Sign in Subscribe
Startup Central

CFIUS for Foreign-Owned LLCs: National-Security Review Checklist for Nonresident Founders

Practical CFIUS guide for nonresident founders and foreign investors forming U.S. LLCs. Includes a 10-minute triage, formation checklist, investor-rights structuring, and signals for when to engage counsel.

Promise Legal Staff

8 min read
Share
Translucent teal lattice vessel with copper nodes on deep navy; aged paper texture, right space
Loading the Elevenlabs Text to Speech AudioNative Player...

This guide is for nonresident founders and foreign owners/investors forming a U.S. LLC (often Delaware or Wyoming), plus U.S. co-founders and startup counsel who need to spot national-security friction early.

Why it matters: entity formation is mostly a state-law exercise, but some deals can trigger federal scrutiny. In particular, the Committee on Foreign Investment in the United States (CFIUS) is an interagency committee chaired by the U.S. Treasury that reviews certain foreign investments and some real-estate transactions for national-security risk. Even when you “just formed an LLC,” CFIUS questions can surface later in fundraising, bank onboarding, M&A diligence, or when selling to government/defense-adjacent customers.

This article gives you (1) a quick triage to gauge whether CFIUS is likely in play, (2) a practical formation + diligence checklist to keep your operating agreement and investor rights from creating avoidable red flags, and (3) clear signals for when to bring in counsel before timelines slip. For related formation logistics, see Can I form an LLC in a state I don’t live in? and our BOI reporting (CTA) overview.

10-minute CFIUS triage for a foreign-owned LLC

Use this as a first-pass screen. CFIUS risk usually rises when (1) a foreign person gets control or certain special rights, and (2) the business touches “TID” areas (critical technology, critical infrastructure, or sensitive personal data) or covered real estate.

  • CFIUS Likely: A foreign owner/investor can control the LLC or receives board/observer, material nonpublic technical info access, or substantive decision rights and you touch critical tech/infrastructure/sensitive U.S. personal data; you lease/buy near sensitive facilities; or you’re in a government/defense supply chain.
  • CFIUS Maybe: Foreign minority stake with governance/information rights; data-heavy SaaS; AI that could be dual-use; roadmap includes regulated customers (utilities, ports, telecom) or federal procurement.
  • CFIUS Unlikely: Passive foreign ownership with no control rights; low-risk consumer product; minimal non-sensitive data; no covered sectors and no sensitive-location real estate.

Mini-example: A nonresident founder owns 60% of a Delaware LLC building AI for logistics. During a priced round, an investor asks “CFIUS?” late in diligence, slowing the closing. A better approach: write a one-page product/customer roadmap and map it to TID categories early, then structure operating agreement and investor rights intentionally (especially board, veto, and information access). For general formation planning, see forming an LLC out of state.

What CFIUS reviews (and why your LLC paperwork can change the answer)

CFIUS (the Committee on Foreign Investment in the United States) is a U.S. government committee chaired by Treasury that can review certain foreign-involved transactions for national-security risk — including investments into U.S. companies.

For CFIUS purposes, the starting questions are simple: is there a U.S. business (an entity doing business in the U.S.) and a foreign person (a non-U.S. individual or an entity ultimately controlled by non-U.S. persons)? If yes, CFIUS jurisdiction most commonly shows up in (1) control investments and (2) certain non-controlling investments in a TID U.S. business (Technology, Infrastructure, or Data).

  • Critical technologies: products/know-how tied to export controls or sensitive end uses.
  • Critical infrastructure: businesses connected to enumerated infrastructure functions/sectors.
  • Sensitive personal data: U.S. person data where access could create linkage or exploitation risk.

Why structure matters: “control” isn’t just ownership %. CFIUS also focuses on rights. Regulations treat a minority investment into a TID U.S. business as a covered investment when it gives a foreign investor access to material nonpublic technical information, board/observer rights, or involvement in certain substantive decisions (31 C.F.R. § 800.211).

Mini-example: a foreign angel takes 15% but demands a board observer seat and deep product roadmap access. That can turn a “passive” check into a rights package that triggers CFIUS diligence. The fix is often contractual: limit observer/information rights, stage sensitive disclosures, and draft protective provisions narrowly.

Startups usually feel CFIUS risk as a timing and diligence problem: investors, banks, and acquirers ask questions late, then deals pause while everyone figures out whether filings, mitigation, or restructuring are needed. These are the most common startup triggers.

