National Security and Investment Act 2021:

Summary

The National Security and Investment Act 2021 (the Act) is due to come into force on 4 January 2022. The Act gives the Secretary of State extensive powers to review transactions where it considers there is or may be a risk to national security. Given the recognised importance of energy and infrastructure assets, it is likely that projects in these sectors in the United Kingdom will regularly be caught and scrutinised under the Act. Although intended primarily to apply to M&A transactions, the scope of the Act is much wider and will pose obstacles that need to be considered by parties when planning the financing of energy and infrastructure assets.

The Act will be administered by the Investment Security Unit (the ISU), a newly formed unit within the Department for Business, Energy and Industrial Strategy.

The Act contains two main areas that parties to project finance transactions will need to consider:

1. The Secretary of State’s power to call in and review transactions on national security grounds. This power has a very wide scope and could potentially apply to a project financing at different stages of the project’s cycle: financial close of the funding, on syndication and other transfers of debt, as well as at enforcement and on transfers of equity interests. The Secretary of State’s powers in these circumstances are wide ranging, but have to be exercised in a manner that is proportionate to the national security risk posed. Although the published policy guidance suggests that the Secretary of State will look at financing transactions primarily at the enforcement stage, and only review loan transactions at the funding stage in exceptional circumstances, the risk of call-in should be analysed even at the funding stage, and the making of a voluntary notification to the ISU considered if the project is in a sensitive sector.
2. The obligation to notify the Secretary of State of certain transactions. If a transaction subject to this mandatory notification obligation completes without the prior approval of the Secretary of State, that transaction will be void. The mandatory notification obligation applies to all acquisitions of shareholdings and/or voting rights exceeding 25%, and so would be relevant to a transfer of equity, including on enforcement of security (although there is also some uncertainty about whether it might also apply when taking security over the shares in a Scottish company). The mandatory notification obligation applies to “qualifying entities” that fall within one of the seventeen sensitive sectors, which include the energy, civil nuclear and transport sectors, that satisfy certain technical specifications. The obligation will apply irrespective of the likelihood of any risk to national security (and even applies to purely domestic transactions that satisfy the criteria). This will add process risk and delay to any share transfer, which could have a particular impact in an enforcement scenario.

The Act will therefore need to be taken into account both at the time of lending, if the funders will be acquiring either shares (which can, in some circumstances, be triggered when taking security over the shares) or contractual rights (such as the usual controls contained in the finance documents) giving them control over a qualifying entity or assets, and also at the time of enforcement. A change in the degree of control is also a trigger event subject to the Act. The possible effect on enforcement should also be considered by funders when making their initial assessment of a project prior to lending, as the potential impact on recovery could affect their credit analysis of the project.

Overview of act

Secretary of State’s power to call in and make orders

Under the Act, the Secretary of State has the power to call in transactions where it reasonably suspects that:

1. a trigger event has taken place, or arrangements are in progress or contemplation which will lead to a trigger event taking place; and
2. that trigger event gives rise to or may give rise to a risk to national security.

A trigger event occurs if a person gains control of a qualifying entity or a qualifying asset. Control includes:

1. in respect of a qualifying entity:
   1.1 that person increasing its shareholding in the qualifying entity to above 25%, to above 50% or to 75% or more;
   1.2 that person increasing its voting rights in the qualifying entity to above 25%, to above 50% or to 75% or more;
   1.3 that person acquiring sufficient voting rights to enable it to secure or prevent the passing of any class of resolution governing the affairs of the qualifying entity; or
   1.4 that person becoming able materially to influence the policy of the qualifying entity; and


2. in respect of a qualifying asset:
   2.1 that person becoming able to use the asset, or use it to a greater extent than prior to the acquisition; or
   2.2 that person becoming able to direct or control how the asset is used, or direct or control how it is used to a greater extent than prior to the acquisition.

