The National Security and Investment Act 2021 – a law that will introduce a screening process for certain acquisitions and investments.
The National Security and Investment Act 2021 will introduce a new mandatory notification regime for transactions that comes into force on 4 January 2022. We take a look at what it will cover.
Key features of the Act
- Notification of transactions: The Act obliges anyone acquiring a stake of more than 25% in an entity that is active in certain specific sectors (see below) to notify the Government of the transaction (and prohibits completion of the transaction until Government approval has been obtained). This has been raised from 15% as originally drafted, as a result of criticism from businesses who argued that this was too low. This change reduces the scope of the Act significantly, but not so much as to totally alleviate the concerns we address below. It will, however, be welcome news to those within the venture capital space, given a significant number of venture capital deals will fall under the 25% threshold. Of the transactions that are notified, the Government can scrutinise certain deals if they consider there to be a national security element. The Government has 30 working days to review notifications and “call in” those which could raise national security concerns. The indication from policy papers and commentary to date indicates that the vast majority of transactions will not be “called in”. There is also a broad “voluntary” regime where one can elect to give notice of a transaction that falls outside these parameters, to seek approval and thereby guard against the risk of the Government calling in the transaction for review post-completion.
- The target sectors: The mandatory notification obligation applies to 17 specific sectors which will be kept under review and will be subject to updates to address emerging technology or newly identified national security risks. The current sectors are civil nuclear; communications; data infrastructure; defence; energy; transport; artificial intelligence; advanced robotics; computing hardware; cryptographic authentication; advanced materials; quantum technologies; synthetic biology; critical suppliers to Government; suppliers to the emergency services; military or dual-use technologies; and satellite and space technologies. At first blush, these cover the usual suspects (defence, civil nuclear, critical suppliers to Government; suppliers to the emergency services, military technology) but also a swathe of other more generic technologies (such as transport, communications and data infrastructure) that do not immediately raise national security question marks or rapidly advancing and proliferating technologies (such as AI or quantum tech) which will have increasing prevalence as adoption across industries increases. The Government published what is expected to be a final draft set of definitions on 20 July 2021. These set clearer parameters around what will and won’t fall within the remit of the Act and to ensure that the more benign applications of the target sector technologies will not be captured. For example, the definition of artificial intelligence has been narrowed to specifically focus on three higher risk applications: the identification and tracking of objects, people, and events; advanced robotics and cyber security. However, the draft definitions remain very broad. The final definitions will be set out in a Statutory Instrument that is anticipated to be finalised in the coming weeks.
- Not a FDI regime: The Act applies to UK buyers/investors as well as overseas acquirers and does not have exclusions for investors/buyers from “trusted jurisdictions” (unlike the US CFIUS regime where, for example, UK or Australian investors are exempt). It also extends to non-UK targets so long as they carry out at least some operations in the UK.
- No safe-harbour or thresholds: The Act does not contain any value thresholds beneath which notification is not required. So long as the investment exceeds the percentage thresholds, and involves a target entity active in a specified sector in the UK, prior approval will be required (regardless of the size of the transaction or of the target’s activities in the specified sector).
Remedies and sanction: Failure to obtain prior approval for a notifiable transaction, or other breaches of the regime, may result in civil fines of up to 5% of worldwide turnover or £10 million (whichever is higher) and/or criminal sanction (up to 5 years imprisonment). Importantly, any transactions covered by the mandatory regime which take place without clearance will be legally void. This has similarities to the remedies under the CFIUS regime.
Key concerns raised prior to receiving Royal Assent
In Parliamentary debates during the legislative process, a number of concerns were expressed, including:
- No definition of “National Security”: The Act does not contain a definition of “national security”. The Act appears to afford discretion without any guidance as to industrial strategy or geopolitical focus, raising concerns about the Secretary of State’s powers being drawn too broadly. The counter argument put forward by Government was that avoiding a precise definition of national security allows the Government the flexibility to respond to evolving threats whilst remaining absolutely committed to the free flow of trade and investment. This mirrors the approach of CFIUS which purposefully did not define national security to allow maximum flexibility in determining the outcome of a transaction.
- Bureaucratic Headache: The mandatory and voluntary schemes could result in a debilitating bureaucratic process for the Government to handle, meaning it is only able to focus on clearing backlogged notifications rather than considering carefully those transactions which are more likely to raise concerns.
- Impact on SMEs: The Act could threaten investment into small firms and stifle growth. Under the previous CMA regime, the target business must have had UK turnover of more than £70million or the merger must meet a minimum 25% share of supply threshold. As there is no value or share of supply in the new Act, even small businesses could be caught and therefore go through the notification process. It is expected that SMEs will make up 80% of the transactions under the new regime, almost none of which will be likely to raise concerns. On the flip side, requiring SMEs to comply with this process (and delay their transactions whilst the review takes place) is disproportionately burdensome when weighed against the size of the transaction as a whole.
Our concerns largely mirror those raised in the second reading of the Act. However, the Act is now a reality and we are working closely with our clients to help them prepare for the new regime and to minimise its impact.
The Government has indicated they expect circa 1,800 notifications per year but given the lack of any materiality threshold and the breadth of the target sectors (albeit that this has been partially addressed through the proposed definitions) the true number could be far higher. The regime has the potential to bring “routine” corporate transactions within scope, including venture capital investments and similar fundraisings which invariably involve technology businesses looking to scale quickly – all of which face the potential for disruption or delay if a notification needs to be made.
The UK’s regime appears somewhat unique in not imposing some sort of gateway threshold to filter transactions requiring disclosure review. For example, many European countries’ FDI-restrictions are not engaged unless the target business exceeds a certain annual turnover within the relevant jurisdiction. Alternatively, CFIUS has no value threshold but only applies to overseas investors (and specifically excludes a trusted group of countries – such as Canada, Australia and the UK). The UK’s regime contains neither exception.
Camilla de Coverly Veale, Head of Regulation at The Coalition for a Digital Economy (Coadec), supports the intention of the Act but shares our reservations - in particular as to the broad application of the new regime. Despite some refinement to the 17 target sectors, the duties associated with technologies that are increasingly foundational to businesses, such as AI, remain significant. Coadec is also concerned that the new regime could become overburdensome, wasting the time and resources of both businesses and civil servants while making it harder to capture genuinely risky cases.
Coadec successfully fought to remove the majority of early-stage startup funding rounds from the Act’s scope. It is now focused on working with the Government to ensure startups’ experience of the new regime is as smooth as possible.
The Government has taken on board some of the industry’s concerns about scope by tightening the 17 target sectors. We think this does go some way to addressing the scope issue, but we have doubts as to whether it is enough on its own.
- Don’t assume it doesn’t apply to you – This is an Act that bears “national security” in its name but which will catch many transactions that clearly do not give rise to any national security concerns whatsoever. It will impact the full spectrum of transactions so it will be important to consider whether the regime applies at an early stage in any transaction and make any notification promptly so as to minimise any disruption to the transaction timetable.
- Historical application – The new mandatory notification regime starts on 4 January 2022, although the Act will allow the Government to retrospectively review any transaction entered into from 12 November 2020 (for up to five years from when the regime comes into force).
- Transaction mechanics – Consider whether conditionality in respect of clearance being granted needs to be included for certain transactions. At the very least, this will introduce an interim period between signing and closing with the additional complexity this adds (e.g. conduct of business in the interim period, repeated warranties, price adjustments, etc.)