Understanding the Impact of the UK’s National Security and Investment Act on Compliance

The UK’s National Security and Investment Act (NSIA), which came into force in January 2022, represents a major shift in how investments and acquisitions are scrutinized for national security concerns in the UK. With this Act, the government aims to protect national security while providing transparency and stability to businesses and investors to encourage them to continue doing business in the UK. In particular, these regulations apply to organizations operating in affected sectors.

Let’s break down what the NSIA means, its key provisions, and how businesses can meet its requirements.

What is the NSIA?

The NSIA grants the UK government the authority to review and, if necessary, block or impose conditions on transactions involving companies or assets that could impact national security. This Act aims to monitor transactions in activities like takeovers and M&As that can impact national security. It applies to a range of sectors critical to the UK’s infrastructure, defense, and economy. This legislation follows a global trend of tightening foreign investment laws, seen in countries like the US (CFIUS) and Australia.

Here are the key features of this Act.

Mandatory Notifications

Certain transactions involving sensitive sectors must be notified to the government before they can be completed. These include areas like defense, artificial intelligence, data infrastructure, energy, and more. There are 17 specific sectors listed, and the government has the power to adjust these sectors as needed.

Voluntary Notifications

Not all transactions require mandatory notification. However, if a business believes that a transaction might raise national security concerns, it can voluntarily notify the government. This is a proactive step to avoid potential intervention or penalties later.

Call-In Power

The government can “call in” transactions for review if it believes there could be a national security threat, even if they were not initially notified. This call-in power extends for up to five years after a transaction has taken place if it was not initially notified.

Retroactive Powers

Deals that were completed up to five years prior to the NSIA’s enactment can still be reviewed if they pose national security risks.

Fines and Penalties

Non-compliance with the NSIA can lead to severe consequences, including fines (up to 5% of a company’s global turnover or £10 million, whichever is higher) and potential criminal liability for senior executives involved in the transaction.

Next, let’s look into the companies that are impacted by this legislation.

Who is Affected?

The NSIA is not limited to large multinationals or defense contractors. It impacts small and medium enterprises, startups, investors (domestic and foreign), and even academic institutions if their activities fall within the sensitive sectors. Any business involved in mergers, acquisitions, asset sales, or even joint ventures within these sectors must be aware of their obligations.

The list of 17 sectors includes:

1. Advanced Materials
2. Advanced Robotics
3. Artificial Intelligence
4. Civil Nuclear
5. Communications
6. Computing Hardware
7. Critical Suppliers to Government
8. Cryptographic Authentication
9. Data Infrastructure
10. Defense
11. Energy
12. Military and Dual-Use
13. Quantum Technologies
14. Satellite and Space Technologies
15. Suppliers to the Emergency Services
16. Synthetic Biology
17. Transport

Each sector’s detailed definition helps businesses determine if they fall within the scope of mandatory notifications.

Now that you know what NSIA is, let’s see how it impacts businesses that meet the definition of the above 17 sectors.

Impact on Organizations

Below are the ways in which the NSIA impacts organizations of all sizes.

Increased Due Diligence Requirements

Organizations involved in mergers and acquisitions must conduct thorough due diligence to assess whether the NSIA applies to their transactions. Legal teams must understand the nature of the business, the potential national security implications, and whether the government’s approval is required. All these processes can extend transaction timelines and increase costs due to legal consultations and compliance processes.

Potential Deal Delays

With mandatory notifications, companies cannot complete a deal until they receive clearance from the government. The review period can take up to 30 working days, or longer if the government requires a deeper review. Businesses must factor in these potential delays during negotiations, which can influence deal terms and pricing.

Confidentiality Concerns

Filing a mandatory or voluntary notification involves submitting sensitive information about a transaction to the government. Some businesses worry about confidentiality and how such data might be handled. Moreover, proper procedures must be followed to ensure data security and confidentiality during compliance checks.

Greater Risk Assessment

For foreign investors, the NSIA signals the UK’s heightened focus on protecting its national interests. While this is a legitimate concern, it also creates uncertainty for investors who may be unsure whether their deals will face scrutiny. Organizations must weigh these risks and work closely with advisors to understand potential obstacles before entering negotiations.

In light of the above compliance implications, let’s look at some practical strategies that companies can take to meet these requirements.

Compliance Strategies

Companies that come under the mandatory sectors of the NSIA regulations can consider the following strategies to ensure compliance.

