CFIUS Issues Final Regulations on National Security Review of Foreign Investments in the United States under FIRRMA: Broader Reach, Mandatory Filings, and Limited Exceptions
On Jan. 13, 2020, the Committee on Foreign Investment in the United States (CFIUS) released two long-awaited sets of final regulations that implement nearly all of the Foreign Investment Risk Review Modernization Act of 2018 (FIRRMA) and go into effect on Feb. 13, 2020. As reported in our GT Alert of Aug. 14, 2018, the adoption of FIRRMA in 2018 had broad bipartisan support and updated the statutory authority for national security review of foreign investments in the United States.
The President of the United States has legal authority to block or unwind any foreign investment in the United States that is deemed to pose an unmitigated national security risk. FIRRMA and the CFIUS regulations provide the process by which investors and targets of investment jointly notify CFIUS (whether voluntarily or under new mandatory declaration provisions). If CFIUS determines that no unmitigated national security issues exist, it may issue a “safe harbor” letter related to the proposed investment, hence eliminating any concerns by the investor and target that a deal might be blocked or unwound.
The FIRRMA Implementing Regulations
The two sets of FIRRMA Implementing Regulations issued are:
- Provisions Pertaining to Certain Investments in the United States by Foreign Persons (that update the CFIUS regulations for covered transactions at 31 C.F.R. Part 800), and
- Provisions Pertaining to Certain Transactions by Foreign Persons Involving Real Estate in the United States (at 31 C.F.R. Part 802).
In general, the FIRRMA Implementing Regulations expand CFIUS’s reach by broadening its jurisdiction over certain minority investments and real estate transactions, and establishing requirements for mandatory declarations. The regulations also specify and clarify the U.S. business activities CFIUS is most concerned about from a national security perspective, including those in the data collection and healthcare realm that have only recently gained attention as national security risk areas. Some of the most significant changes of the FIRRMA Implementing Regulations include:
- Minority investments in-scope for CFIUS. The universe of transactions that fall under CFIUS jurisdiction will expand to capture certain minority investments that afford a foreign investor access to technical information, board or observer rights, or substantive decision-making authority, which may trigger mandatory or voluntary notice provisions.
- Mandatory declarations for “TID U.S. Businesses.” The FIRRMA Implementing Regulations establish the concept of “TID U.S. Businesses,” a subset of U.S. businesses that deal in critical Technologies, critical Infrastructure, or sensitive personal Data (TID). The regulations create mandatory declaration requirements and jurisdictional coverage that reflect the heighted national security risk associated with TID businesses.
- Mandatory declarations for certain investments in U.S. businesses that deal in “critical technologies.” This updated mandatory declaration requirement is set to replace the current “Critical Technologies Pilot Program” and is similar to it in most respects.
- Mandatory declarations for foreign government investment. For the first time, CFIUS will require declarations for investments of more than 25% in a “TID U.S. Business” by a foreign person who is 49% or more owned by a foreign government.
- Real estate investments in-scope for CFIUS. Transactions that are not considered “covered transactions” may still be subject to CFIUS jurisdiction if they qualify as “covered real estate investments.” The real estate provisions focus on purchases, leases, and concessions by foreign persons of U.S. real estate that is located near sensitive U.S. sites, including airports, maritime ports, and military bases.
- Exceptions for investors from key U.S. military allies. The FIRRMA Implementing Regulations establish exceptions for certain “excepted investors” from three countries: Canada, Australia, and the U.K. However, not all investors from these countries will qualify as excepted investors.
Below, we provide details on these provisions and how they may impact cross-border investment in the future.