Voting rights refer to rights to vote on all or substantially all matters at general meetings conferred on shareholders in respect of their shares or equivalent rights conferred on members (in respect of qualifying entities which do not have shares). The holding of such voting rights can, however, include where a person has an arrangement (contractual or otherwise), whereby the shareholder will exercise the voting rights in accordance with that person’s instructions or only with that person’s consent. Where that arrangement only applies after the occurrence of a specified event (such as an event of default or the enforcement of security), then the person entering into the arrangement with the shareholder will only be taken to hold the voting rights upon that event occurring or the event becoming under the control of that person.

A qualifying entity is any entity that is not an individual, and includes companies, LLPs, partnerships and unincorporated associations. It also includes entities formed or recognised outside of the United Kingdom, which either carry on activities in the United Kingdom or supply goods or services into the United Kingdom.

A qualifying asset is land, tangible moveable property, and ideas, information or techniques which have industrial, commercial or other economic value (which latter include, for example, trade secrets, plans and designs). Land and moveable property outside the United Kingdom are included if used in connection with activities carried out in, or supply of goods or services to persons in, the United Kingdom.

If the Secretary of State is satisfied, on the balance of probabilities, that a risk to national security has or would arise from the trigger event, the Secretary of State may make an order if it reasonably considers that such order is necessary and proportionate for preventing, remedying or mitigating that risk. The order may include requirements that a person do or not do things and/or appoint a person to conduct or supervise the conduct of activities. It is likely that such orders would reflect the sorts of remedies used in existing public interest cases (such as the ring fencing of certain sensitive information or imposing nationality requirements on directors) or merger control cases (such as requirements to divest of assets, preventing completion or prohibiting the transaction).

There is scope under the Act for the Secretary of State to provide a statement as to how it expects toexercise its call-in powers, and such a statement (the Statement of Policy Intent) was laid before Parliament on 2 November2021. In order to maintain flexibility, the Statement of Policy Intent does not set out thecircumstances when national security is, or may be considered, at risk. It does, however, indicate thatthe Secretary of State will exercise the call-in power where there is potential to harm UK nationalsecurity, which includes risks to government and defence assets (infrastructure, technologies andcapabilities), such as disruption or erosion of military advantage; the potential impact on the UK’scritical infrastructure; and the need to prevent actors with hostile intentions building defence ortechnological capabilities which may present a national security threat. The Statement of PolicyIntent indicates that when exercising the call-in power, the Secretary of State will consider:

1. target risk: whether the target of the qualifying acquisition (the entity or the assets beingacquired) is being used, or could be used, in a way that poses a risk to national security.Qualifying acquisitions are most likely to be considered for call in if they fall within one ofthe 17 sensitive areas of the economy identified in the Notifiable Acquisition Regulations (asreferred to and discussed below) or other areas of the economy closely linked to them;
2. acquirer risk: whether the acquirer has characteristics that suggest there is, or may be, a riskto national security from the acquirer having control of the target, such as the sector(s) ofactivity, technological capabilities and links to entities which may seek to undermine orthreaten the national security of the UK. Some characteristics, such as a history of passive or longer-terminvestments, may indicate low or no acquirer risk;
3. control risk: whether the amount of control that has been, or will be, acquired through the qualifying acquisition poses a risk to national security. A higher level of control may increase the level of national security risk .

For most qualifying acquisitions, the overall consideration of these risk factors is expected to indicate a low risk to national security.

The call in power will also apply to transactions that complete from 12 November 2020 (the day after the Bill in respect of the Act was introduced to Parliament). To that extent, the Act has retrospective effect.

Notification obligation

The Act includes a mandatory notification requirement for any acquisition whereby a person gains control of a qualifying entity of a specified description to be notified to the ISU. Note that for these purposes, control by gaining material influence (as described in 1.4 above) is not sufficient for a mandatory filing obligation (but, as discussed above, it can be subject to a call-in), but instead requires one of the criteria described in paragraphs 1.1, 1.2 or 1.3 above to be satisfied.

