Educational only; not legal advice. SPP explains diligence issue-spotting, evidence collection, risk triage, and the accountant and certified-fraud-examiner workflow. It does not give filing advice, sanctions opinions, export classifications, CFIUS legal opinions, privacy opinions, forfeiture-defense advice, whistleblower advice, or voluntary self-disclosure advice. Regulatory status is current as of drafting (2026-06-16); see the status note at the end.


The buyer does not experience national-security diligence as six clean legal silos. The buyer experiences it as a messy deal room.

A foreign limited partner has information rights. A target sells dual-use components. A distributor serves customers in high-risk jurisdictions. A bank asks questions about payment flows. A founder cannot explain the original source of funds. A data platform uses offshore engineers. A customer list includes government contractors. An internal hotline report mentions a sanctions workaround. A vendor agreement gives a country-of-concern support team administrator access to United States personal data. The seller says none of it is material. The purchase agreement calendar says signing is next Friday.

That is why this series has one central thesis: six screens, several remedies, one diligence workflow. Committee on Foreign Investment in the United States (CFIUS) review, outbound investment rules, Office of Foreign Assets Control (OFAC) sanctions, Bureau of Industry and Security (BIS) export controls, Bank Secrecy Act and anti-money-laundering (BSA/AML) obligations, the Department of Justice (DOJ) Data Security Program, asset forfeiture, and whistleblower incentives are not one statute. They are not one regulator. They do not share one remedy. But they now collide inside the same buy-side file.

The practical answer is not a bigger checklist. A checklist catches known questions. National-security diligence needs a workflow that can take an unfamiliar fact, route it to the correct screen, preserve the source document, identify the remedy set, write the risk memo, and escalate to counsel before the deal team has already priced the issue as a general compliance exception.

D1 is the operating manual for that workflow. The earlier spokes teach the regimes. This piece teaches the workstream: intake, red-flag triage, source-document collection, public and synthetic screening, evidence gaps, counsel escalation, risk memo, deal terms, post-close remediation, and quarterly refresh. Its practitioner artifact is the stage-gated workflow. Its Applied DD Lab uses synthetic deal-intake flags to produce a lead-only triage output. The lab does not clear a deal. It teaches the shape of the memo.

What problem this workflow was built to solve

The problem is fragmentation. Each regime has its own vocabulary, agency, trigger, timing, and remedy. CFIUS asks whether a foreign person is acquiring control or certain rights in a United States business, especially a technology, infrastructure, or data business. Outbound investment asks whether a United States person is putting money or rights into a covered foreign person in covered national-security technologies. OFAC asks whether a party, owner, bank, country, transaction, service, or property interest is blocked or prohibited. BIS and export-control counsel ask what the item is, where it is going, who will use it, and whether a foreign-national employee has access to controlled technology. FinCEN asks whether a financial institution or regulated actor knows its customer, monitors activity, files required reports, and maintains a program. DOJ’s Data Security Program asks whether countries of concern or covered persons can access government-related data or bulk United States sensitive personal data. Forfeiture asks whether property or money in the deal is proceeds, involved property, facilitating property, substitute property, or restrained property. Whistleblower programs ask whether someone with original information has an award or disclosure lane.

The deal team usually sees the facts before it sees the law. That creates a sorting problem. The same fact can trigger more than one screen. A foreign investor with board observer rights can matter to CFIUS and the Data Security Program. A sanctioned owner can matter to OFAC, BSA/AML, source-of-funds diligence, and forfeiture. A controlled-technology target can matter to CFIUS, export controls, outbound investment if the buyer later funds foreign expansion, and DOJ voluntary self-disclosure posture if past violations exist. A data platform can matter to CFIUS, DOJ Data Security Program, privacy counsel, FTC data-broker issues, and securities disclosure if the buyer is public.

The workflow is built to solve that sorting problem without pretending the accountant becomes the lawyer. The accountant or certified fraud examiner can recognize the fact pattern, preserve the documents, build the ownership and funds-flow evidence, identify the missing fields, and write the issue in a way counsel can act on. The accountant cannot decide whether a CFIUS filing is mandatory, whether a license is required, whether a sanctions match is a true hit, whether an Export Control Classification Number is correct, whether a company should self-disclose, whether a whistleblower is eligible, or whether a buyer is a bona fide purchaser for forfeiture purposes.

The workflow also solves a timing problem. These issues should not wait until the final purchase-agreement markup. CFIUS conditions precedent, export-control remediation, blocked-property handling, data-segregation controls, source-of-funds tracing, voluntary self-disclosure decisions, and whistleblower timing cannot be bolted on cleanly after signing if the deal team ignored them during intake. The workflow pushes the questions forward.

Finally, the workflow solves a record problem. National-security diligence depends on traceable source evidence. A spreadsheet of names without source dates is weak. A sanctions screen without list version and identifier support is weak. An ownership chart without beneficial-owner documents is weak. A data-flow map without system access roles is weak. A seller representation without underlying records is weak. Diligence needs a file that can survive a later counsel memo, regulator question, audit committee discussion, lender review, or post-close remediation plan.

The workflow is therefore not just a compliance ritual. It is a way to protect deal value. A buyer that can name the screen, source the fact, identify the remedy, and write the unresolved issue cleanly has options. It can slow down, price the risk, request a condition precedent, carve out an asset, require remediation, escrow funds, demand special indemnity, restructure ownership rights, block a payment, require a counsel opinion, or walk away. A buyer that sees the issue late has fewer options.

Who runs, investigates, and enforces the screens

The workflow starts by recognizing that no single national-security agency owns the whole stack.

CFIUS is an interagency committee chaired by Treasury. Its member agencies include departments with defense, homeland security, commerce, state, energy, justice, intelligence, and economic equities. In a deal file, CFIUS is the foreign-investment screen. Its remedies are mitigation agreements, monitoring, civil penalties, blocked deals, non-notified review, and forced divestiture. It is not primarily a forfeiture process.

Treasury also runs the outbound investment program through its Office of Investment Security. That screen reverses the direction of capital. Instead of foreign money entering a United States business, it asks whether United States persons are investing in covered technologies and covered foreign persons. The remedies flow through Treasury, the International Emergency Economic Powers Act (IEEPA), notifications, prohibitions, penalties, and possible unwind or divestment authority.

OFAC, also in Treasury, administers and enforces economic sanctions. OFAC matters in diligence because parties, beneficial owners, vessels, banks, goods, services, countries, and property interests can be blocked or prohibited. The diligence workflow must treat a sanctions issue as a live property and payment issue, not just a reputational concern.

BIS, within Commerce, administers the Export Administration Regulations (EAR), while the State Department Directorate of Defense Trade Controls administers the International Traffic in Arms Regulations (ITAR). Export controls matter because a target’s products, software, technology, source code, customer base, end users, foreign-national employees, and cloud access can create license and violation issues. The accountant does not classify the item. The accountant asks for the classification support and routes gaps to export-control counsel.

FinCEN administers much of the BSA/AML framework. Banks, money services businesses, casinos, broker-dealers, and other covered institutions have program, reporting, and recordkeeping obligations. FinCEN also sits next to the Corporate Transparency Act beneficial ownership information system, but that system is confidential and access-limited, and the current reporting-company scope has been narrowed. The workflow should never treat BOI as a public bulk verification source.

DOJ’s National Security Division runs the Data Security Program under Executive Order 14117 and 28 CFR Part 202. The data-security screen is not a consumer-privacy checklist. It asks whether countries of concern or covered persons can access government-related data or bulk United States sensitive personal data through data brokerage, vendor, employment, or investment relationships, and whether the transaction is prohibited, restricted, exempt, licensed, or unresolved.

DOJ also runs forfeiture and white-collar enforcement through multiple components, including the Criminal Division, U.S. Attorneys’ Offices, the Asset Forfeiture Program, and specialized sections or task forces. Forfeiture becomes relevant when the deal includes tainted capital, criminal proceeds, sanctioned assets, money-laundering property, corruption proceeds, or assets named in seizure or forfeiture matters.

Finally, whistleblower and bounty programs sit across DOJ, FinCEN/Treasury, SEC, CFTC, and the courts. The False Claims Act is a court and DOJ lane. SEC and CFTC programs are agency award lanes. FinCEN’s anti-money-laundering whistleblower program is a Treasury and DOJ lane. DOJ’s Corporate Whistleblower Awards Pilot Program is a Criminal Division forfeiture-based lane. The diligence team should not pick the lane. It should identify that a lane may exist.

The institutional map matters because it prevents the deal memo from flattening remedies. “Regulatory risk” is not a remedy. CFIUS mitigation is different from an OFAC block. A BIS denial order is different from an export license condition. A FinCEN penalty is different from a suspicious activity report. A DOJ Data Security Program prohibited transaction is different from a restricted transaction. A civil forfeiture complaint is different from a final forfeiture order. An internal whistleblower report is different from an award determination.

What changed from 2024 to 2026

The laws are mostly older than the current deal cycle. CFIUS has roots in the Defense Production Act and Exon-Florio. OFAC sanctions have older roots in the Trading with the Enemy Act and IEEPA. Export controls predate the Export Control Reform Act of 2018. The Bank Secrecy Act dates to 1970. Forfeiture is older still. The False Claims Act is older than all of them.

What changed from 2024 to 2026 is convergence.

Inbound investment expanded and became more operational. FIRRMA already moved CFIUS beyond simple control deals into certain non-controlling rights involving technology, infrastructure, and data. Later rules and enforcement posture increased the importance of non-notified review, mitigation monitoring, civil penalties, and real-estate proximity. A buyer can no longer assume that CFIUS is only a foreign acquirer problem at signing. It can arise through limited partners, governance rights, sensitive data, real estate, technology, and post-close review.

Outbound investment became a live screen. Treasury’s outbound program took effect in 2025, and later statutory developments made the outbound question more durable. The buyer-side implication is direct. A United States fund, parent company, or portfolio company cannot treat foreign expansion or follow-on financing as a purely commercial investment if covered technology and countries of concern are present.

Sanctions enforcement became a corporate and M&A issue. DOJ and OFAC messaging made sanctions, export controls, and voluntary self-disclosure part of mainstream corporate enforcement. A buyer that discovers a target’s sanctions or export violation after closing may face successor-liability, remediation, and disclosure decisions. The diligence file therefore has to identify the issue before the post-close clock starts.

Data became a national-security asset. DOJ’s Data Security Program turned data categories, access paths, countries of concern, and covered persons into deal facts. A target’s data inventory and vendor map now sit beside its cap table and customer list. A buyer that does not know the data count, system access, and foreign support path cannot write a complete risk memo.

FinCEN’s frontier shifted. Some expected obligations did not land the way market commentary predicted. The Residential Real Estate rule is vacated and on appeal. The Investment Adviser AML rule is delayed to January 1, 2028. Corporate Transparency Act reporting is narrowed to foreign-formed reporting companies, and BOI is confidential and access-limited. Diligence has to say what is actually operative, not what a stale alert expected.

Forfeiture and whistleblower incentives became deal-adjacent. The forfeiture article shows how tainted capital can become a property problem. The whistleblower article shows how an internal report or original information can change disclosure timing and enforcement posture. Neither makes every deal a law-enforcement matter. Both make evidence preservation and counsel escalation more important.

The professional-control lesson also got sharper. ACFE’s public 2026 report summary says the report analyzed 2,402 real-world occupational fraud cases across 143 countries and territories, with more than 3.4 billion dollars in losses, median loss of 104,000 dollars per case, and tips in 43 percent of cases. That is not national-security law. It is a control lesson. People, reporting channels, data monitoring, management review, surprise audits, training, and internal controls surface problems before a neat legal category does.

The 2024 to 2026 change is not that the buyer must become a regulator. It is that the buyer must treat national-security diligence as a workstream, not an afterthought.

What triggers the workflow in a deal

The workflow should run whenever the deal has one of nine intake triggers.

First, a foreign person is buying, funding, controlling, or gaining rights in the target. That includes direct buyers, parent companies, limited partners with unusual rights, board observers, information rights, side letters, veto rights, and financing sources. The trigger is not only nationality. It is the combination of foreign-person status, control, rights, sector, technology, infrastructure, data, real estate, and proximity.

Second, a United States person is investing outward into a foreign company, joint venture, fund, development project, or portfolio company with covered technology. The outbound screen is especially important when semiconductors, microelectronics, quantum information technologies, artificial intelligence, or advanced computing language appears in the investment memo.

Third, any party, owner, customer, supplier, bank, vessel, logistics provider, distributor, reseller, or agent has a sanctions signal. A screen hit is not a finding, but it is a workstream trigger. The buyer must ask for identifiers, ownership support, list sources, list date, program restrictions, country exposure, payment paths, and blocked-property handling.

Fourth, the target’s products, software, source code, technology, research, cloud environment, customers, end users, or workforce raise export-control questions. Controlled technology can be exported by shipment, download, access, release to a foreign national, or through a foreign direct product fact pattern. The workflow does not classify the item. It asks for classification support and routes the issue.

Fifth, the target is AML-regulated or sits near money movement. Banks, money services businesses, payment companies, fintech platforms, casinos, broker-dealers, crypto businesses, funds, real estate intermediaries, and money-moving affiliates require a different evidence stack. The buyer needs AML program documents, customer due diligence, source-of-funds evidence, regulator correspondence, and status-sensitive FinCEN rule treatment.

Sixth, the target holds sensitive data or government-related data. The workflow should ask for data categories, record counts, system maps, vendor access, offshore support, administrative roles, investor information rights, and country-of-concern access. A privacy data map is not enough. The question is whether a national-security access path exists.

Seventh, the deal includes capital, assets, receivables, real estate, inventory, crypto, aircraft, vessels, or other property with suspicious source-of-funds or government posture. Forfeiture is triggered by value path and predicate facts. The buyer must trace how money entered, how property was acquired, what public releases or court filings say, and whether any freeze, block, seizure, complaint, order, or return exists.

Eighth, someone has reported misconduct internally or externally. A hotline report, internal audit finding, former employee letter, vendor complaint, bank inquiry, government contact, or whistleblower allegation can change the timing surface. The buyer should preserve the date, recipient, allegation category, investigation status, remediation, privilege boundary, and counsel owner.

Ninth, the seller cannot answer basic identity questions. Missing ownership, missing source of funds, missing export classification, missing data inventory, missing sanctions identifiers, missing customer geography, missing vendor access rights, missing government correspondence, or missing internal complaint history is itself a trigger. A gap is not a conclusion, but it belongs in the memo.

The workflow does not wait for certainty. It starts when the fact pattern is plausible enough that the buyer needs a source document.

Stage 1: intake and red-flag triage

Intake is where the buyer wins or loses time. The first week should not be spent reading only financial statements. It should collect the identifiers that every later screen needs.

Start with the deal profile. Who is buying? Who is selling? Who owns the buyer? Who owns the seller? Who finances the deal? What rights will transfer? What board, observer, veto, consent, information, or access rights will exist after closing? What countries are involved in ownership, management, development, manufacturing, support, customers, vendors, data hosting, and payment routes?

Then build the target profile. What does the target sell? Is it software, hardware, data, research, financial services, health care, defense, energy, logistics, real estate, communications, infrastructure, manufacturing, payments, or professional services? Does it serve government customers? Does it handle controlled technology? Does it collect sensitive data? Does it move money? Does it use agents, resellers, distributors, or offshore support? Does it operate in or near countries of concern or sanctioned jurisdictions?

Then request core identifiers: legal names, trade names, prior names, addresses, countries, tax IDs, registration numbers, beneficial owners, director and officer names, account numbers where appropriate, customer and vendor legal names, bank names, product names, export classification support, data categories, and system names. A sanctions screen or export-list screen without identifiers is a weak screen.

Then run a red-flag triage. The triage should produce three outputs: a no-current-signal list, a possible-signal list, and a missing-evidence list. A no-current-signal list should not say “clear.” It should say “no current signal from supplied data.” A possible-signal list should route to the regime. A missing-evidence list should state what document or field is needed next.

The first triage should be written in plain English. Example:

Intake fact | Screen | Immediate request
Foreign buyer with board rights in data-rich target | CFIUS; DOJ Data Security Program | Ownership chart, governance rights, data inventory, foreign-access map
United States fund follow-on into quantum supplier abroad | Outbound investment; export controls | Technology description, country nexus, end users, license history
Distributor with sanctions signal | OFAC; BSA/AML; forfeiture | Current list screen, identifiers, ownership support, payment history
Financial-services target with hotline report | BSA/AML; whistleblower routing | AML program files, internal report date, investigation status
Target cannot produce data counts | DOJ Data Security Program | Data inventory, bulk-threshold count, vendor access roles

The purpose of stage 1 is not to solve the issue. It is to prevent the issue from disappearing.
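The stage 1 triage as an added example (not part of the original series or its Applied DD Lab): it routes intake flags to screens using the table rows above and emits the three lists. The flag keys, the `IntakeFlag` structure, the "unrouted" fallback, and the sample flags are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field

NO_SIGNAL = "no current signal from supplied data"  # the memo never says "clear"
UNROUTED = ["unrouted: manual review"]              # assumed fallback for unfamiliar facts

# Hypothetical flag key -> (screens, immediate requests), transcribed from the table rows.
ROUTES = {
    "foreign_buyer_board_rights_data_target": (
        ["CFIUS", "DOJ Data Security Program"],
        ["ownership chart", "governance rights", "data inventory", "foreign-access map"]),
    "us_fund_followon_quantum_supplier_abroad": (
        ["Outbound investment", "Export controls"],
        ["technology description", "country nexus", "end users", "license history"]),
    "distributor_sanctions_signal": (
        ["OFAC", "BSA/AML", "Forfeiture"],
        ["current list screen", "identifiers", "ownership support", "payment history"]),
    "financial_target_hotline_report": (
        ["BSA/AML", "Whistleblower routing"],
        ["AML program files", "internal report date", "investigation status"]),
    "target_cannot_produce_data_counts": (
        ["DOJ Data Security Program"],
        ["data inventory", "bulk-threshold count", "vendor access roles"]),
}


@dataclass
class IntakeFlag:
    key: str
    status: str                                 # "present", "absent", or "unknown"
    supplied: set = field(default_factory=set)  # documents already in the data room


def triage(flags):
    """Return the three stage 1 lists. Every row is a lead, never a finding."""
    out = {"no_current_signal": [], "possible_signal": [], "missing_evidence": []}
    for f in flags:
        if f.status not in ("present", "absent", "unknown"):
            raise ValueError(f"unknown status for {f.key}: {f.status!r}")
        screens, requests = ROUTES.get(f.key, (UNROUTED, []))
        if f.status == "absent":
            out["no_current_signal"].append({"flag": f.key, "posture": NO_SIGNAL})
            continue
        if f.status == "present":
            out["possible_signal"].append(
                {"flag": f.key, "screens": screens, "posture": "lead only"})
        # A seller who cannot answer ("unknown") is itself a trigger: log the gap.
        outstanding = [r for r in requests if r not in f.supplied]
        if f.status == "unknown" and not outstanding:
            outstanding = ["seller answer to intake question"]
        for needed in outstanding:
            out["missing_evidence"].append(
                {"flag": f.key, "screens": screens, "needed": needed})
    return out


# Constructed sample intake, not real deal data.
SAMPLE_FLAGS = [
    IntakeFlag("distributor_sanctions_signal", "present", {"identifiers"}),
    IntakeFlag("target_cannot_produce_data_counts", "unknown"),
    IntakeFlag("us_fund_followon_quantum_supplier_abroad", "absent"),
    IntakeFlag("offshore_admin_access_vendor", "present"),  # not in ROUTES
]

if __name__ == "__main__":
    for name, rows in triage(SAMPLE_FLAGS).items():
        print(name)
        for row in rows:
            print("  ", row)
```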

Stage 2: regime routing and source-document requests

After intake, the workflow routes each possible signal to a source-document request list. The request list should be regime-specific and evidence-based.

For CFIUS, request ownership and control documents: capitalization table, shareholder agreements, voting agreements, side letters, board and observer rights, veto rights, consent rights, information rights, limited partner rights, buyer and parent ownership, foreign-government ownership, target sector, technology, infrastructure, data, real estate, and proximity facts. The output is a jurisdiction and mandatory-filing screen for counsel.

For outbound investment, request investment documents, foreign-person ownership, country nexus, covered-technology descriptions, technical thresholds, board or governance rights, convertible instruments, joint-venture terms, follow-on commitments, portfolio-company foreign expansion plans, and prior Treasury notifications. The output is a prohibited or notifiable question for counsel.

For OFAC, request legal names, aliases, addresses, dates of birth for individuals where appropriate, ownership charts, parent and subsidiary charts, customer and supplier lists, bank chains, currency routes, countries, vessels, logistics providers, agents, licenses, blocked-property records, and voluntary self-disclosure history. The output is a sanctions ownership and transaction screen, not a finding.

For export controls, request product lists, technology descriptions, software and source-code access, Export Control Classification Numbers, commodity jurisdiction records, Commodity Classification Automated Tracking System numbers, license history, end-use and end-user records, Entity List and Denied Persons screens, foreign-national employee access, deemed-export controls, technology-control plans, and prior voluntary self-disclosures. The output is a request list for export counsel.

For BSA/AML and FinCEN issues, request AML program policies, risk assessments, customer due diligence, beneficial-owner evidence, suspicious activity report process descriptions where lawfully shareable, Currency Transaction Report posture, regulator correspondence, consent orders, lookbacks, independent reviews, source-of-funds records, sanctions escalation logs, and status-specific BOI access posture. The output is an evidence reliability table.

For the DOJ Data Security Program, request a data inventory, data categories, United States person counts, government-related data indicators, bulk-threshold calculations, vendor lists, offshore support roles, admin-access exports, developer access, processor and subprocessor contracts, investor information rights, country-of-concern access paths, data brokerage contracts, security controls, audit records, and reporting records. The output is a data-flow and foreign-access map.

For forfeiture, request source-of-funds records, wire history, subscription documents, lender files, asset acquisition records, title records, invoices, customer and vendor payment history, public enforcement releases, court filings, seizure notices, restraint orders, forfeiture complaints, forfeiture orders, settlements, blocked-property records, and repatriation or victim-return records. The output is a procedural posture map.

For whistleblower and bounty issues, request non-privileged facts about internal reports, hotline reports, audit findings, government contacts, subpoenas, agency notices, investigation status, remediation status, legal holds, retaliation allegations, and disclosure history. The output is a program-routing and timing map for counsel.

The request list should not ask for legal conclusions. It should ask for facts and source documents. “Provide all documents sufficient to show ownership and governance rights” is a diligence request. “Confirm no CFIUS filing is required” is a legal conclusion unless counsel owns it.

Stage 3: public screening and list screening

Public screening is useful when it is kept in its lane. It can identify leads. It cannot produce legal findings.

The buyer can screen names against public lists such as OFAC lists and the Consolidated Screening List. It can search official agency pages for enforcement releases. It can review Treasury, Commerce, DOJ, FinCEN, SEC, CFTC, and court records. It can compare a target’s stated facts to public rule status. It can build timelines from public releases. It can run synthetic or redacted data through a teaching script. It can document that a source was accessed on a date.

The buyer should also record what public screening cannot do. A no-hit sanctions screen does not prove a party is safe. A fuzzy match does not prove the party is sanctioned. A Consolidated Screening List hit is a lead, not a finding. A public BOI search is not available because BOI is not a public bulk dataset. Export classification is not automated. A keyword hit for quantum or artificial intelligence does not prove the outbound investment rule applies. A synthetic data-threshold checker does not prove the target has a covered data transaction. A public DOJ release does not update docket posture unless the docket or later official release is checked.

The screening log should have these fields:

Field | Why it matters
Source searched | Identifies whether the source is official, public, current, or synthetic
Access date | Preserves status-sensitive timing
Search terms and identifiers | Lets another reviewer reproduce the screen
Result | Hit, no hit, unclear, or source unavailable
Source limitation | Explains false positives, false negatives, access limits, and update cadence
Follow-up owner | Assigns the next step to diligence, counsel, management, or specialist
Memo posture | Lead, no current signal from supplied data, unresolved, counsel-owned, or closed

This is where many diligence files fail. They keep the screenshot and lose the method. A buyer should be able to tell a later reviewer exactly what was searched, when, with what identifiers, and what the result can and cannot mean.
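A screening-log entry built with the fields above, as an added example that is not the series' own script: it screens one name against a constructed list and records the method along with the result. The list entries, the 0.85 similarity threshold, the identifier format, and the mapping from result to owner and posture are assumptions for illustration.

```python
import re
from datetime import date
from difflib import SequenceMatcher

NO_SIGNAL = "no current signal from supplied data"

# Constructed entries for illustration; not taken from any real screening list.
SAMPLE_LIST = [
    {"name": "Example Trading Co Ltd", "id": "REG-0001"},
    {"name": "Northwind Components GmbH", "id": "REG-0002"},
]


def normalize(name):
    """Lowercase, drop punctuation, collapse whitespace."""
    return re.sub(r"\s+", " ", re.sub(r"[^a-z0-9 ]", "", name.lower())).strip()


def screen_party(name, identifier, entries, source, list_version, access_date,
                 threshold=0.85):
    """Screen one party and return a log entry another reviewer can reproduce."""
    if not (source and list_version and isinstance(access_date, date)):
        raise ValueError("log entry needs source, list version, and access date")

    limits = ["public list screen produces leads, not legal findings"]
    if not identifier:
        limits.append("name-only search: no identifier supplied, weak screen")

    # Find the closest list entry by normalized-name similarity.
    best, score = None, 0.0
    for entry in entries:
        s = SequenceMatcher(None, normalize(name), normalize(entry["name"])).ratio()
        if s > score:
            best, score = entry, s

    exact = best is not None and normalize(name) == normalize(best["name"])
    id_conflict = bool(best and identifier and identifier != best["id"])

    if not entries:
        result, posture, owner = "source unavailable", "unresolved", "diligence"
    elif exact and not id_conflict:
        result, posture, owner = "hit", "lead", "counsel"
    elif score >= threshold:
        result, posture, owner = "unclear", "unresolved", "diligence"
        limits.append("fuzzy or identifier-mismatched match does not prove "
                      "the party is sanctioned")
    else:
        result, posture, owner = "no hit", NO_SIGNAL, "diligence"
        limits.append("a no-hit screen does not prove the party is safe")

    return {
        "source_searched": f"{source} (list version {list_version})",
        "access_date": access_date.isoformat(),
        "search_terms_and_identifiers": {"name": name, "identifier": identifier,
                                         "threshold": threshold},
        "result": result,
        "closest_entry": best["name"] if best and score >= threshold else None,
        "similarity": round(score, 3),
        "source_limitation": limits,
        "follow_up_owner": owner,
        "memo_posture": posture,
    }


if __name__ == "__main__":
    accessed = date(2026, 1, 15)  # constructed access date
    for party, ident in [("Example Trading Co., Ltd.", "REG-0001"),
                         ("Exampel Trading Co Ltd", None),
                         ("Harbor Light Logistics LLC", "REG-0777")]:
        print(screen_party(party, ident, SAMPLE_LIST,
                           "constructed teaching list", "sample-v1", accessed))
```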

Stage 4: evidence gaps and counsel escalation

An evidence gap is not a nuisance. It is a risk fact.

If the seller cannot produce a complete beneficial-ownership chart, the buyer cannot complete the ownership screen. If the target cannot produce export classifications, the buyer cannot treat export risk as resolved. If data counts are missing, the buyer cannot determine whether bulk thresholds are even plausible. If a customer or distributor list is redacted without a counsel process, sanctions and export screening may be incomplete. If source-of-funds records are absent, forfeiture and AML risk remain unresolved. If an internal hotline report exists but the date and subject are withheld, whistleblower timing cannot be assessed.

The evidence gap log should be separate from the issue list. An issue list says what may be wrong. A gap log says what the buyer cannot verify. The gap log should include the requested document, the reason it matters, the seller’s response, any substitute evidence, privilege or confidentiality constraints, the owner of the next step, and the decision deadline.

Counsel escalation should happen before the memo reaches a legal conclusion. Escalation is mandatory when any of these facts appear:

Trigger | Counsel lane
Foreign control, non-controlling rights, sensitive data, critical technology, real estate proximity | CFIUS counsel
United States investment into covered foreign technology facts | Outbound investment counsel
Sanctions hit, blocked property, high-risk country payment, 50 Percent Rule uncertainty | Sanctions counsel
Controlled technology, Entity List party, deemed export, missing ECCN, foreign-national access | Export-control counsel
AML-regulated target, SAR/CTR posture, source-of-funds gap, customer due diligence failure | AML counsel
Sensitive data with foreign access, country-of-concern path, data brokerage, bulk threshold issue | Data-security and privacy counsel
Tainted capital, seizure, forfeiture complaint, blocked asset, proceeds trace | Forfeiture or white-collar counsel
Internal report, agency contact, retaliation issue, award-program signal, voluntary self-disclosure question | White-collar, employment, and specialist counsel

Counsel escalation should be recorded, but the advice should remain counsel-controlled. The diligence memo can state that counsel review is pending, complete, or privileged. It should not reproduce privileged advice unless counsel authorizes the format.

What the government can do

The remedy map is the heart of the workflow. Each regime changes deal risk differently.

CFIUS can clear a transaction, request a full notice after a declaration, impose mitigation, monitor compliance, penalize violations, review non-notified transactions, recommend a presidential block, or force divestiture. The buyer’s response may be a condition precedent, covenant, filing allocation, mitigation budget, outside date, reverse termination fee, or walk-away right.

Treasury outbound can treat a transaction as prohibited or notifiable, require notification, impose IEEPA-backed penalties, and seek unwind or divestment where authorized. The buyer’s response may be an investment committee hold, country and technology memo, covenant not to proceed, or counsel clearance.

OFAC can block property, impose civil penalties, issue licenses, deny licenses, publish enforcement releases, and refer criminal matters. The buyer’s response may be blocking or excluding property, freezing payments, requiring licenses, preserving records, remediating compliance, or escalating voluntary self-disclosure.

BIS and export-control authorities can impose license requirements, deny licenses, issue denial orders, charge civil or criminal violations, and impose compliance obligations. The buyer’s response may be export classification cleanup, technology-control plan, license condition, workforce access restriction, customer remediation, or post-close lookback.

FinCEN and banking regulators can impose civil money penalties, consent orders, program obligations, lookbacks, monitors, growth restrictions, or criminal referrals. The buyer’s response may be AML program remediation, independent review, source-of-funds diligence, customer-risk cleanup, or special indemnity.

DOJ’s Data Security Program can prohibit certain transactions, restrict others subject to security requirements, and impose recordkeeping, audit, reporting, license, advisory-opinion, and IEEPA-backed penalty consequences. The buyer’s response may be data segregation, vendor replacement, access restriction, security-control implementation, data-count remediation, or a condition precedent.

Forfeiture authorities can freeze, block, seize, restrain, file a complaint, seek criminal forfeiture, obtain orders, pursue substitute assets, and return or repatriate property. The buyer’s response may be excluded asset, escrow, holdback, title condition, source-of-funds trace, special indemnity, or walk-away.

Whistleblower and bounty programs can turn internal information into a government channel and create timing issues around disclosure, reporting, legal holds, retaliation, and cooperation. The buyer’s response may be counsel-led preservation, employment counsel review, disclosure analysis, and risk-memo escalation.

The remedy map turns abstract law into deal mechanics:

| Government remedy | Deal response |
| --- | --- |
| Filing or notification requirement | Condition precedent, timing covenant, filing allocation |
| Mitigation or security requirements | Remediation budget, operations covenant, monitoring plan |
| Blocked or prohibited transaction | Excluded asset, payment stop, license question, walk-away |
| Civil or criminal penalty exposure | Special indemnity, escrow, holdback, price adjustment, disclosure analysis |
| Denial order or license restriction | Customer and product remediation, export control plan |
| Seizure or forfeiture | Asset carve-out, source-of-funds trace, escrow, counsel memo |
| Whistleblower timing | Legal hold, employment review, disclosure posture, board escalation |
| Unresolved evidence gap | Closing condition, supplemental request, no-reliance warning, walk-away |

The buyer should not memorize every remedy. It should keep the remedy map in front of the deal team so a CFIUS issue is not treated like an OFAC issue, and a forfeiture complaint is not treated like a routine compliance finding.

What a buyer should ask for

The buyer’s request list should be staged. Asking for everything at once can bury the important items. Asking too little creates false comfort.

Stage one requests are universal:

| Universal request | Purpose |
| --- | --- |
| Legal entity chart and ownership chart | Identifies foreign persons, beneficial owners, affiliates, and control rights |
| Customer, supplier, distributor, agent, bank, and vendor lists | Supports sanctions, export, AML, and data-access screening |
| Product, technology, software, and service descriptions | Supports export, outbound, CFIUS, and data-security routing |
| Data inventory and system-access map | Supports DOJ Data Security Program, CFIUS data sensitivity, and privacy routing |
| Source-of-funds and capital history | Supports AML, sanctions, forfeiture, and beneficial-ownership analysis |
| Compliance policies, audits, and regulator correspondence | Supports program maturity and enforcement posture |
| Internal reports and investigation log, non-privileged | Supports whistleblower timing and evidence preservation |
| Government contracts, grants, and certifications | Supports FCA and procurement-fraud routing |

Stage two requests are triggered by the first response. If foreign ownership appears, request side letters, governance rights, information rights, and foreign-government ownership. If data appears, request category counts, vendor access, offshore support, subprocessor lists, and administrator roles. If technology appears, request Export Control Classification Numbers, classification support, license history, and foreign-national access. If money movement appears, request AML program records, suspicious activity process descriptions where lawfully shareable, source-of-funds support, and customer-risk ratings.

Stage three requests are counsel-driven. They include legal opinions, filing analyses, voluntary self-disclosure memoranda, privileged internal investigations, settlement posture, subpoenas, and agency communications. The diligence team should not demand those through ordinary commercial channels without counsel. It should record that counsel-to-counsel handling is needed.

The request list should also ask for dates. Many national-security issues are timing-sensitive. When did the target learn the fact? When was the internal report made? When was the list screen run? When was the export classification last reviewed? When did the data count change? When did the customer become sanctioned? When was the vendor given access? When was the capital contribution received? When did counsel begin the investigation? Dates convert stories into risk memos.

What belongs in the risk memo

The risk memo is the work product that makes the workflow useful. It should not be a list of anxieties. It should be a decision document.

Every issue entry should have twelve fields:

| Field | Required content |
| --- | --- |
| Issue title | Short description tied to the deal fact |
| Screen | CFIUS, outbound, OFAC, export, AML/BOI, data security, forfeiture, whistleblower, or multiple |
| Source facts | Documents, interviews, public sources, screens, dates, and identifiers |
| Current posture | Lead, no current signal, unresolved, counsel-owned, allegation, finding, order, or closed |
| Governing authority | Statute, regulation, agency page, official guidance, court record, or source-status row |
| Remedy set | Mitigation, notice, penalty, license, block, unwind, denial, forfeiture, bounty timing, or other |
| Evidence received | Documents and data in hand |
| Evidence missing | Gaps and unresolved source requests |
| Counsel owner | Which specialist owns legal interpretation |
| Deal consequence | Price, condition precedent, covenant, representation, indemnity, escrow, holdback, carve-out, walk-away |
| Timing | Signing, closing, post-close, 120-day, 90-day, annual report, quarterly refresh, or other |
| Recommendation | Diligence next step, not legal conclusion |

The memo should use posture labels consistently. A list hit is a lead. A complaint is an allegation. A settlement may resolve allegations without admission unless the source says otherwise. A final order is a finding or disposition to the extent the order says it is. A no-hit is “no current signal from supplied data,” not a clean bill of health. A missing document is unresolved, not cleared.

The memo should also separate three audiences. The investment committee needs materiality, timing, price, and whether the deal can proceed. Counsel needs facts, source documents, statutes, unresolved issues, and deadlines. The post-close team needs remediation tasks, owners, systems, controls, and dates. One memo can serve all three if it is structured.

The memo should not bury counsel escalation in prose. Put it in a field. A decision-maker should be able to see immediately that sanctions counsel, export counsel, CFIUS counsel, AML counsel, data-security counsel, white-collar counsel, or employment counsel is needed.

Deal-structure response

Once the risk memo exists, the deal team has to decide what to do with it. National-security diligence matters because the response can change the transaction.

A condition precedent works when a required event must happen before closing. Examples include CFIUS clearance, a required notification, a license, a remediation milestone, delivery of missing ownership documents, or completion of a counsel review. A condition precedent is not a substitute for understanding the issue. It is a way to prevent closing before the issue is resolved.

A representation and warranty works when the seller can make a factual statement about compliance, ownership, absence of notices, absence of blocked property, accuracy of data inventories, completeness of customer lists, or absence of undisclosed government contacts. The representation should be tied to the risk. A generic compliance representation may not protect a buyer from a known sanctions or data-security issue.

A covenant works when behavior must change before or after closing. Examples include maintaining sanctions controls, restricting data access, preserving records, not transferring blocked property, not onboarding certain customers, implementing a technology-control plan, conducting a post-close lookback, or updating ownership evidence.

A special indemnity works when a specific identified risk needs a specific risk allocation. It should name the issue, losses, period, cap, basket, survival, defense control, cooperation, and exclusions. It should not be treated as magic. Some national-security risks cannot be fixed by indemnity if the asset cannot be transferred, the transaction is prohibited, or the buyer could inherit enforcement exposure.

An escrow or holdback works when money should be held to support a claim, remediation obligation, or unresolved exposure. It does not cure a legal prohibition. It can support a known risk but should not be used to avoid a required counsel decision.

An excluded asset works when the risky asset can be carved out. That may help for tainted property, blocked property, contaminated receivables, high-risk data sets, certain contracts, or certain operations. It may not help if the risk sits in the target’s core business, compliance history, or post-close ownership structure.

A walk-away right is the cleanest response when the issue is material, unresolved, and not economically or legally containable. National-security diligence should be allowed to produce that answer.

The transaction response should be written beside the remedy map. If the government remedy could be forced divestiture, a general indemnity may be weak. If the remedy could be blocked property, an escrow does not make the property transferable. If the remedy could be an export denial order, a price discount does not preserve the customer base. If the remedy could be a whistleblower-driven investigation, the buyer needs legal-hold and disclosure posture, not just a schedule exception.

Post-close remediation and voluntary self-disclosure support

Post-close is where weak diligence becomes expensive. A buyer that inherits a sanctions violation, export violation, AML failure, data-security issue, tainted property, or internal report may need to move quickly.

The workflow should create a post-close remediation plan before closing. The plan should identify the issue, the owner, the first 30-day task, the 90-day task, the 180-day task, the counsel owner, the document owner, the system owner, and the status-reporting cadence. It should also state what cannot be done without counsel.

Post-close tasks may include re-screening parties with updated identifiers, freezing or blocking payments, removing or segregating data access, suspending high-risk customers or distributors, conducting an export classification review, implementing a technology-control plan, updating AML risk assessment, completing source-of-funds review, preserving records, conducting internal investigation, preparing voluntary self-disclosure analysis, training employees, and reporting to the board or audit committee.

Voluntary self-disclosure is counsel-owned. The diligence team can support it by preserving facts, timelines, source documents, and remediation records. It cannot decide whether to disclose, where to disclose, when to disclose, or what to say. OFAC, BIS, DOJ National Security Division, FinCEN, and other agencies have different policies, standards, and incentives. D1’s job is to make sure the facts are organized before counsel evaluates them.

The workflow should also connect to the quarterly update system. Some obligations change. RRE is vacated and on appeal. IA AML is delayed. BOI scope changed. FinCEN’s whistleblower regulations were proposed. Outbound investment status can change. DOJ Data Security guidance can change. CFIUS annual reports can change the data tables. OFAC and BIS lists change constantly. A living diligence stack needs a refresh calendar.

How to run the workflow against a deal calendar

The workflow only works if it is tied to the deal calendar. A perfect memo delivered after signing is mostly a post-mortem. The diligence lead should convert the workflow into dated checkpoints.

At kickoff, the diligence team should identify the decision dates: indication of interest, exclusivity, management presentation, preliminary investment committee, confirmatory diligence, purchase agreement draft, signing, regulatory outside date, financing deadlines, closing, and first post-close board or audit committee meeting. National-security diligence should be mapped to those dates before the first request list goes out.

The first checkpoint is the 48-hour intake read. Within two business days of receiving the teaser, confidential information memorandum, management deck, or initial data-room access, the diligence lead should write a one-page national-security profile. It should answer five questions: who owns the parties, what the target sells, where the money moves, what data or technology exists, and what public or internal warnings are already visible. If the team cannot answer those five questions, the first request list is not ready.

The second checkpoint is the preliminary investment committee screen. Before a buyer spends serious diligence money, the memo should say whether any national-security screen could become a gating issue. That does not require a legal conclusion. It requires a routing conclusion. The memo can say “CFIUS counsel should evaluate mandatory declaration,” “export-control counsel should review classification evidence,” “sanctions counsel should review beneficial ownership,” “data-security counsel should review foreign-access path,” or “source-of-funds evidence is insufficient.” That is enough to keep the investment committee from treating the issue as a normal commercial risk.

The third checkpoint is the purchase-agreement issue list. Before the first serious purchase-agreement markup, the diligence lead should identify which risks need conditions precedent, covenants, representations, special indemnities, escrows, holdbacks, asset exclusions, disclosure schedules, closing certificates, or walk-away rights. Counsel will draft the language. Diligence supplies the facts and the risk posture.

The fourth checkpoint is the signing readiness check. Signing should not happen while material national-security questions are still described in vague terms. “Export issue under review” is not a signing-ready statement. “Target has not provided Export Control Classification Number support for three product families that account for 28 percent of revenue; export counsel review pending; purchase agreement includes condition precedent to deliver classification support and no-new-export-violation certificate before closing” is closer to a signing-ready statement.

The fifth checkpoint is the closing bringdown. Because sanctions lists, export lists, ownership, and data access can change, a clean diligence memo at signing is not enough. Before closing, the buyer should refresh key screens, verify that conditions precedent are satisfied, confirm that no new government contact occurred, update internal-report status, confirm legal holds where needed, and confirm that any required remediation or segregation has occurred. If the target added a new distributor, vendor, owner, bank, or data-access path after signing, the screen should be updated.

The sixth checkpoint is the first 30 days after close. This is where post-close remediation begins. The buyer should re-run agreed screens with full identifiers, freeze high-risk changes until counsel clears them, integrate policies, preserve records, assign control owners, update the data inventory, validate technology-control plans, review customer and vendor onboarding, and decide whether any counsel-owned voluntary self-disclosure analysis is needed. Waiting six months can lose evidence and credibility.

The seventh checkpoint is the 90-day and 180-day remediation review. Some issues cannot be fixed in the first month. AML lookbacks, export classification cleanup, data-access redesign, contract remediation, ownership evidence, customer exits, vendor replacements, and control implementation need management attention. The workflow should make these tasks visible to the buyer’s operating team, not just the deal lawyers.

The eighth checkpoint is quarterly maintenance. This series has a quarterly update system because the law and guidance move. A buyer can borrow the same cadence for portfolio monitoring. For portfolio companies with national-security exposure, quarterly refresh should include sanctions list updates, export-list changes, ownership changes, high-risk customer changes, data-access changes, new internal complaints, new government contact, new country-of-concern exposure, and any status-sensitive regulatory changes.

This calendar discipline changes the buyer’s posture. Instead of discovering a problem in the last draft of the purchase agreement, the buyer can decide early whether the issue is a diligence request, a counsel memo, a price adjustment, a condition, a covenant, a special indemnity, a remediation plan, or a walk-away.

Quality controls for the diligence file

A national-security diligence file should be reviewable by someone who did not work on the deal. That is the test. If a later reviewer cannot understand what was searched, what was found, what was missing, who owned the legal call, and why the deal response was chosen, the file is not good enough.

The first quality control is source traceability. Every date, dollar amount, statutory citation, deadline, enforcement outcome, and rule status should trace to a source. The internal source log is the discipline for the article series. A deal file needs the same habit. The source may be a target document, government page, agency release, court filing, counsel memo, screen output, board minutes, data export, or interview note. The source should be named, dated, and stored.

The second quality control is status separation. Do not mix a legal requirement, proposed rule, vacated rule, delayed rule, agency guidance, public allegation, settlement, court order, internal complaint, and management assertion into one paragraph. Each has a different reliability level. For example, RRE is not currently a live filing obligation while the vacatur stands. IA AML is delayed to 2028. BOI is not public bulk data. FinCEN’s AML whistleblower implementing rule was proposed as of the April 1, 2026 notice. A file that treats those as settled live obligations is not current.

The third quality control is identifier quality. Names are not enough. Sanctions and export-list screening depend on legal names, aliases, addresses, dates of birth where appropriate, countries, registration numbers, vessel identifiers, parent and subsidiary relationships, and ownership percentages. A no-hit screen run on incomplete identifiers is weak. The memo should say so.

The fourth quality control is ownership math. OFAC’s 50 Percent Rule, CFIUS foreign-person analysis, outbound covered-foreign-person analysis, beneficial ownership, and source-of-funds review all depend on ownership and control facts. The file should show direct ownership, indirect ownership, aggregation, voting rights, veto rights, board rights, information rights, side letters, and nominee risks. If the ownership chart is based on management representation only, the memo should say that.

The fifth quality control is access mapping. Export controls and data-security rules often turn on access. Who can access controlled technology? Who can administer the database? Who can download source code? Who can query sensitive data? Who can change permissions? Who receives reports? Who has information rights? Access should be mapped by role, person category, geography, system, and contract. A vendor list without access rights is not an access map.

The sixth quality control is allegation discipline. A public enforcement release may describe allegations, charges, settlements, pleas, admissions, findings, orders, or returns. The memo should not upgrade an allegation to a finding. It should not downgrade an order to a rumor. It should use the source’s posture.

The seventh quality control is counsel boundary. The diligence file should show where counsel was engaged and which questions remain counsel-owned. It should not quote privileged advice casually or put legal conclusions into an accountant’s voice. A clean boundary protects both the buyer and the practitioner.

The eighth quality control is reproducibility. If the lab, screen, or public search cannot be reproduced, the output is weak. Save inputs, search terms, access dates, list versions where available, source URLs, code versions, and limitations. The goal is not to make every diligence file into a software project. The goal is to avoid undocumented screenshots and stale comfort.

The ninth quality control is decision linkage. Every material issue should link to a deal decision. If the issue did not affect price, terms, timing, remediation, or counsel review, the memo should say why. If it did, the memo should identify the response. That is how diligence becomes useful to the business without becoming legal advice.

When to escalate to counsel

Escalation is not a failure of the diligence team. It is the workflow doing its job.

Escalate to CFIUS counsel when a foreign person acquires control, non-controlling rights, board or observer rights, information rights, veto rights, sensitive data access, critical technology exposure, critical infrastructure exposure, real estate proximity, foreign-government ownership, or unusual limited partner rights.

Escalate to outbound investment counsel when a United States person invests in or supports a foreign company, joint venture, fund, or project with covered technology or country-of-concern facts, especially semiconductors, microelectronics, quantum information technologies, artificial intelligence, or advanced computing.

Escalate to sanctions counsel when a party, owner, vessel, bank, country, transaction, goods flow, service flow, payment, or property interest has an OFAC signal, a 50 Percent Rule issue, a blocked-property question, a license question, or a high-risk country path.

Escalate to export-control counsel when products, software, source code, technology, research, end users, end uses, foreign-national employees, cloud access, Entity List parties, Denied Persons, Foreign Direct Product Rule issues, or missing Export Control Classification Numbers appear.

Escalate to AML counsel when the target is AML-regulated, moves money, lacks source-of-funds evidence, has customer due diligence gaps, has suspicious activity process concerns, received regulator inquiries, or relies on BOI assumptions.

Escalate to data-security and privacy counsel when the target has sensitive personal data, government-related data, bulk thresholds, country-of-concern access, data brokerage, vendor access, employment access, investment access, or offshore administrator paths.

Escalate to forfeiture or white-collar counsel when assets, capital, receivables, real estate, crypto, vessels, aircraft, or funds may be proceeds, involved property, facilitating property, blocked property, seized property, restrained property, or property named in a complaint or order.

Escalate to employment and white-collar counsel when an internal report, whistleblower allegation, retaliation claim, agency contact, subpoena, legal hold, voluntary self-disclosure question, award-program signal, or timing issue appears.

The memo should say when escalation occurred and what remains unresolved. It should not summarize privileged advice unless counsel approves.

Practitioner Skill Built By This Article

The skill this article builds is integrated national-security diligence management.

After reading it, a practitioner should be able to recognize when one deal fact belongs to more than one screen. Foreign ownership can be a CFIUS issue, a data-access issue, and an OFAC ownership issue. Controlled technology can be an export issue, a CFIUS issue, and an outbound investment issue. Tainted capital can be an AML issue, a sanctions issue, and a forfeiture issue. An internal report can be a whistleblower issue, a voluntary self-disclosure issue, and an evidence-preservation issue.

The practitioner verifies the issue against the Authority Ladder. Start with the source-status table and regime-trigger matrix. Then use the regime-specific primary sources and official agency materials in A1 through C3. Use public screening as a lead generator. Use ACFE material for the fraud-control and CFE-practice layer, not as legal authority. Use law-firm alerts only to find the primary source.

The practitioner can produce the full stage-gated workflow, a source-document request list, a public-screening log, an evidence gap log, a counsel-escalation table, a risk memo, and a post-close remediation tracker. The practitioner cannot make legal conclusions about filings, licenses, sanctions matches, export classification, CFIUS jurisdiction, privacy restrictions, forfeiture defenses, whistleblower eligibility, or voluntary self-disclosure.

The issue escalates when any screen produces a possible signal, when a required source document is missing, when an internal report exists, when a government contact exists, when a deal term assumes a legal conclusion, or when the decision deadline is before signing or closing.

Practitioner artifact: Full stage-gated workflow

This is the reusable D1 artifact. It is a workflow, not a legal checklist.

| Gate | Work | Output | Stop / escalate condition |
| --- | --- | --- | --- |
| 1 Intake | Capture buyer, seller, owners, rights, sector, geography, data, technology, money movement, government touchpoints | Deal profile | Missing core identifiers or foreign ownership/control signal |
| 2 Red-flag triage | Compare intake facts to regime-trigger matrix | Initial screen map | Any CFIUS, outbound, OFAC, export, AML, data, forfeiture, or whistleblower signal |
| 3 Source-document requests | Send regime-specific evidence requests | Request list and owner map | Seller cannot provide ownership, source-of-funds, technology, data, customer, or report evidence |
| 4 Public screening | Run lead-only list, agency, public-source, and status checks | Screening log with access dates and limitations | Hit, unclear result, stale list, unavailable source, or no identifiers |
| 5 Evidence gap log | Separate issues from missing evidence | Gap log | Gap affects signing, closing, valuation, legality, transferability, or disclosure |
| 6 Counsel escalation | Route by screen and preserve privilege boundary | Counsel escalation table | Any legal interpretation needed |
| 7 Risk memo | Write issue, source facts, posture, authority, remedy, gap, counsel owner, deal response | Investment committee and counsel memo | Memo contains unsupported conclusion or unresolved material issue |
| 8 Deal response | Translate memo into CP, covenant, rep, special indemnity, escrow, carve-out, remediation, or walk-away | Deal-terms issue list | Legal prohibition, blocked property, missing filing, or uncontained exposure |
| 9 Closing controls | Confirm no-new-red-flag, updated screens, delivered records, and counsel signoffs | Closing certificate support | New hit, expired screen, missing CP, unresolved counsel item |
| 10 Post-close remediation | Execute lookback, re-screening, controls, legal holds, VSD support, training, and monitoring | Remediation tracker | Voluntary self-disclosure, government contact, legal hold, or unresolved exposure |
| 11 Quarterly refresh | Update source-status table, status notes, watch items, lists, and guidance | Refresh log | Changed rule, court order, list update, annual report, enforcement guidance |

Every gate should have an owner, a date, and a source path. If the file cannot show who did what and when, the workflow is incomplete.

Applied DD Lab: Replicate the Screen

The D1 Applied DD Lab uses synthetic deal-intake flags to build a lead-only integrated triage output. It does not clear a deal and does not decide any legal question.

Dataset: data/synthetic/d1_deal_intake_flags.csv in the companion repo. The rows are synthetic. They do not contain client data, target names, private records, or allegations.

Code: src/ns_diligence/risk_workflow.py.

Run:

python -m ns_diligence.risk_workflow \
  data/synthetic/d1_deal_intake_flags.csv \
  data/redacted_outputs/d1_integrated_workflow_sample.csv

Sample output:

| Deal ID | Synthetic deal type | Risk tier | Triggered screens | Counsel escalations |
| --- | --- | --- | --- | --- |
| D1-001 | foreign acquisition of data-rich health platform | high | CFIUS inbound; BSA/AML and BOI; DOJ Data Security Program | AML counsel; CFIUS counsel; data-security counsel |
| D1-002 | US fund follow-on investment in quantum supplier | elevated | Outbound investment; Export controls | export-control counsel; outbound investment counsel |
| D1-003 | industrial target with sanctioned distributor | critical | OFAC sanctions; BSA/AML and BOI; Asset forfeiture | AML counsel; forfeiture or white-collar counsel; sanctions counsel |
| D1-004 | financial-services target with internal AML report | high | BSA/AML and BOI; Whistleblower or bounty routing | AML counsel; white-collar and employment counsel |
| D1-005 | ordinary domestic software acquisition | baseline | No current national-security screen from supplied synthetic flags | none from supplied flags |

What the lab can show: how a diligence team can turn intake facts into triggered screens, counsel escalation lanes, immediate source requests, and memo warnings. It also shows why “no current signal from supplied data” is different from “cleared.”

What the lab cannot show: whether a real transaction triggers CFIUS, outbound investment, OFAC, export controls, BSA/AML, BOI, the DOJ Data Security Program, forfeiture, or whistleblower rules. It cannot screen real names, classify technology, calculate ownership, verify data thresholds, decide source of funds, or advise on legal strategy.

When to escalate from the lab result: any elevated, high, or critical row; any baseline row with missing identifiers; any sanctions, data, controlled-technology, foreign-ownership, source-of-funds, or internal-report signal; any result the deal team wants to treat as a legal conclusion.

The lab is intentionally simple. A real D2 capstone will add more public-data modules. D1 teaches the workflow before D2 teaches the screening toolkit.
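
A compact version of the intake-flag triage described in this lab, as an added example that is not the companion repo's risk_workflow.py. The flag column names, the tier rule, the X-006 row, and every CSV value are constructed for illustration; only the screen and counsel labels are taken from the sample output above. A blank flag is logged as an evidence gap instead of being read as "no".

```python
import csv
import io

# (hypothetical intake-flag column, screen label, counsel lane).
# Screen order follows the risk memo's "Screen" field.
SCREENS = [
    ("foreign_ownership", "CFIUS inbound", "CFIUS counsel"),
    ("outbound_covered_tech", "Outbound investment", "outbound investment counsel"),
    ("sanctions_signal", "OFAC sanctions", "sanctions counsel"),
    ("controlled_technology", "Export controls", "export-control counsel"),
    ("money_movement_or_funds_gap", "BSA/AML and BOI", "AML counsel"),
    ("sensitive_data_foreign_access", "DOJ Data Security Program", "data-security counsel"),
    ("tainted_property_signal", "Asset forfeiture", "forfeiture or white-collar counsel"),
    ("internal_report", "Whistleblower or bounty routing", "white-collar and employment counsel"),
]
NO_SIGNAL = "No current national-security screen from supplied synthetic flags"

# Constructed synthetic intake rows. X-006 has a blank sanctions flag and
# incomplete identifiers to exercise the evidence-gap path.
SAMPLE_CSV = """\
deal_id,deal_type,foreign_ownership,outbound_covered_tech,sanctions_signal,controlled_technology,money_movement_or_funds_gap,sensitive_data_foreign_access,tainted_property_signal,internal_report,identifiers_complete
D1-001,foreign acquisition of data-rich health platform,1,0,0,0,1,1,0,0,1
D1-002,US fund follow-on investment in quantum supplier,0,1,0,1,0,0,0,0,1
D1-003,industrial target with sanctioned distributor,0,0,1,0,1,0,1,0,1
D1-004,financial-services target with internal AML report,0,0,0,0,1,0,0,1,1
D1-005,ordinary domestic software acquisition,0,0,0,0,0,0,0,0,1
X-006,domestic services acquisition,0,0,,0,0,0,0,0,0
"""


def parse_flag(raw):
    """Return True/False for an answered flag, None for a blank or unclear one."""
    value = (raw or "").strip().lower()
    if value in ("1", "y", "yes", "true"):
        return True
    if value in ("0", "n", "no", "false"):
        return False
    return None


def triage_row(row):
    """Route one intake row to screens and counsel lanes (lead-only output)."""
    screens, counsel, gaps = [], set(), []
    for column, screen, lane in SCREENS:
        answer = parse_flag(row.get(column))
        if answer is None:
            gaps.append(column)          # unanswered is a gap, not a "no"
        elif answer:
            screens.append(screen)
            counsel.add(lane)
    if parse_flag(row.get("identifiers_complete")) is not True:
        gaps.append("identifiers_complete")

    # Constructed tier rule (an assumption): blocked or tainted property ranks
    # highest; an internal report or three or more screens ranks high.
    if "OFAC sanctions" in screens or "Asset forfeiture" in screens:
        tier = "critical"
    elif len(screens) >= 3 or "Whistleblower or bounty routing" in screens:
        tier = "high"
    elif screens:
        tier = "elevated"
    else:
        tier = "baseline"

    return {
        "deal_id": row["deal_id"],
        "risk_tier": tier,
        "triggered_screens": "; ".join(screens) or NO_SIGNAL,
        "counsel_escalations": "; ".join(sorted(counsel)) or "none from supplied flags",
        "evidence_gaps": "; ".join(gaps),
        # A baseline row with any gap still escalates; it is never "cleared".
        "escalate": tier != "baseline" or bool(gaps),
    }


def run_triage(csv_text):
    """Triage every row of a CSV document supplied as text."""
    return [triage_row(row) for row in csv.DictReader(io.StringIO(csv_text))]


if __name__ == "__main__":
    for result in run_triage(SAMPLE_CSV):
        print(result)
```
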

Terms used in this article

The full glossary lives in the section’s master glossary; the terms you need for this piece:

  • Regime-trigger matrix: the deal-feature map that connects facts to the national-security screen that needs review.
  • Intake triage: the first diligence pass that records deal facts, screens red flags, identifies missing identifiers, and routes issues.
  • Evidence gap log: the list of facts the diligence team cannot verify yet.
  • CFIUS: the Committee on Foreign Investment in the United States, the inbound foreign-investment screen.
  • OFAC: the Treasury office that administers and enforces economic sanctions.
  • EAR: the Export Administration Regulations administered by BIS.
  • BOI: beneficial ownership information; confidential and access-limited under the current FinCEN system, not a public bulk dataset.
  • Covered data transaction: a DOJ Data Security Program transaction that may be prohibited or restricted when it gives a country of concern or covered person access to covered data.
  • VSD: voluntary self-disclosure, a counsel-owned disclosure to a regulator or prosecutor under a program-specific policy.
  • Condition precedent: a deal condition that must be satisfied before closing.
  • Special indemnity: a negotiated deal protection for a specific identified risk.
  • Escrow / holdback: funds held back to support a claim, remediation obligation, or unresolved risk.
  • Legal hold: a direction to preserve potentially relevant documents and data when investigation, enforcement, or litigation risk is reasonably anticipated.

Selected sources

  • Source Status Table: National-Security Diligence Stack, source_status_table.md
  • Master Regime-Trigger Matrix, regime_trigger_matrix.md
  • CFIUS source dossier and article, A1 CFIUS inbound capital screen
  • Outbound investment source dossier and article, A2 outbound investment reverse CFIUS
  • OFAC source dossier and article, B1 OFAC sanctions
  • Export-control source dossier and article, B2 BIS/EAR, ITAR, and technology screen
  • BSA/AML and FinCEN source dossier and article, B3 BSA/AML perimeter
  • DOJ Data Security Program source dossier and article, C1 EO 14117 data-security screen
  • Asset seizure and forfeiture source dossier and article, C2 forfeiture enforcement spine
  • Whistleblower and bounty source dossier and article, C3 bounty bridge
  • ACFE, “Key Findings from Occupational Fraud 2026: A Report to the Nations,” https://www.acfe.com/acfe-insights-blog/blog-detail?s=key-findings-report-to-the-nations-2026
  • D1 Applied DD Lab: lab/national-security-diligence-lab/src/ns_diligence/risk_workflow.py

Status note

Last reviewed: 2026-06-16.

Next scheduled review: 2026-09-16.

Current watch items: CFIUS annual report and non-notified review posture; outbound investment statutory and regulatory updates; OFAC and BIS enforcement guidance; RRE appeal; IA AML 2028 delay; BOI access and domestic-exemption status; DOJ Data Security Program guidance; major forfeiture releases; FinCEN AML whistleblower final rule; DOJ Corporate Whistleblower Awards Pilot Program extension or modification.

By Noah Green CPA CFE, for Sheepdog Prosperity Partners.