Mandatory Filing for Foreign Government-Controlled Transactions
Prior to FIRRMA, CFIUS was a wholly voluntary process. One of FIRRMA’s most significant changes makes CFIUS filings mandatory in certain situations, and imposes monetary penalties (up to the value of the investment) for the failure to file (in addition to the risk of having a transaction investigated or unwound post-closing). Specifically, the FIRRMA Implementing Regulations mandate the submission of a declaration to CFIUS in the case of a foreign government acquisition, including acquisitions of a “substantial interest” in a TID U.S. Business by a foreign person in which a foreign government has a “substantial interest.” The relevant “substantial interest” thresholds are 25% (for foreign person ownership in the TID business) and 49% (for foreign government ownership of the foreign person).
Mandatory Filing for Covered Investments in Critical Technologies (and the fate of the Critical Technologies Pilot Program)
FIRRMA Implementing Regulations also mandate the submission of a declaration to CFIUS for transactions involving certain investments related to critical technologies. Specifically, certain investments – controlling and noncontrolling – involving a TID U.S. Business that produces, designs, tests, manufactures, fabricates, or develops one or more critical technologies utilized in connection with 27 specifically enumerated industries (as identified by NAICS Code).
For now, the provisions relating the mandatory declarations for critical technologies largely mirror CFIUS’s existing Critical Technologies Pilot Program, which was established in Fall 2018 and requires parties to certain transactions involving “pilot program U.S. businesses” to file mandatory declarations. The Pilot Program was a temporary program in response to FIRRMA and, by its terms, is set to expire this year. Much of the current Pilot Program has been published as part of the FIRRMA Implementing Regulations, and the Pilot Program is set to expire on Feb. 12, 2020.
CFIUS has indicated that it will make one significant change to the critical technologies mandatory declaration requirements prior to Feb. 13, 2020: it will eliminate the use of NAICS codes and move to qualifying criteria based on certain export licensing requirements. While the exact mechanics of such requirements remain to be seen, the new program, much like the Pilot Program, will require U.S. businesses considering foreign investment to have a clear understanding of the export controls regimes applicable to their products and services. In the meantime, parties should continue to review NAICS codes as part of their mandatory filing analysis.
The FIRRMA Implementing Regulations also carve out from the mandatory declaration requirement certain types of encryption software (eligible for export pursuant to license exception ENC) which would ordinarily be considered “critical technologies” and were previously covered under the Pilot Program. Further, the regulations establish requirements for the transition from the Critical Technologies Pilot Program to the mandatory declaration provisions in the new regulations. Companies considering transactions with a target closing date in February or March 2020 should review both the Pilot Program and new regulations closely to determine which program and filing deadline applies to their transaction.
Expanded CFIUS Jurisdiction
Historically, CFIUS reviewed transactions for national security concerns that could arise from a U.S. business becoming controlled by a foreign person (in the form of a controlling investment or acquisition). FIRRMA continues to apply to foreign control transactions and expands CFIUS’s jurisdiction in several key ways, notably, by including certain minority investments, known as “covered investments,” within the expanded scope.
CFIUS Jurisdiction Over Minority “Covered Investments”
“Covered investments” include those that give the foreign investor certain defined rights in a “TID U.S. Business”
- Investor Rights: For an investment to be a “covered investment,” it must afford the foreign person any of the following:
- access to “material non-public technical information”;
- membership or observer status on the board of directors; or
- involvement in certain substantive decision-making.
- TID U.S. Business: The FIRRMA Implementing Regulations establish the concept of “TID U.S. Businesses,” which are businesses with a nexus to “Critical Technologies,” “Critical Infrastructure,” or “Sensitive Personal Data of U.S. citizens.” Specifically, TID U.S. Businesses include any business that:
- Critical Technologies—“Produces, designs, tests, manufactures, fabricates, or develops one or more critical technologies,” a term defined through cross-reference to various export controls regimes.
- Critical Infrastructure—Owns, operates, manufactures, supplies, or services specified types of “critical infrastructure.” Critical infrastructure includes a range of energy, communication, and transportation infrastructure, and the applicability of these regulations to a particular business’s activity requires close evaluation of Appendix A of the FIRRMA Implementing Regulations, which often cross-references other federal regulatory programs.
