chevron-down Created with Sketch Beta.

International Law News

International Law News, Fall 2023

Compliance Risks and CFIUS Enforcement: Lessons from the Beijing UniStrong Case

Nathaniel Fleming Reid


  • Beijing UniStrong announced that it entered into an agreement with CFIUS to divest of Hemisphere GNSS, a Canadian/American subsidiary on August 23, 2022.
  • While the decision to divest was nominally voluntary, it likely reflected communications from CFIUS to Beijing UniStrong that the Hemisphere GNSS acquisition had been determined to be a national security risk.
  • This article looks at the role that proper compliance plays in decreasing enforcement risks that the increased use of commercial products in UAV and other weapons can present to foreign investors.
Compliance Risks and CFIUS Enforcement: Lessons from the Beijing UniStrong Case
Ian.CuiYi via Getty Images

Jump to:

On August 23, 2022, Beijing UniStrong Science & Technology Co., Ltd. (Beijing UniStrong) announced that it had entered into an agreement with the Committee on Foreign Investment in the United States (CFIUS) to divest of Hemisphere GNSS, a Canadian/American subsidiary.

Beijing UniStrong acquired Hemisphere GNSS in 2013, nearly ten years earlier. The Hemisphere GNSS acquisition had been a critical success for Beijing UniStrong, allowing the Chinese technology distributor to enter the R&D market. In the four years following the acquisition, Beijing UniStrong’s revenue jumped from $77 million to $370 million. As such, the decision to abandon such a successful partnership would come as a surprise.

While the decision to divest was nominally voluntary, it likely reflected communications from CFIUS to Beijing UniStrong that the Hemisphere GNSS acquisition had been determined to be a national security risk that could not be resolved through mitigation. However, the initial divestment announcement provided no information as to the possible security risk that could lead to such an outcome.

Some clarity was provided in December 2022 when Beijing UniStrong was listed on the Department of Commerce Bureau of Industry and Security’s (BIS) Entity List for “facilitat[ing]” the “export of U.S.-origin electronics…to Iran for use in the production of military unmanned aerial vehicles and missile systems used in attacks throughout the Middle East.”

The Beijing UniStrong case is one in an emerging trend of U.S.-origin goods being discovered in drones and weapons used in battlefields in the Middle East and Ukraine. For example, a recent analysis conducted of the components of three downed Iranian drones used in Ukraine concluded that out of over 500 total components, more than 80% were manufactured by companies based in the U.S. Another report has documented how American semiconductors are being sold by third parties to Russia in potential contravention of export controls. And it’s not just cutting edge microchips that are of concern. Agricultural drones, older semiconductors, and even voice recognition software can be used in military applications.

Like the specific goods in the Beijing UniStrong case, some of these technologies are subject to less-restrictive controls. However, as the Beijing UniStrong case illustrates, the cost for compliance lapses involving dual use goods, even those subject to less-restrictive controls, can be severe. The downside risks are especially acute for foreign investors in U.S. businesses caught in these investigations, who may be ordered to divest by CFIUS.

This article looks at the role that proper compliance plays in decreasing enforcement risks that the increased use of commercial products in UAV and other weapons can present to foreign investors.

CFIUS, Export Controls, and Compliance Risks

CFIUS is an interagency government panel charged with investigating the impact on national security from foreign investments in the United States. CFIUS has jurisdiction over controlling acquisitions of U.S. businesses as well as certain non-controlling investments into U.S. businesses. While “national security” is not defined by statute or regulations, CFIUS cases have generally focused on three issues: critical technologies, critical infrastructure (e.g., the Dubai Ports World case), and sensitive personal information (e.g., Grindr and TikTok).

In the CFIUS context, critical technologies generally refer to goods or technologies that are controlled by U.S. export control laws. Critical technologies include a number of commercial items with military applications. For example, a number of commercial items such as the microchips that power our phones and computers, the GPS technology in our phones or Fitbits, as well as the AI used by Uber all have military uses. The export of dual use goods is governed by the Export Administration Regulations (EAR) which are administered by The Bureau of Industry and Security (BIS), part of the U.S. Department of Commerce.

