Skip to main content
October 7, 2019

CFIUS Proposed Rules Firm up Plans for New Scrutiny of Foreign Investment


On September 24, 2019, the Department of the Treasury, as Chair of the Committee on Foreign Investment in the United States (CFIUS), published two proposed rules implementing the Foreign Investment Risk Review Modernization Act (FIRRMA).1 The proposed rules addressed here would implement FIRRMA's expansion of CFIUS's jurisdiction with respect to foreign investments in US businesses involved with critical infrastructure or maintaining certain categories of sensitive personal information. In a separate advisory, we address the new proposed rules providing CFIUS with enhanced jurisdiction to review foreign investments in certain real estate transactions.2

The proposed rules are open for public comment through October 24, 2019. That provides only a short window of time to comment on what are two lengthy, detailed, and critically important proposals that will affect a wide range of foreign investment transactions in the United States for likely years to come.

Background: What Did FIRMMA and the Pilot Program Do?

FIRRMA, which was enacted in 2018, provides extensive new authority to CFIUS to review foreign investments in US businesses and recommend action by the President, under Section 721 of the Defense Authorization Act (Section 721), to block or otherwise interfere with such investments.3 Through interim regulations published in October 2018, some of the FIRRMA reforms were implemented almost immediately, including through a "Pilot Program" making it mandatory to inform CFIUS in advance of certain investments in US businesses involved in the production of "critical technologies."4 But that left many of the FIRRMA provisions unaddressed, and the new proposed rules, with some exceptions, aim to fully implement the statute.

Among other things, FIRRMA did the following:

  • It expanded CFIUS's jurisdiction from only transactions resulting in foreign "control" over a US business to "other investments" that do not result in such control but give a foreign person an equity interest in and certain rights regarding US businesses dealing with "critical technologies," "critical infrastructure" or "sensitive personal data" of US citizens.
  • It required CFIUS to specify criteria to limit the application of Section 721 with respect to "other investments" made by certain categories of foreign persons.
  • It made pre-closing submissions to CFIUS mandatory for some foreign investments, whereas previously filings with CFIUS had been made almost exclusively on a voluntary basis.
  • It authorized filing fees for submitting notices to CFIUS.
  • It lengthened the period for CFIUS's review of notices from 30 to 45 days, leaving in place the 45-day period for investigations deemed necessary following the review of a notice.
  • It added specific authority for CFIUS to scrutinize non-control transactions involving foreign investments in real estate.

The Pilot Program rules, as described in detail in our prior advisory,5 went into effect in November 2018 and require mandatory "declarations" to be submitted to CFIUS at least 45 days prior to an investment resulting either in control by or special rights for a foreign investor in a US business involved in the production of "critical technologies." Those rules are scheduled to sunset when the new proposed rules become effective in final form.

What are the key aspects of the new proposed FIRRMA non-real estate rules?

Covered Investments

As noted, FIRRMA added to Section 721's "covered transactions" any "other investment" (i.e., a noncontrolling investment) by a foreign person in a US business that (i) owns, operates, manufactures, supplies, or services "critical infrastructure"; (ii) produces, designs, tests, manufactures, fabricates, or develops one or more "critical technologies"; or (iii) maintains or collects sensitive personal data of US citizens that may be exploited in a manner that threatens national security. Under the proposed rules, these types of transactions are termed "covered investments," and the US businesses that are the subjects of "covered investments" are termed "TID US Businesses" ("TID" being an acronym for "Technology, Infrastructure, and Data").

Covered Investments in Critical Technologies. Generally, the proposed rules do not develop CFIUS' rules around covered investments in "critical technologies" beyond the interim rules establishing the Pilot Program. As stated in the preamble to the proposed rules, CFIUS is continuing to evaluate the Pilot Program rules and the comments it received when it published those rules. Further, Treasury is now specifically soliciting additional comments on the retention of the mandatory declaration requirement for transactions that are "Pilot Program covered transactions" under those rules.

