For Controlled Goods Program (CGP) registrants, statutory reporting obligations are critical - and can be triggered by something as minor as a corporate name change.
Those looking to acquire a CGP registrant through a corporate merger or acquisition need to understand these obligations, in advance, as the timelines for reporting changes under the controlled goods regulations are short and there is no “grace period” to get up to speed on the CGP obligations.
This bulletin provides an overview of some of the more critical reporting obligations, and a short update on previously reported Contract Security Program changes.
CGP Compliance Obligations
CGP registrants have several key compliance obligations, including:
- Internal security assessments: Conducting internal security assessments of individuals who will examine, transfer, and possess controlled goods and providing the CGP with a list of such individuals every six months.
- Security plan: Establishing and implementing a security plan for each facility in which controlled goods are examined, possessed, or transferred.
- Record-keeping: Maintaining records containing information about any controlled goods received, transferred, or disposed of.
- Security Breaches: Reporting any actual or potential security breaches to the CGP within three days.
- Corporate Changes: Notifying the CGP of changes to its application for registration.
Registrant Notifications Obligations - Not Just for Mergers and Acquisitions
Perhaps the most challenging obligation relates to the requirement to notify the CGP of any change in the registrant’s application. The application for registration is an ‘evergreen’ document. Registrants have an ongoing obligation to update their information. Any change in the applicant’s information provided in the application (individuals or businesses) must be provided to the CGP within 10 business days of becoming aware of the change.
Some of the more common notice obligations include:
- New employees: New employees who will have access to controlled goods must first undergo security screening. Note that employees handling controlled goods must be employed by the entity that holds the CGP registration, not a different corporation in the same corporate family.
- New Designated Officials (DO): Any new DO must meet the eligibility requirements and be security assessed prior to assuming that role. Likewise, if a transaction results in an increase in the number of employees, a registrant may need to add additional DOs to keep the recommended ratio of one DO per 150 employees.
- New facilities: New facilities, if they will hold controlled goods, must be security assessed and approved by the CGP before any goods are transferred to or held at the facility.
- New corporate numbers: Even if nothing else changes, a new corporate number is considered a change reportable to the CGP.
- New entities: If a registrant undergoes a corporate restructuring that results in a new entity, the new entity requires its own CGP registration. Registrations are not transferable.
- Change of control: The name and address of any person that will own 20% or more of the outstanding voting shares or interests of the business must be provided by the later of 32 business days before the date of an acquisition or one business day after the day on which the registrant becomes aware of an acquisition. A CGP security screening and registration may also be required.
Investment Canada Act Reviews
Issues related to controlled goods are rarely top-of-mind in an M&A scenario – but they should be. Because of the serious consequence of a violation of the CGP regime, both buy and sell sides should be prepared to satisfy Canadian federal requirements in relation to controlled goods. For foreign investment in which national security issues will be a factor, the Guidelines issued under the Investment Canada Act incorporate by reference considerations related to controlled goods via Section 35 of the Defence Production Act. Accounting for these issues at the start of a deal, rather than as an after-thought, can permit deal closing without troublesome uncertainty.
Additional Update on the Contract Security Program (CSP)
Since our initial bulletin Upcoming Changes to the Federal Contract Security Program May Be Problematic For Industry (and the Government), PSPC has implemented changes to the CSP and has modified the Manual to reflect these changes. For example, the Manual now reflects the requirement that a registered company’s CSO and ACSO ensure that an employee being screened is participating in an awarded and active contract with security requirements. Likewise, Section A of the personnel screening, consent and authorization form (Form 330/23) has been updated to provide a “justification for security screening requirement.” PSPC has also clarified that when an employee is working on multiple contracts, the CSO or ACSO should reference the contract that the employee will primarily be working on the screening form. As noted in our earlier bulletin, questions remain on this new approach, including how the shift towards ‘contract-by-contract’ clearances may impact individuals who are cleared for a particular contract that has an earlier end date than other contracts that the individual is also working on.