The EAR and the Commerce Control List specify the control levels for items covered by the EAR. In recent years, BIS has advanced a number of innovative targeted enforcement tools that focus on prohibited end uses and end users. These fall into a combination of ways to restrict the foreign production of critical technologies that utilize U.S. origin goods and technologies and a variety of end-user and end use controls, including the Entity List, the Military End User List, and the Unverified List. BIS may also send so-called “is informed” letters, notifying exporters or license requirements outside of the EAR. It is likely that Hemisphere GNSS received such an “is informed” letter.

Civil violations of export control licensing requirements are a strict liability offense. That being said, not all instances are prosecuted. Former Pentagon official Gregory Allen, now at the Center for Strategic International Studies, explains in the context of Iran why not all U.S.-origin products that end up in the wrong hands lead to enforcement actions:

U.S. companies probably are not aware of exactly how their parts reached Iran. These kinds of components, which are in widespread commercial use, are routinely sold to overseas distributors. Companies usually have large compliance departments that thoroughly vet buyers of their products. Larger distributors, however, may sell to smaller distributors or resellers. The first few transactions may be legal sales to reputable entities, but the fourth or fifth sale down the line could go to a smuggler with links to the Iranian military. Compliance departments cannot do much to track parts sold years ago that could have changed hands several times.

The key issue is an effective compliance program that identifies risks and ensures that adequate due diligence is conducted. Effective compliance programs also identify violations and help qualify for incentives for voluntary self-disclosures. Recent enforcement policies issued by CFIUS have similarly emphasized compliance.

In October 2022, CFIUS published the CFIUS Enforcement Penalty Guidelines (Guidelines). The Guidelines provide clarity on the violations that CFIUS monitors as well as how it discovers and investigates potential violations. The Guidelines list six aggravating and mitigating factors that CFIUS considers in determining whether to take action as well as in assessing the appropriate penalty. Those factors are (1) accountability and future compliance; (2) harm; (3) negligence, awareness, and intent; (4) persistence and timing; (5) response and remediation; and (6) sophistication and record of compliance.

An effective compliance program could significantly decrease the risk of adverse findings for all of the Guidelines’ criteria for enforcement.

Export Control Compliance Risks in the Beijing UniStrong Case

The Beijing UniStrong case illustrates a number of compliance risks.

Changes in regulations and business practices

The Beijing UniStrong case illustrates the compliance risks from changes in regulations. The Department of Justice makes note of this in its Evaluation of Corporate Compliance Programs: “a company’s business changes over time, as do the environments in which it operates, the nature of its customers, the laws that govern its actions, and the applicable industry standards.”

While the technology classification at issue in the Beijing UniStrong (7A994) is not new, it was historically only controlled for anti-terrorism, meaning that a license was only required for sales to countries subject to a U.S. embargo. However, in 2020 goods under ECCN 7A994 were added to a list of specific technologies that required export licenses for sales to targeted military end-users and military end-uses. Parties who knowingly provided U.S. origin 7A994 goods to certain military end users or for end uses without a license could be liable for violation of export controls.

Insufficient end-user due diligence

Insufficient end-user due diligence is a common compliance issue. This is in part because of the skill which state actors and sophisticated parties have in setting up shell companies to evade U.S. sanctions. When they are discovered and highlighted by governments, new shell companies are created. In the words of Gregory Allen of CSIS, it’s a game of “Whack-a-Mole.” Making matters worse for compliance, businesses are often a step behind governments in identifying shell companies. However, businesses still must perform sufficient end user due diligence.

To aid this process, BIS has published a non-exhaustive checklist of red flag indicators for KYC. These include issues such as customers or purchasing agents who are reluctant to offer information about the end use or end users or abnormal shipping routes. Businesses would do well to incorporate these checks into their export compliance programs.

Comprehensive sanctions and embargoes

Another common compliance difficulty, particularly for non-U.S. parties, are the U.S. embargoes and comprehensive sanctions regimes. Violations of embargoes, such as sales to Iran, have been a key issue in a number of export control cases involving Chinese companies, including ZTE and Huawei, in addition to the Beijing UniStrong case.

While most countries do not have laws as strict as the U.S.’s embargo on Iran, great attention must be paid by investors to ensure that Iranian sanctions are not violated. The U.S. has been vigilant in enforcing these laws, and any compliance failure that leads to U.S.-origin technology being used by Iran or its proxies on a battlefield could be the grounds for an export control enforcement action and potential divestment order by CFIUS.