  • Trigger 1: “Critical tech” + foreign money. Watch for defense/space, drones/robotics, advanced semiconductors, certain cybersecurity tools, and AI/ML used for sensitive end uses. Founder move: run an early export-control classification screen and document the result.
  • Trigger 2: Sensitive personal data at scale. Biometrics, precise geolocation, health, financial, children’s data, and government personnel data are repeat flags. Founder move: create a data map, minimize collection, and segregate datasets by role/access.
  • Trigger 3: Government/critical-infrastructure customers. Federal/state/local agencies, primes, utilities, ports, telecom, and energy can pull you into heightened scrutiny. Founder move: build a procurement roadmap and baseline security plan early.
  • Trigger 4: Real estate proximity. Leases, warehouses, labs, and data centers near sensitive facilities can raise separate issues. Founder move: pre-screen locations before signing.

Mini-example: A Wyoming LLC with a foreign founder leases a warehouse near a military installation for drone R&D. During diligence, the location triggers national-security questions, delaying funding. The fix: pre-screen sites, document intended use, and implement physical/IT access controls before the lease is signed.

Formation reality check: your state choice doesn’t “sidestep” federal review

Forming in Delaware, Wyoming, or Nevada can be a smart state-law move for governance and tax planning — but it doesn’t change whether a transaction is potentially within CFIUS jurisdiction. If a foreign person gains control or certain rights in a U.S. business that implicates national-security concerns, the federal analysis is the same no matter where the LLC is formed.

Also: foreign-owned is not illegal. The practical issue is that national-security rules are risk-based, and sometimes require a filing, deal conditions, or mitigation steps that affect timeline and terms.

  • Banking friction: enhanced KYC/AML and beneficial-ownership questions, often with requests for passports, proof of address, and a clear “who controls what” story.
  • Fundraising & M&A diligence: investors/acquirers may demand CFIUS-related reps, covenants, and closing conditions — especially if you touch tech, infrastructure, or sensitive data.
  • Customer security questionnaires: enterprise and public-sector customers often ask where data is hosted, who has access, and whether any foreign persons have privileged access.

Mini-example: Nonresident founders form a Delaware LLC and go to open a bank account. The bank asks for an ownership chart, passports, and a control narrative; the back-and-forth delays account opening and slows hiring and vendor onboarding. The fix is simple: prepare a clean ownership/control packet on day one (cap table, org chart, IDs, and a short description of governance rights). For broader formation logistics, see forming an LLC out of state.

A practical CFIUS-prep checklist (before money comes in)

The goal isn’t to “make CFIUS go away” — it’s to prevent last-minute diligence surprises by packaging the facts CFIUS, banks, and sophisticated investors will ask for.

  • Step 1: Build an ownership + control map. Keep a current cap table, beneficial owners (including upstream entities), and each owner’s citizenship/residency. List governance rights that can equal “control” in practice: board seats/observer rights, vetoes, supermajority approvals, and special information rights.
  • Step 2: Classify what you do (and next steps). Write a one-page product summary with end users and deployment environment. Flag “TID” indicators: export-control-adjacent tech, infrastructure touchpoints, and what personal data you collect (type, volume, who can access it).
  • Step 3: Structure around control and access. Use role-based access, staged diligence, and clean-room approaches for sensitive technical info/data. In some fact patterns, consider U.S.-person control of certain functions (case-by-case).
  • Step 4: Plan filing timing. At a high level, CFIUS has a short-form declaration option (an assessment period of up to 30 days) and a fuller notice process (initial review period up to 45 days). Build buffers into financing/M&A timelines and avoid “sign-and-close next week” assumptions for flagged deals.
  • Step 5: Document security posture. Prepare a lightweight security memo: data minimization, encryption, logging, vendor management, and incident response basics — so you can credibly support a mitigation narrative if needed.

Mini-example: A foreign seed investor asks for standard “major investor rights,” including broad information rights into sensitive datasets. Instead of rejecting the investment, the company offers an alternative package (financial reporting + limited observer rights + no access to certain technical/data repositories). A practical tool is a term-sheet rider that narrows board/observer and information rights for national-security-sensitive areas while preserving core economic terms. For related formation readiness, see our BOI reporting (CTA) overview.

