government exercises its call-in power through a formal notice, those parties involved in the transaction are, among other obligations, required to refrain from completing the trigger event for the duration of the government’s review. This offence would deal with a party or the parties proceeding with the transaction despite the call-in notice.
   • Breach of interim restrictions. The call-in notice will set out a series of interim restrictions which the parties to the transaction must comply for the duration of the government’s review. This offence would deal with a party breaching an interim restriction.
   • Breach of a condition. Following the government’s review, it may permit the transaction to proceed subject to certain conditions (such as the examples set out above). This offence would deal with a party breaching a condition.
   
   In terms of enforcement, breaches of call-in notices, interim restrictions and/or conditions would result in both criminal and civil liability. Offending companies may be fined up to 10% of their annual worldwide turnover and offending individuals may be fined up to £500,000 or 10% of their total income (whichever is higher). These offences would also potentially carry up to five years imprisonment where tried on indictment. Directors and/or other relevant persons may also be subject to disqualification from holding the office of a director. Other offences may only incur civil liability (although backed with significant fines) – for example, the failure to provide information as part of the government’s national security assessment.
   
   Under the CFIUS framework, certain fines are linked to transaction value. For example, the failure to make a filing where required is subject to penalties up to the value of the transaction. In contrast, the U.K.’s white paper does not propose linking fines to transaction value, focusing instead on percentages of global turnover for the most serious offences.