The specific descriptions will be set out in secondary legislation. Draft regulations (the Notifiable Acquisition Regulations) were published on 20 July 2021, with a revised draft published on 6 September 2021. The draft Notifiable Acquisition Regulations list 17 areas of the economy where the Government consider national security risks are more likely to arise than in the wider economy. The 17 areas listed are Advanced Materials, Advanced Robotics, Artificial Intelligence, Civil Nuclear, Communications, Computing Hardware, Critical Suppliers to Government, Cryptographic Authentication, Data Infrastructure, Defence, Energy, Military and Dual-Use, Quantum Technologies, Satellite and Space Technologies, Suppliers to the Emergency Services, Synthetic Biology and Transport. Within each of those areas, the draft Notifiable Acquisition Regulations specify the criteria for entities that will be subject to the mandatory notification requirement. These criteria comprise some quite technical specifications on the types of activities and size and nature of facilities being operated. Projects should be assessed against these criteria to identify whether the transaction will be subject to the mandatory notification obligation.

The Act and the draft Notifiable Acquisition Regulations require that the qualifying entity be “carrying on” the relevant activity. “Carrying on” is not defined for these purposes. Although it would seem unlikely that a single purpose vehicle project company at financial close on a greenfield project, with permitting and licences in place but construction not having commenced, would be caught, this cannot be ruled out.

Any transaction which falls within the mandatory notification obligation and which completes without the approval of the Secretary of State will be void and the party/parties acquiring control will be subject to fines. There are no safe harbours and the notification obligation applies irrespective of the identity of the purchaser, even where the transaction is entirely domestic.

Voluntary notification

Where the transaction does not fall within the mandatory notification obligation but where the parties are concerned about a risk that the transaction might be called in, it is open to parties to make a voluntary notification (e.g. because there is only the acquisition of material influence, or because it relates to an interest in a relevant asset). Submitting a voluntary notification can provide certainty to the parties, as it requires the Secretary of State to either call the transaction in or give notice that it will not do so. This process can also be preceded by informal discussions with the ISU, to obtain initial (albeit non-binding) guidance about the likelihood of a proposed transaction being called in for review.

The Statement of Policy Intent provides a degree of guidance when considering whether to make a voluntary notification, as it gives illustrative examples of the factors the Secretary of State will take into account. However, the Statement of Policy Intent is generally widely drafted and states that qualifying acquisitions will be assessed on a case by case basis, taking into account all relevant considerations. Currently allvoluntary notifications are being submitted on a confidential basis, and it will take time for there to be a body of published decisions which provide parties and their advisers with the necessary guidanceas to how the Act and the powers it confers on the Secretary of State are exercised in practice. Untilsuch time as that body of decisions has developed, practitioners can be expected to take a cautiousapproach to making voluntary notifications.

Timelines

The Secretary of State may exercise the call in powers within six months after becoming aware of the trigger event, subject to a longstop of five years from the occurrence of the trigger event. The five year period does not apply to transactions which are subject to the mandatory notification obligation and have completed without the Secretary of State’s approval (and are therefore void under the Act).

Where a notification (mandatory or voluntary) is made, the Secretary of State has 30 working days from the date on which it accepts the notification to either give a call-in notice or approve the transaction. Once a call-in notice has been given, the Secretary of State has a further period of 30 working days to assess the transaction. This period can be extended by the Secretary of State for an additional 45 working days, and beyond that with the agreement of the acquirer. Prior to the Secretary of State accepting a notification, there can be an (unlimited) period of informal discussion, and the Secretary of State may reject the notification if it does not meet the requirements of the Act or the Notifiable Acquisition Regulations or if it does not contain sufficient information to allow the Secretary of State to decide whether to give a call-in notice.

Issues for project finance transactions

Financing stage

Project financing is (subject to the points discussed below) unlikely in itself to trigger the mandatory notification obligation, even if the project company developing the project and holding the project assets (the SPV) would fall within the descriptions specified in the Notifiable Acquisition Regulations. Situations where, if the project falls within the activities listed in the Notifiable Acquisition Regulations, the risk of a mandatory notification obligation applying at the initial financing stage should be considered include:

1. taking security over shares if, in addition to the right to exercise the rights attaching to the shares for the purpose of preserving the value of the security (or realising it), the voting rights attached to the shares are (even prior to enforcement) exercisable only in accordance with the Security Agent’s instructions. This would not, however, be expected to apply unless the undertakings given by the shareholder granting the security went beyond what is customarily given to senior funders. Furthermore a trigger event can occur where the Security Agent (or its nominee) is registered as the shareholder when the security is taken. Legal mortgages over shares in this manner are unusual under English law, but is normal under Scots law as it is the only way to create fixed security. Where this is a risk and parties are seeking to avoid the need to make a notification, they should consider structuring the transaction to avoid the need for such Scottish share security (for example, by using an England and Wales incorporated SPV or holding company); and
2. if the transaction also involves an acquisition of an SPV that satisfies the criteria for mandatory notification. This can also apply on a reorganisation, as intra-group transfers are not excluded from the Act’s scope.