Other federal regimes that trip up foreign-owned LLCs (separate from CFIUS)

CFIUS is only one piece of the puzzle. These regimes can create parallel diligence, contract, and operational constraints — even when there’s no CFIUS filing.

  • Export controls & sanctions: matters for dual-use software, advanced compute, encryption, and cross-border collaboration. Do: screen customers/partners and tightly control access to controlled technical data (especially by geography and user role).
  • Government contracting (FOCI/security): if you sell to DoD/intelligence or through primes, foreign ownership can affect eligibility and security requirements (including handling CUI and flow-downs). Do: plan your contracting pathway early and align governance with what customers will require.
  • Telecom/communications and infrastructure approvals: spectrum, network services, and certain infrastructure projects can require additional regulatory analysis. Do: map regulated touchpoints before signing major customer or deployment contracts.
  • Data localization / “foreign adversary” constraints: sector-dependent rules and buyer policies may restrict hosting, vendor selection, and administrator access for sensitive datasets. Do: vet vendors and make deliberate hosting-and-access decisions.
  • BOI reporting (CTA): don’t assume “foreign founders” means exempt. FinCEN’s rules can change quickly; as of March 26, 2025, FinCEN states U.S.-created entities are exempt while certain foreign entities registered to do business in the U.S. must still report under updated deadlines. Do: build BOI into onboarding and keep ownership records current (see BOI reporting requirements).

For related formation logistics, see forming an LLC out of state.

FAQs for foreign founders and nonresident owners

  • Does CFIUS apply just because a founder is foreign? Not automatically. CFIUS focuses on certain transactions (investment/rights changes or covered real estate) that raise national-security risk.
  • If we form in Delaware (or Wyoming), does that reduce CFIUS risk? No. State of formation affects governance/tax mechanics, not whether CFIUS can review a covered transaction.
  • What ownership percentage triggers CFIUS? There isn’t a single bright-line percentage. “Control” can exist below 50% depending on vetoes, board rights, or other governance terms.
  • Can minority investors trigger CFIUS if they get special rights? Yes. In TID businesses, non-controlling investments can be covered if they include board/observer rights, access to material nonpublic technical information, or substantive decision involvement.
  • Are SAFE notes or convertible notes a CFIUS issue? Potentially — usually when they convert into equity with control/special rights, or when side letters grant information/governance rights before conversion.
  • What if we pivot later into defense, critical infrastructure, or sensitive data? Plan for it early. A low-risk consumer product can become high-scrutiny if the roadmap shifts; update your triage and investor rights as you pivot.
  • Will banks ask about CFIUS or just beneficial ownership? Usually beneficial ownership/control (KYC/AML) first, but sophisticated banks and deal teams may ask CFIUS-style questions if your business touches sensitive tech, data, or government customers.
  • When should we talk to counsel (and what info should we bring)? Talk early if you’re in critical tech/data/gov pathways or you’re granting board/observer/veto/info rights to foreign persons. Bring an ownership/control chart, draft term sheet or operating agreement, and a one-page product + data summary.

For related compliance housekeeping that often overlaps with banking diligence, see BOI reporting requirements under the CTA.

Actionable next steps (founder checklist)

  • Run the 10-minute triage before you sign a term sheet: foreign ownership + control rights + TID indicators (tech/infrastructure/data) + any sensitive-location real estate exposure.
  • Maintain a one-page ownership/control diagram (cap table + entity chain + citizenship/residency + who has board/veto/info rights). Keep it current for banks, investors, and acquirers.
  • Draft a product + data “risk memo.” In one page: what you build, who you sell to (now and next), where you deploy/host, what data you collect, and who can access it.
  • Scrub your documents for “accidental control.” Review the operating agreement, side letters, and financing docs for board/observer seats, vetoes, supermajority approvals, and broad information rights — then narrow or stage access where needed.
  • Budget time if you’re in critical tech, sensitive data, or a government path. Build diligence time into your fundraising/M&A calendar and avoid assuming a fast close if CFIUS or mitigation might be needed.
  • Make BOI + sanctions screening standard operating procedure. Integrate beneficial ownership updates and counterparty screening into onboarding and vendor/customer processes (see BOI reporting requirements under the CTA).

If you want help pressure-testing your formation and fundraising plan, schedule a consult for a CFIUS + national-security readiness review tailored to your cap table, operating agreement, and customer roadmap.