- Sensitive Personal Data—Maintains or collects “sensitive personal data,” a term defined by both the sensitivity/scope of the data as well as the type. The U.S. business must either tailor its operations to U.S. national security agencies, or meet a one million individual threshold as to the number of individuals it collects data on. Further, the data must be traceable back to a specific person and fall within one of the enumerated categories, including financial and consumer reports, healthcare information, insurance applications, private communications, geolocation, and biometrics, among others.
Individual genetic test results are treated differently than other forms of sensitive data and are not subject to the one-million-person threshold requirement. In response to concerns from the biotechnology community, the FIRRMA Implementing Regulations clarify that genetic data must be identifiable (carving out anonymized data) and exempt data derived from databases maintained by the U.S. government and routinely provided to private parties for research purposes.
Option for Voluntary Short-Form Declaration
Notably, and despite the expanded scope, apart from the mandatory declaration categories summarized in this alert the CFIUS process will remain largely voluntary. In addition, the FIRRMA Implementing Regulations allow for parties considering a covered transaction to file a declaration instead of a full joint notice. Since declarations are much shorter than full notices and require only a 30-day lead time, this provision has the potential to benefit parties with relatively low risk but covered transactions by reducing administrative burden and review times associated with filing a full notice. It is possible that upon review of a short-form voluntary declaration, CFIUS could request that the parties submit a full long-form notice, so the decision to file a short-form declaration will require some analysis and strategy by the parties. To make a sound business decision as to whether the short form declaration will be advantageous, the parties should consider the industry of the target and the nationality of investors, among other factors.
CFIUS Jurisdiction Over Real Estate Investments
The FIRRMA Implementing Regulations include a new part (31 C.F.R. Part 802) that applies specifically to certain investments in “covered real estate transactions.” These provisions respond to a growing pre-FIRRMA concern that transactions involving only the purchase or lease of land (without any actual U.S. business associated with it) could fly under CFIUS’s radar despite national security threats. The regulations cover several different forms of real estate investments, including not only purchases but also leases and concessions that give the potential foreign investor certain types of property rights (including the right to physically access; exclude others; to improve or develop the property; and/or affix structures or objects to it).
The “covered real estate” to which this rule applies includes identified high risk sites such as airports and maritime ports, and those in:
- “close proximity” (one mile),
- “extended range” (1-100 miles),
- counties with relevant military installations, and/or
- “offshore ranges” (12 nautical miles off U.S. coastline)
of enumerated sensitive U.S. Government sites, depending on the sensitivity of the site.
CFIUS has also established several categories of “excepted real estate transactions,” including transactions relating to 1) single housing units; 2) most real estate in “urbanized areas” as defined by the Census Bureau; 3) most commercial office real estate; and 4) leases or concessions by foreign air carriers. Given the technical nature of these regulations and the number of exceptions, a detailed, fact-specific analysis of the property in question and the surrounding geographic area should be made when considering a transaction. To assist parties with this analysis, CFIUS has announced it will establish a publicly-available online tool, which has yet to be released.
“Greenfield” foreign operations, when a foreign parent company creates a subsidiary in the United States and builds it from the ground up, remain outside of CFIUS scope. However, it is possible that the acquisition of real estate for those greenfield operations could itself be subject to CFIUS review.
CFIUS notifications (whether long-form notices or short-form declarations) for covered real estate transactions are voluntary – the FIRRMA Implementing Regulations contain no mandatory declaration requirement for real estate investments.
Principal Place of Business Defined and Treatment of Investment Funds
Under the FIRRMA Implementing Regulations, CFIUS has defined an entity’s “principal place of business” as “the primary location where an entity’s management directs, controls, or coordinates the entity’s activities, or, in the case of an investment fund, where the fund’s activities and investments are primarily directed, controlled, or coordinated by or on behalf of the general partner, managing member, or equivalent.” Notably, however, the regulations go on to state that if an entity’s reported principal place of business is something other than the United States in the entity’s most recent U.S. government filing, the location given in the filing will govern for CFIUS purposes. This definition is included as an interim rule and the Treasury Department is seeking comments from interested parties on the definition of “principal place of business.”