Even if these considerations do apply, the full test might not be satisfied (for example, if the project has not yet been constructed and the SPV is not considered to be “carrying on” the relevant activity).

The granting of a loan could be at risk of a call-in if it constitutes an acquisition of a material interest in, or in relation to, a qualifying entity and/or a qualifying asset, which satisfies the tests for control set out above, and this gives rise to or may give rise to a risk to national security. This might occur upon entering into the finance documents or at financial close if the provisions of those finance documents contain sufficient control over the business of the SPV to constitute a material influence on the policy of the SPV and/or control over any project asset which is a qualifying asset, particularly if this is combined with taking security over the shares in and assets of the SPV. Given the detailed controls contained in project finance documentation, this could potentially be a risk, as funder controls in finance documents can include positive as well as negative control, which control is aimed at ensuring that the SPV implements the project in the manner envisaged by the financial model and due diligence. The Statement of Policy Intent provides comfort here, stating that “loans … are unlikely to pose a risk to national security and so are unlikely to be called in”. However, this does not rule out the possibility of calling in a loan transaction, and it is also not clear whether this statement contemplates loan transactions having the level of control that is customary in project finance. Each transaction should, therefore, be considered on a case by case basis. The question is one of degree, and funders should consider whether to require that a voluntary notification and obtaining clearance be made a condition precedent. When determining whether to do so, the risk of call-in should be analysed, taking into account the Statement of Policy Intent. The funders should consider the nature of the SPV and the project, and in particular whether it operates (or will operate, once construction is complete) in one of the sensitive areas listed in the Notifiable Acquisition Regulations, and the identity of the proposed funder group (i.e. whether any of them might be expected to cause the Secretary of State to have national security concerns).

A transaction may be caught by the Act even where it is only one of the members of the funder syndicate that raises national security concerns for the Secretary of State. Typically there may be multiple funders collectively agreeing to certain parameters within which the SPV must operate and use its assets, and consent requirements in relation to the likes of any changes to budgets and expenditure, with all the funders’ rights being exercised through a facility agent. While none of the individual funders will likely acquire control for the purposes of the Act, the Act explicitly captures the situation where, and it provides that, “two or more persons who share a common purpose in relation to an asset or entity are each to be treated as holding the combined interest or rights of both or all of them.” A common purpose will include cases in which the persons co-ordinate their influence on the activities, operations, governance or strategy of the entity.

Secondary markets

Changes to equity ownership during the life of the project can trigger the mandatory notification obligation and/or be grounds for the Secretary of State to call the transaction in. Indirect holdings of shares can constitute control for the purposes of the Act, and so a change in equity ownership higher in the corporate structure could also be caught. Risks will primarily sit with the sponsors (particularly the purchaser), but funders should also be aware, particularly in situations where share security granted by an outgoing shareholder is released on the strength of new share security granted by a purchaser, if there is a risk that the purchaser’s acquisition may be void or subject to an order following call in.

Changes to debt holdings within a syndicate of funders could also be caught. If the finance documents contain sufficient controls to satisfy the test for control in respect of the SPV (including under the “material influence” limb of the test for control) and/or any project asset which is a qualifying asset, then a change in the syndicate may also constitute a trigger event that could be subject to call in.