Other Considerations Raised by the Beijing UniStrong Case

In addition to the specific compliance risks raised in the Beijing UniStrong case, there are a number of practical considerations raised by the case which deserve discussion.

Extraterritorial Jurisdiction of CFIUS and Export Controls

In addition to end-user and end-use controls, U.S. export controls have garnered much attention for their development of tools to target certain non-U.S. origin goods. Through the de minimis rules and the Foreign Direct Product Rule, BIS has been able to extend jurisdiction to certain foreign-produced goods that incorporate specified amounts of U.S. goods or technologies or that are the foreign direct product of U.S. goods or technologies.

The complexity of the foreign direct product rules and the end user controls of the EAR can be contrasted with the deceptive simplicity of CFIUS’s jurisdiction. CFIUS’s jurisdiction covers investments in U.S. businesses, which it defines as “any entity, irrespective of the nationality of the persons that control it, engaged in interstate commerce in the United States.” The sheer breadth of this definition is illustrated when contrasted with previous definitions of U.S. business as “any entity, irrespective of the nationality of the persons that control it, engaged in interstate commerce in the United States, but only to the extent of its activities in interstate commerce” (emphasis added). The former definition contained a critical limitation, whereas the current definition extends to any business that engages in interstate commerce in the U.S.–a very broad definition.

Thus, while an investor may conduct an evaluation of export controls and determine that the products are beyond the scope of the EAR and thus not require a mandatory CFIUS filing, the investor needs to understand that CFIUS jurisdiction can reach beyond even the Foreign Direct Product Rule, and CFIUS has shown a willingness to push in cases where it perceives a threat to critical national security.

A recent CFIUS case illustrates this risk. In March 2021, South Korean semiconductor manufacturer Magnachip Semiconductor Corporation announced that it had entered into a $1.4 billion agreement with Chinese state-affiliated Wise Road Capital to go private. Magnachip was listed on the New York Stock Exchange, but otherwise had no jurisdictional ties to the U.S. Magnachip’s manufacturing and research take place in South Korea, and most of its sales take place in South Korea or the Asia region. Notwithstanding, CFIUS initiated an investigation and requested that the parties file a notice. After negotiations, Magnachip and Wise Road agreed to voluntarily dismiss the acquisition in December 2021.

CFIUS’s Safe Harbor and Statute of Limitations

A critical consideration illustrated by this case is the protections provided by CFIUS’s safe harbor rule. Transactions that have received approval from CFIUS, whether through voluntary or mandatory filings, receive a safe harbor. This means that absent egregious circumstances such as material violations of mitigation agreements or materially false statements made to CFIUS during the investigation, CFIUS cannot revisit the transaction. This is true even if certain technologies or issues are later determined to be of greater national security concerns.

To illustrate, if Beijing UniStrong had sought and obtained CFIUS approval of the Hemisphere acquisition before BIS increased the controls on the items, CFIUS would not have authority to claw back and order a divestment.

On the other hand, for those that opt not to file, there is no statute of limitations for CFIUS. As illustrated by the Beijing UniStrong case, CFIUS will investigate transactions from as far back as a decade ago if it deems the acquisition a risk to U.S. national security.

Government Focus on Increases the Chances of Scrutiny

The Beijing UniStrong case provides a prime example of the ways in which export controls and CFIUS cases can be developed. It is quite possible that the Beijing UniStrong case developed with something like the study of downed drones in Ukraine cited above: a downed drone was disassembled by a foreign intelligence agency, and its parts were searched for evidence of foreign-origin items. The engineers noticed English names or a serial number or other indicia of foreign origin. From there they began tracing the item. They likely first looked at the original parts manufacturer, Hemisphere GNSS, and then from there Beijing UniStrong. At this point, the U.S. Government may have gotten involved, investigating Beijing UniStrong, noticing that Hemisphere GNSS was actually a covered transaction under CFIUS. While there is not publicly available corroboration, such a process seems plausible.

The Biden administration has launched a number of task forces to combat sanctions evasion, such as a reported task force investigating the use of Iranian-made drones in Russia and the Disruptive Technology Strike Force. These programs all increase the likelihood that a compliance lapse will be discovered and investigated.


The Beijing UniStrong case presents a cautionary tale for foreign investors considering investing U.S. business that develops or manufactures critical technologies. There are a number of common risks in the Beijing UniStrong case, that if mitigated with an effective compliance program, potentially could have avoided a divestment.