FOCI Is a Beneficial Ownership Problem, Not a Screening Problem

Compliance teams at U.S. telecom carriers have built vendor risk programs around a familiar model: screen against sanctions lists, check the BIS Entity List, monitor exclusions. These tools work for what they were designed to catch. But the Foreign Ownership, Control, or Influence (FOCI) compliance standard-especially as the FCC is now enforcing it-doesn’t live in those databases. A vendor can be clean on every sanctions list and every export control register, and still represent a compliance violation if it is majority-owned by a Chinese state enterprise or military-affiliated entity. The tools that protect you from sanctions evasion and proliferation don’t detect beneficial ownership. That regulatory gap has become the compliance gap.

PADFAA (Protecting Americans’ Data from Foreign Adversaries Act), signed April 24, 2024, and the FCC’s Secure and Trusted Communications Networks Act address complementary but distinct compliance requirements. PADFAA is an FTC-enforced data broker law governing data protection from foreign adversaries, while the FCC’s telecom supply chain rules (Secure Networks Act) govern telecommunications equipment and supply chain security. They are separate regimes that address different aspects of foreign adversary risk. They don’t ask whether a vendor is sanctioned. They ask who owns it and what access they have. For telecom carriers operating critical infrastructure, that rethinking of vendor risk isn’t optional anymore-it’s the new regulatory baseline.

What FOCI Actually Means-and Why It’s Not a Sanctions Problem

FOCI refers to any condition that gives a foreign person the power to direct or influence the conduct of a U.S. company’s business. In the telecom context, that power typically flows from majority ownership or control of critical intellectual property. The FCC’s concern isn’t theoretical-it’s about ensuring that foreign governments or their proxies cannot gain leverage over U.S. communications infrastructure.

Here’s where the regulatory mechanics diverge from existing programs. Sanctions screening targets entities the U.S. government has formally designated as threats due to proliferation, terrorism financing, or sanctions evasion. The OFAC Entity List and BIS designations are based on declared policies and past misconduct. Beneficial ownership screening answers a fundamentally different question: Who actually owns this company, and does that ownership create a conflict of interest with U.S. national security?

A vendor majority-owned by a Chinese state enterprise is not necessarily on any sanctions list. It’s simply not controlled by U.S. interests-which is exactly what FOCI prohibits. The FCC has been explicit: companies must go beyond list-based screening. The standard is now ownership transparency across multiple layers of corporate structure, verified against primary-source corporate registry data, not vendor attestations. That’s the evidentiary standard the regulator is setting.

Why Legacy Vendor Risk Programs Hit a Ceiling

The screening programs most telecom carriers have deployed are built on a matching architecture: compare entity names and identifiers against government databases. This model works for sanctions detection because it’s designed for it. But beneficial ownership is a graph problem, not a matching problem. It’s a network of relationships and intermediate owners that must be traced across multiple corporate layers and jurisdictions.

Sanctions screening treats entities as atomic points: a company either is or isn’t designated. Beneficial ownership requires understanding that a Chinese state enterprise may be the ultimate beneficial owner while a separate holding company appears in regulatory filings. Your vendor questionnaire captures what the vendor chooses to disclose about its own structure. It’s not an investigation into actual control mechanisms. More importantly, beneficial ownership changes. Ownership can shift through recapitalization, restructuring, or indirect acquisition by parents you hadn’t identified before. Sanctions screening catches static designations. The FCC expects carriers to maintain current knowledge of their vendors’ ownership. That’s not a one-time compliance check from three years ago-it’s a persistent baseline that needs to be monitored and updated as vendors’ ownership evolves.

What FOCI Compliance Looks Like When Enforced at Scale

The FCC’s supply chain security orders now require carriers to produce evidence of ownership verification if asked. Here’s a realistic scenario. A carrier contracts with a technology vendor for network management and cybersecurity services. The vendor is a U.S. LLC, founded domestically by engineers in California, and has never appeared on any sanctions list. But two years ago, the parent company was acquired by a holding company registered in Hong Kong, which is itself majority-owned by a Chinese state research institute with documented military-civil fusion connections. The acquisition structured the relationship through multiple intermediate entities to obscure the actual beneficial owner.

Your sanctions screening catches none of this because none of the entities hit a government list. Your vendor questionnaire doesn’t capture it because the vendor may not have disclosed the full chain. But to the FCC, the regulatory question is simple: Can a Chinese state entity direct or influence this vendor’s conduct? The answer is yes. That’s a FOCI violation.

Enforcement in the telecom sector is accelerating. Carriers that can document their ownership analysis with primary-source corporate registry data will defend their compliance posture. Carriers still relying on vendor attestations and sanctions lists cannot.

Building a Defensible FOCI Compliance Program

The path forward requires decoupling beneficial ownership diligence from sanctions screening. They’re distinct problems requiring different data models, tools, and evidentiary standards. A defensible FOCI program needs three capabilities that your current vendor program likely doesn’t have.

First is access to primary-source corporate registry data from jurisdictions where your vendors operate-not vendor questionnaires or inferred ownership. That means actual shareholder registries, corporate formation documents, and board records from China, Hong Kong, Singapore, and other jurisdictions where your vendors’ ultimate owners may reside. Beneficial ownership in these markets is often obscured, and you need that primary data to verify actual control structures.

Second is a network mapping capability that can trace ownership through multiple corporate layers. A vendor isn’t typically owned directly by a government entity. It’s owned by a holding company, which is owned by another entity, which has a relationship to a state enterprise. Understanding where the ultimate beneficiary sits requires building that chain and verifying each link. That’s not a questionnaire problem-it’s a graph problem.

Third is continuous monitoring integrated into your vendor management lifecycle. Ownership changes through recapitalization, restructuring, and indirect acquisition. The FCC expects carriers to maintain current knowledge. That’s not a one-time due diligence exercise. It’s a persistent baseline that needs to be monitored and updated as your vendors’ ownership evolves.

Sayari has built a beneficial ownership platform designed for this standard, integrating corporate registry data from 250+ jurisdictions and mapping ownership networks across jurisdictional boundaries. The platform enables carriers to identify actual beneficial owners-not just screen against lists. Rather than replacing your vendor screening program, a beneficial ownership capability sits alongside it, answering the distinct question of who controls your vendors. Explore how Sayari helps telecom carriers demonstrate FOCI compliance with defensible beneficial ownership data.