On a refinancing, the considerations set out in the section above in respect of the financing stage will apply. However, as the circumstances may have changed the transaction would have to be analysed again. For example, if construction has been completed since the original financing, the SPV may now be “carrying on” an activity listed in the Notifiable Acquisition Regulations. If the elements required to establish an acquisition of control over the SPV are met (which might be the case if, for example, there were a corporate reorganisation to bring projects into a portfolio financing), then the refinancing transaction may be subject to the mandatory notification obligation. Even if the refinancing is not caught by the mandatory notification obligation, it may constitute a new trigger event that is at risk of call-in and the parties should consider whether to make a voluntary notification.

Enforcement

The most material impact that the Act will have on project financings (from the funder perspective) will be at the enforcement stage. If enforcement involves the sale of the shares in an SPV which satisfies the criteria for mandatory notification, including the Security Agent (or its nominee) taking possession of such shares as part of a workout process (although rights exercisable by an administrator or creditors in any insolvency situation are excluded), then that would be subject to the pre-condition to give a mandatory notification. That could add a significant delay to the enforcement process, at a stage when time may be critical. As the share transfer would be void if notification is not made, this delay cannot be avoided. Funders should engage with the ISU as early as possible. Confidentiality issues will have to be borne in mind when considering the extent of the information to disclose to the ISU, as the ISU will be expected to engage with other departments (e.g. Ministry of Defence and/or Foreign, Commonwealth and Development Office) when assessing any transfer. If the transaction is subject to the mandatory notification obligation, while any pre-notification discussions can be confidential, the formal notification will be made public by the ISU (although the detailed information in the notification form may not be).

If any transfer pursuant to enforcement action does not satisfy the criteria for mandatory notification, it may still be susceptible to being called in. Consideration should be made of whether it is preferable to make a voluntary notification, and accept the potential delay to completion, or to proceed without notification, with the purchaser taking the risk of the transaction subsequently being called in.

Enforcement by asset sale may also be vulnerable to call in, if the project assets include any “qualifying assets” for the purposes of the Act. Structuring enforcement as an asset sale will not, therefore, remove the risk of call in. Asset sales would, however, not be subject to the mandatory notification obligation. They could, therefore, usefully be considered for projects which fall within the criteria that would make a share sale subject to mandatory notification, but where the parties consider the risk of call in to be very low.

Funders should consider carefully the identity of the Security Agent. If enforcement is effected by the Security Agent, or a wholly owned subsidiary of it, taking possession of the project (either the shares in the SPV or the project assets), the Secretary of State would be considering the acquirer risk in respect of the Security Agent.

If there is a need to notify the ISU of the transaction (either as a result of the mandatory notification obligation or because there is a risk of call in and the parties agree to make a voluntary notification), it will add delay to the enforcement process. The Secretary of State has up to 30 working days from the date on which it accepts the notice to either call in the transaction or to approve it. The notification may not be accepted upon first submission (for example, if the Secretary of State does not consider that it contains sufficient information about the transaction for the Secretary of State to assess it). Some additional engagement may therefore also be required prior to the time period commencing.

Cross border considerations

The Act also applies to entities formed or recognised outside of the United Kingdom, which either carry on activities in the United Kingdom or supply goods or services into the United Kingdom and to assets which are used in connection with activities carried out in the United Kingdom or the supply of goods or services to persons in the United Kingdom. The Secretary of State can make orders applying to persons outside the United Kingdom and to persons within the United Kingdom (such as customers and suppliers) who may be connected with a transaction which is called in, even if not themselves the acquirer. The Act should, therefore, be considered on any transaction which may be within its scope where there is a nexus to the United Kingdom, even if it is not the most obviously relevant jurisdiction.

Other jurisdictions also have legislation relating to investments and national security concerns. Where there is a cross border element to the project, the impact of these should be considered for all jurisdictions relevant to the transaction. Please see our Multi-jurisdiction guide for screening foreign investments (available here) for further details.

Conclusion

As can be seen from the above, the Act is wide reaching and has the potential to impact transactions at all stages of a project. Projects are very likely to fall within one of the 17 sensitive areas of the economy identified by the government as being at higher risk of national security concerns. The consequences of failing to address the implications of the Act can be very significant, particularly if the transaction is subject to the mandatory notification obligation. Sponsors and funders should therefore consider the risks arising from the Act as part of the due diligence process as early as possible when planning any transaction at any stage of a project’s life.