An Update: UK National Security Investment Controls now in Effect

The UK National Security and Investment Act 2021 took full effect on 4 January 2022, giving the UK Government unprecedented new powers to intervene in deals it suspects could threaten UK security. Early experience is that there can still be surprise at the extent of the Act’s scope and application, and that it will take some time for assessments to standardise and become routine. This piece summarises the key questions and issues for deal-makers both in the UK and beyond.

Mandatory notification

The Act’s mandatory notification obligation became ‘live’ on 4 January. Within-scope acquisitions are void if they complete without approval, with the acquirer vulnerable to significant civil and criminal penalties.

What entities are covered?

The obligation to notify arises where an investor acquires “control” (see below) over an entity (any non-natural person or body) active in any of the 17 high-risk sectors identified by the Government:

• Advanced Materials
• Advanced Robotics
• Artificial Intelligence
• Civil Nuclear
• Communications
• Computing Hardware
• Critical Suppliers to Government
• Cryptographic Authentication
•  Data Infrastructure
• Defence

What level of control triggers notification?

A person gains control over a within-scope entity where they acquire:

• Shares or voting rights that take them above thresholds of 25%, 50% or 75% (with a new notifiable acquisition each time); or
• Voting rights that can ensure or prevent the passage of any class of resolution governing the entity’s affairs.

The ‘resolution’ threshold creates a grey area if investors only have the ability to veto resolutions over particular matters. This should be resolved in time, but given the stark consequences of completing without approval investors may want to be cautious when considering their veto rights.

The acquirer’s identity does not matter: the obligation applies equally to UK and non-UK buyers, and indeed even if there is no change in ultimate ownership – i.e. intra-group reorganisations will be caught. This creates scope for a very large number of deals to be notified.

What are the consequences of a deal being notifiable?

A notifiable acquisition that completes without approval is void. Such a deal can be retrospectively validated by the Government, but even an interim ‘void’ status would be very messy and best avoided.

Completing without approval can also have significant consequences for the acquirer (including any director, manager etc. of a body corporate), including up to 5 years imprisonment and/or an unlimited criminal fine, or a civil penalty of up to the higher of 5% of turnover or £10 million. A reasonable excuse will provide a defence, so buyers can hedge this penalty risk through warranties confirming the target is outside scope.

A notification requires substantial detail about the target and acquirer. The Government’s Investment Security Unit (“ISU”) has an initial 30 working day screening process to decide whether to initiate a detailed review by issuing a ‘call-in notice’. If so, it then has 30 to 75 working days (further extendible by agreement) for that full review. These timings could add weeks or even months to completion timetables.

The ‘call-in’ regime

What deals can the Government review?

While notifiable acquisitions come with the most risk, the Act also empowers the Government to review other deals if it has national security concerns. This power can be used where a “trigger event” takes place in relation to a qualifying entity (defined above) or a “qualifying asset”.

In relation to entities, a trigger event occurs where a person gains either control (defined above) or “material influence” over the target’s “policy”. The latter will generally catch vetoes over key matters such as budgets, business plans and/or board appointments. Such a deal would not have to be notified, but could be called in by the Government.

That power can be used for assets where a person acquires a right or interest in, or in relation to, a “qualifying asset” that means they can use the asset or direct or control how it is used (or do so to a greater extent). There is, again, no minimum turnover or deal value threshold.

“Qualifying asset” is very broad, covering land, corporeal moveable property and “ideas, information or techniques which have industrial, commercial or other economic value” (e.g. trade secrets; databases; source code; algorithms; formulae; designs; plans, drawings and specifications; and software). The asset must be either within the UK or its territorial sea, or otherwise used in connection with activities carried on in the UK or the supply of goods and services to persons in the UK.

A call-in notice can be issued within six months of the Government becoming aware of the acquisition, with a ‘backstop’ of five years from the acquisition date. These lengthy risk periods can be avoided by voluntarily notifying the transaction, before or after completion. That process follows the same timings as a mandatory notification.

What deals will the Government actually want to review?

The Government has issued a Statement on how it will exercise its call-in power. There is a significant focus on the 17 key sectors. The Government is more likely to call in acquisitions of entities or assets that are closely linked to the specified activities. Acquisitions outside those key sectors are said to be “unlikely” to be called in.

There is then the related question of when the Government will care about a deal, whether it is the subject of a mandatory or voluntary notification, or the Government learns about it from public or other sources.

The Statement identifies the following risk factors:

• Target risk: the entity / asset could inherently be used to undermine UK national security. The 17 key sectors are more likely to involve target risk.
• Acquirer risk: the acquirer’s characteristics suggest risk. Relevant factors include: who controls or can exploit the acquirer; its pre-existing holdings and any links to criminal activities, hostile states or organisations. The Statement disavows judgments based solely on country of origin, though foreign state involvement will inevitably be relevant.
• Control risk: the level of control acquired will be relevant to overall risk – even a hostile acquirer may be unable to do much with limited control of a target.

These factors will be considered in combination, and the Statement says the Government would expect all three to be present for a call-in. However, that is not guaranteed and all assessments will be on a case-by-case basis.

What can the Government do if it has concerns?

The Government can impose remedies to deal with any national security risks. The Act confers wide powers, but the most obvious options are blocking an uncompleted deal and unwinding a completed deal through divestment. More nuanced remedies would include operational restrictions, such as requiring that UK nationals supervise or control sensitive activities, or making UK security clearance a condition of accessing certain information, working at particular sites or holding a management role.

The Government can impose interim orders to prevent the process being frustrated, including restricting what the acquirer can do with the target pending a decision. Such orders are routine and extremely onerous in merger control, but may be even stricter in the national security context.

Are non-UK transactions covered?

The mandatory notification obligation is not limited to UK entities: any target carrying on notifiable activities in the UK will be caught. The broader call-in power covers entities carrying on activities in the UK or supplying goods or services to UK persons, and to assets used in connection with such activities or supply.

A non-UK entity that is “sufficiently involved” in the carrying on of activities or supply of goods or services in the UK will be caught. Examples in Government guidance include:

• doing business from a UK office;
• having a UK R&D facility;
• producing goods for exporting to UK customers, or distributing goods to them;
• overseeing a subsidiary with UK activities;
• doing work for UK customers / clients similar to that done from a regional office (e.g. regular service to UK customers).

For non-UK assets, the guidance points to the asset being used by a person in the UK, for the supply of goods or services into the UK (e.g. machinery used to produce equipment that is then used in the UK) or to generate energy or materials used in the UK.

The Government can pursue civil or criminal penalties against non-UK entities that breach the notification requirement.

Conclusion

The consequences of failing to comply with the Act are potentially severe, and at present appear to be resulting in an abundance of caution, at least in the short-term. Over time, practice and precedent will build up around the Act and remove some of the uncertainties. In the meantime, those involved in deals will need to understand the key questions above and consider them on a case-by-case basis.