Covered Investments in Critical infrastructure. The Pilot Program rules did not address FIRRMA's provisions regarding non-controlling foreign investments in a US business that "owns, operates, manufactures, supplies, or services critical infrastructure." The proposed rules do so by creating a matrix for determining if a US business is a TID US business for purposes of "critical infrastructure" covered investments. Specifically, the proposed rules include two tables that, respectively: (1) list numerous types of critical infrastructure (e.g., certain internet protocol networks, certain interstate oil pipelines, certain financial market utilities that have been designated as systemically important by the federal Financial Stability Oversight Council, any facility manufacturing certain metals, chemicals, or non-commercially available "off-the-shelf" industrial resources) and (2) list types of functions related to such infrastructure (e.g., owning, operating, manufacturing such infrastructure). A US business that performs any one of the specified functions in table 2 with respect to a type of infrastructure listed in table 1 is a TID US business for purposes of critical infrastructure covered investments.6 Both tables are highly detailed and Treasury will consider comments on whether any item listed in either table should be modified, removed, or whether additional items should be added.

Covered Investments in a U.S. Business That Maintains or Collects Sensitive Data for Certain Purposes. The third type of TID US business—a US business that maintains or collects "sensitive personal data" of US citizens that "may be exploited in a manner that threatens national security"—also was not addressed in the Pilot Program rules. The proposed rules define "sensitive personal data" as "identifiable data" of certain specified types, if the US business that maintains or collect such data (i) targets or tailors its products or services to a US executive branch agency or military department with intelligence, national security, or homeland security responsibilities, or to personnel and contractors thereof; (ii) has maintained or collected such data on greater than one million individuals at any point during the preceding 12 months; or (iii) has a demonstrated business objective to maintain or collect such data on greater than one million individuals and such data is an integrated part of the US business's primary products or services. However, if the US business maintains or collects genetic information (as defined under the Health Insurance Portability and Affordability Act (HIPAA)), none of these three limitations apply; such a US business is a TID U.S. business regardless of those three qualifications.

The categories of data that may be "sensitive personal data" are very broad, including financial information, health-related data, non-public electronic communications, geolocation data, biometric information, and data typically held by government contractors.7 The three limiting qualifications listed above will be key for CFIUS in distinguishing a TID US business from the millions of US businesses that maintain or collect such data without posing any risk to national security. Public comments on those three limiting qualifications will help Treasury to prevent unintended overbreadth in the definition of TID US businesses and in CFIUS's jurisdiction.

Excepted Investors and Excepted Foreign States. One of the most welcome aspects of the proposed rules, at least for some foreign investors, may be Treasury's proposed implementation of FIRRMA's requirement that CFIUS specify criteria to limit its jurisdiction over "covered investments" to certain categories of foreign persons. The proposed rules would implement this requirement by creating categories of "excepted investors" and "excepted foreign states." Functionally, this would serve to operate as a kind of "global entry" gate that will permit certain foreign investors from designated states to enjoy something akin to a "visa waiver" for their non-controlling investments in the United States.

The category of "excepted foreign states" will be dynamic. A country will be determined to be an "excepted foreign state" only if (i) it is listed as an "eligible foreign state" in a list that will be published separately from the CFIUS rules on the Treasury Department's website. And such a listing will not guarantee that a particular country is an "excepted foreign state"—CFIUS will select from that list only those eligible foreign states those that have established and are effectively using a "robust process" to assess foreign investments for national security risks and to facilitate coordination with the United States on matters relating to investment security. CFIUS's decision to select and designate a particular country as an "excepted foreign state" will be published in the Federal Register and the list of all "excepted foreign states" will be posted on the Treasury Department website.

"Excepted investors" under the proposed rules are foreign persons that have a substantial connection to one or more excepted foreign states (such as, among other requirements, being incorporated in, and having board members who are nationals of an excepted foreign state) and that have not violated (and whose parents or subsidiaries have not violated) certain US laws, regulations, orders, directives, or licenses and have not violated any duties in relation to CFIUS. If a foreign person who is an "excepted investor" at the time of a transaction engages in any such violation within three years after the completion of the transaction, CFIUS will have jurisdiction to take action regarding the investment within that three-year period.

Investment Fund Transactions

FIRRMA created certain exceptions from CFIUS's jurisdiction over non-controlling foreign investments made through investment funds. The proposed rules clarify those exceptions through provisions similar to the investment fund provisions in the Pilot Program rules. Specifically, under the proposed rules, an indirect investment by a foreign person in an unaffiliated TID US business through an investment fund, where that investment affords the foreign person (or a designee of the foreign person) membership as a limited partner or equivalent on an advisory board or committee of the fund, and certain restrictions on the authority of the foreign person exist, a limited partner's membership on the investment fund's advisory board or committee does not in and of itself render the foreign person's indirect investment in an unaffiliated TID US business a covered investment.