Build a Strong Compliance Team

Organizations should consider forming dedicated compliance teams or working with external legal advisors familiar with the NSIA. These teams can monitor transactions, assess their national security implications, and manage the notification process with the government.

Conduct Sector-Specific Risk Assessments

Understand how your business activities relate to the NSIA’s sensitive sectors. If you operate in a sector listed by the Act, map out potential national security risks and determine how your operations might be perceived by government authorities.

Proactive Engagement with Authorities

In cases of uncertainty, proactive engagement through voluntary notifications can provide clarity and reduce risks of future intervention. This is particularly important for organizations whose transactions, even if not subject to mandatory reporting, may still pose concerns.

Monitor Legal and Regulatory Updates

Given that the UK government has the flexibility to amend sectors and regulations covered under the NSIA, staying informed is key. Establish regular reviews of compliance obligations and be ready to adapt as changes are announced.

Prepare for Contingency Planning

Compliance risks under the NSIA may not always be predictable. Make contingency plans for transactions that could be called in for review, delayed, or modified. These plans should account for the legal, operational, and reputational risks involved.

Establish Internal Training Programs

Ensure that your team members, especially those involved in mergers and acquisitions, legal, and compliance functions, are well-versed in the requirements of the NSIA. Provide regular training sessions and workshops to help employees understand the scope of the legislation, identify red flags early on, and adhere to internal compliance procedures.

Use Transaction Screening Tools

Leverage technology and specialized software to screen transactions for potential national security risks. Automated tools can flag areas of concern based on criteria defined under the NSIA, making it easier for your compliance team to assess deals quickly and accurately.

Engage with External Legal Experts

While internal compliance teams play a key role, partnering with external legal experts who specialize in NSIA compliance can be invaluable. They bring a wealth of experience, stay updated on regulatory changes, and offer insights on navigating complex scenarios, reducing the likelihood of missteps during a transaction.

Develop a Notification Protocol

Create a step-by-step notification protocol for transactions that may require government review. This protocol should outline when and how to make a mandatory or voluntary notification, assign roles and responsibilities within the organization, and include procedures for compiling relevant documents and data for submission.

Conduct Regular Audits of Past Transactions

Given the NSIA’s retroactive powers to review transactions that occurred up to five years prior, conduct periodic audits of past deals to ensure compliance. Identify transactions that could raise potential security concerns and determine whether additional actions or voluntary notifications are necessary.

Implement a Cross-Departmental Risk Assessment Process

Integrate a cross-departmental approach to risk assessment by involving teams from legal, compliance, cybersecurity, and operations. This ensures that diverse perspectives are considered when evaluating a transaction’s national security implications. It can also help in creating comprehensive risk mitigation strategies.

Strengthen Cybersecurity and Data Privacy Measures

Organizations that manage sensitive data or technology should enhance their cybersecurity and data privacy frameworks to demonstrate robust controls. Strong protections can reduce national security risks and mitigate potential concerns from government authorities during a compliance review.

Document Decision-Making Processes

Maintain detailed records of how compliance decisions are made, especially for transactions involving NSIA-covered sectors. This documentation can demonstrate due diligence and informed decision-making, which is valuable if the government calls in a transaction for review.

Monitor the Global Investment Landscape

Stay attuned to how similar legislation is evolving in other countries, such as the U.S. CFIUS regulations or the EU’s foreign investment screening mechanisms. Also, make sure to understand other related UK legislation to create a comprehensive compliance process. Learning from international compliance trends can offer a broader perspective and help refine strategies for dealing with UK regulatory requirements.

Assess Reputational Risks

Consider the reputational implications of transactions under NSIA scrutiny. Ensure that communications strategies are in place to address public or stakeholder concerns, particularly if the government’s review or intervention in a deal becomes a matter of public knowledge.

With these strategies, businesses can confidently meet the NSIA’s regulations.

Final Thoughts

In all, the UK’s National Security and Investment Act represents a major change in how the government assesses the impact of foreign and domestic investments on national security. Businesses must adapt their businesses according to the Act’s provisions and must accordingly create compliance frameworks and transaction strategies. The focus on protecting critical sectors is understandable, but navigating the complex compliance requirements can be challenging. With proper planning, due diligence, and engagement with advisors, companies can ensure they meet their obligations and minimize risks while continuing to grow and invest.