In addition, the FIRRMA Implementing Regulations exempt certain investments by foreign persons through investment funds from the mandatory declaration requirements if the fund is managed exclusively by a general partner, managing member, or equivalent who is not a foreign person and the foreign person does not have the right to control the investment fund or any access/involvement rights associated with covered investments.
Excepted Foreign States and Investors
The FIRRMA Implementing Regulations establish a new framework in which certain “excepted investors” from “excepted foreign states” may be exempt from filings for minority, noncontrolling investments. Notably, investors from “excepted foreign states” must satisfy a number of additional criteria to qualify as “excepted investors.” The term “excepted investor” includes nationals and governments of excepted foreign states, as well as entities organized in excepted foreign states that meet a number of criteria listed in the regulations, including clear compliance and CFIUS records and certain thresholds regarding nationality of their governance boards and shareholders. Excepted investors are not exempt from the filing requirements for investments in which they gain control of a U.S. business.
CFIUS has designated an initial list of “excepted foreign states” which includes Australia, Canada, and the United Kingdom. In identifying these three countries, CFIUS highlighted their strong military alliances and practice of sharing intelligence with the United States. The three countries will be considered “excepted foreign states” for a period of two years, during which time CFIUS will evaluate their process for reviewing national security risks and determine whether each foreign state has “established and is effectively utilizing a robust process to analyze foreign investments for national security risks and to facilitate coordination with the United States on matters relating to investment security.” In the future, CFIUS will be able to make similar determinations with respect to additional foreign states.
Potential Upside of CFIUS Regulations
While the regulations certainly create additional regulatory compliance requirements for many types of investments and industries, the new regulations also have the potential to benefit investors. The new regulations provide more certainty as to the exact types of investments CFIUS is interested in and, in certain cases, allow for shorter review periods when compared to the prior CFIUS regime. In public statements describing these regulatory changes, CFIUS has emphasized the U.S. government’s support of foreign investment and highlighted the fact that since the changes to the regulations last year, there has been an increase in the number of transactions cleared during the initial 45-day review period.
Considerations for Non-U.S. Investors and Potential Targets
Non-U.S. investors may benefit from:
- Reviewing shareholder information to determine whether any shareholders are controlled by a non-U.S. government, and if so, what percentage of ownership and other indicia of control such shareholders have;
- When investing through investment funds, reviewing the management structure and investor rights and understand whether the fund is exempt from certain CFIUS requirements;
- For investment funds organized outside of the United States but operating within the United States, reviewing prior filings with the U.S. government to understand how, if at all, the new definition of “principal place of business” affects the business; and
- For investors from Australia, Canada, and the United Kingdom, reviewing the company’s compliance history and nationalities of the members of the board of directors and shareholders to determine whether the company may qualify as an “excepted investor.”
U.S. businesses who may be the target of non-U.S. investment may benefit from:
- Conducting an export control classification analysis of company technology;
- Reviewing data collection and retention policies to understand the type and amount of data collected, given the widespread collection of customer data by companies through websites and mobile phone applications; and
- Considering what types of access or other rights (such as observer or board seats) might be granted to potential non-U.S. investors (even in cases of minority investments).
In general, all parties to potential cross-border transactions should:
- Evaluate whether a transaction triggers any CFIUS mandatory declaration requirement, and, if not, consider conducting a risk-based analysis to determine whether a voluntary filing is a good option;
- Remember that CFIUS plans to issue filing fee requirements at a later date, which should be considered when planning deal budgets; and
- Allow for sufficient time pre-signing to conduct CFIUS analysis and add appropriate terms to deal documents, as well as prepare, file, and manage the CFIUS process if applicable.