Filing Options

In accordance with FIRRMA, the proposed rules set the stage for three different forms of non-governmental triggers for CFIUS's review of a proposed foreign investment: (1) mandatory declarations, (2) voluntary declarations, and (3) voluntary notices.

Mandatory Declarations. The proposed rules leave intact the Pilot Program mandate to file a declaration with CFIUS regarding non-controlling, but not completely passive, equity foreign investments in a US business that produces, designs, tests, manufactures, fabricates, or develops one or more "critical technologies" for use in certain industries. As stated in the proposed rules' preamble, CFIUS is considering whether to continue that mandate when it publishes the final FIRRMA rules, and will consider comments on that issue in making a decision to that effect.

As to other types of investments, the proposed rules would implement FIRRMA in mandating that a filing be made with CFIUS with respect to investments (whether controlling or not) that result in the acquisition of a "substantial interest" in a TID US business by a foreign person in which a foreign government has a "substantial interest." A "substantial interest" in a US business means a voting interest of at least 25%. A "substantial interest" of a foreign government in a foreign person (the investor) means a voting interest of 49% or more.

Voluntary Declarations. For investments where no filing is mandatory, voluntary declarations may be a welcome alternative to filing a voluntary notice in many cases. While preparing a full notice can be a fairly time-consuming and burdensome process, preparing a declaration is relatively simple. The declaration form is posted online as a fillable PDF document that is easy to navigate and requires minimal prose. Further, CFIUS is required to review declarations within 30 days (compared to the 45-day review now applicable for notices). Thus, where a transaction is fairly straightforward and does not seem to present a serious national security risk, filing a declaration may be an attractive option. The risk is that if CFIUS determines it cannot conclude its review during the 30-day declaration review period, it can, among other options, request the parties to file a notice, which will mean 30 days will have been added to what might have been a more streamlined review of a notice in the first place, or not reach any conclusion by the end of its 30-day review, giving the parties no conclusive answer as to whether the President might exercise his authority under Section 721 to interfere with the transaction.

Voluntary Notices. Voluntary notices continue to be an option for the parties to all covered transactions (whether those resulting in foreign control or non-controlling "covered investments). As noted above, in some cases where filing at least a declaration is mandatory, it may make sense to file a full notice instead (which satisfies the filing mandate), in anticipation that CFIUS, after reviewing a declaration, may request a full notice or provide no conclusive response regarding the transaction. Thus, decisions regarding when and what to file with CFIUS remain complex.


Although Treasury is postponing imposing filing fees as authorized by FIRRMA, the proposed rules would implement the onerous penalty regime prescribed by FIRRMA. Under the proposed rules, parties may be penalized for any material misstatement or omission from a CFIUS filing—regardless of intent or gross negligence. Such penalties are capped at $250,000 per violation, but other penalties for noncompliance with CFIUS rules can be as high as twice the value of the transaction at issue.


Treasury appears to have put significant thought into the proposed rules, including by providing explanations and examples to help potential investors and sellers understand the scope of the FIRRMA rules. The areas in which Treasury indicates it is still considering options are ones in which comments from the public may be most influential. But in whatever way the proposed rules may raise concerns for potential investors or targets, the comment period ending October 24, 2019 will be the best opportunity for quite some time to attempt to influence the final rules or mitigate the most concerning aspects of the proposed rules.

© Arnold & Porter Kaye Scholer LLP 2019 All Rights Reserved. This Advisory is intended to be a general summary of the law and does not constitute legal advice. You should consult with counsel to determine applicable legal requirements in a specific fact situation.

  1. 84 Fed. Reg. 50,174 (Sept. 24, 2019).

  2. CFIUS Releases New Real Estate Transaction Rules. Those real estate-related rules, while not applicable to transactions resulting in control by a foreign person over a US business, provide insight into concerns that CFIUS may have with respect to such control transactions where part of the US assets being acquired is real estate.

  3. See New Law Expands and Reforms CFIUS Jurisdiction and US Export Controls, Arnold & Porter (Aug. 13, 2018).

  4. See New Mandatory Submissions to CFIUS: Interim Regulations Under FIRRMA Take Effect November 10, 2018 Arnold & Porter (Oct. 16, 2018).

  5.  Id.

  6. Appendix A to part 800

  7. Excepted from the definition of "sensitive personal information" is data maintained by a US business on its own employees (unless the date pertains to employees of US government contractors who hold personnel security clearances) and data that is a matter of public record.