CFIUS Finalizes Rules Implementing Its Expanded Jurisdiction to Review Foreign Investment in US Businesses
Effective February 13, 2020, the Committee on Foreign Investment in the United States (CFIUS) will exercise its broader mandate under the Foreign Investment Risk Review Modernization Act (FIRRMA), which was enacted in 2018, to examine certain foreign investment transactions. The recently released final FIRRMA implementing regulations, to be officially published on January 17, 2020, are largely consistent with the proposed rules issued last September by the Department of the Treasury, which chairs CFIUS. The final rules terminate the "Pilot Program" that began under FIRRMA in fall 2018. The elements of the terminated Pilot Program, for the most part, are incorporated into the new rules for transactions that close after February 13, 2020.1
Below, we provide an overview of the new CFIUS landscape, highlighting those areas where the final rules differ from those proposed last fall. In a separate advisory, we address the new final rules providing CFIUS with enhanced jurisdiction to review foreign investments in certain real estate transactions.2
Background: What Did FIRMMA and the Pilot Program Do?
FIRRMA granted CFIUS extensive new authority to review foreign investments in US businesses for purposes of potentially recommending action by the president, under Section 721 of the Defense Production Act (Section 721), to block or otherwise interfere with such investments.3 Through interim regulations published in October 2018, some of the FIRRMA reforms were implemented almost immediately, including through a Pilot Program making it mandatory to inform CFIUS in advance of certain investments in US Businesses involved in the production of "critical technologies."4 But that left many of the FIRRMA provisions unaddressed, and the final rules, with some narrow exceptions, will fully implement the statute.
Among other things, FIRRMA:
- Expanded CFIUS's jurisdiction from only transactions resulting in foreign "control" over a US business to "other investments" that do not result in such control but give a foreign person an equity interest in and certain rights regarding US businesses dealing with "critical technologies," "critical infrastructure" or "sensitive personal data" of US citizens.
- Required CFIUS to specify criteria to limit the application of Section 721 with respect to "other investments" made by certain categories of foreign persons.
- Made pre-closing submissions to CFIUS mandatory for some foreign investments, whereas, previously, filings with CFIUS had been made almost exclusively on a voluntary basis.
- Authorized filing fees for submitting notices to CFIUS.
- Lengthened the period for CFIUS's review of notices from 30 to 45 days, leaving in place the 45-day period for investigations deemed necessary following the review of a notice.
- Added specific authority for CFIUS to scrutinize noncontrol transactions involving foreign investments in real estate.
The Pilot Program rules, as described in detail in our prior Advisory,5 went into effect in November 2018 and require mandatory "declarations" to be submitted to CFIUS at least 45 days prior to an investment resulting either in control by or special rights for a foreign investor in a US business involved in the production of "critical technologies." Those rules will sunset when the new final rules become effective on February 13, but the provisions of the Pilot Program will largely live on within the new rules, which maintain the same mandatory filing requirements for the same category of US businesses (for now).
What Are the Key Aspects of the Final FIRMMA Non-Real Estate Rules and How Do They Differ From the Rules Proposed in September?
As noted, FIRRMA added to Section 721's "covered transactions" any "other investment" (i.e., a noncontrolling investment) by a foreign person in a US business that (i) owns, operates, manufactures, supplies, or services "critical infrastructure"; (ii) produces, designs, tests, manufactures, fabricates, or develops one or more "critical technologies; or (iii) maintains or collects sensitive personal data of US citizens that may be exploited in a manner that threatens national security. Under the final rules, these types of transactions are termed "covered investments," and the US businesses that are the subjects of "covered investments" are termed "TID US Businesses" (TID being an acronym for "Technology, Infrastructure, and Data").
Covered Investments in Critical Technologies. Generally, the final rules incorporate the CFIUS Pilot Program rules for covered investments in "critical technologies" and sunset the Pilot Program for transactions that occur after the final rules are effective. In short, CFIUS can now review any investment that affords a foreign investor certain rights in a US business that produces, designs, tests, manufactures, fabricates, or develops one or more "critical technologies." The category of "critical technologies" includes any technology controlled under the International Traffic in Arms Regulations (ITAR), many technologies controlled under the Export Administration Regulations (EAR), including new controls on emerging and foundational technologies when such controls are established, and other technologies controlled under other US laws (such as those related to nuclear facilities and toxins). In addition, consistent with the Pilot Program, investments in TID US Businesses working with critical technologies in certain industries require a filing with CFIUS, as discussed below. Investments in other "critical technology" US businesses are subject only to the standard voluntary review regime that governs most CFIUS covered transactions.
Covered Investments in Critical Infrastructure. The final rules implement FIRRMA's provisions regarding noncontrolling foreign investments in a US business that "owns, operates, manufactures, supplies, or services critical infrastructure."6 The rules do so by creating a matrix for determining if a US business is a TID US Business for purposes of "critical infrastructure" covered investments. Specifically, the rules include two tables that, respectively: (1) list numerous types of critical infrastructure (e.g., certain internet protocol networks, certain interstate oil pipelines, certain financial market utilities that have been designated as systemically important by the federal Financial Stability Oversight Council, any facility manufacturing certain metals, chemicals, or noncommercially available "off-the-shelf" industrial resources) and (2) list types of functions related to such infrastructure (e.g., owning, operating, manufacturing such infrastructure). A US business that performs any one of the specified functions in Table 2 with respect to a type of infrastructure listed in Table 1 is a TID US Business for purposes of critical infrastructure covered investments.7
Covered Investments in a US Business that Maintains or Collects Sensitive Data for Certain Purposes. The third type of TID US Business—a US business that maintains or collects "sensitive personal data" of US citizens that "may be exploited in a manner that threatens national security"—also was not addressed in the Pilot Program rules. The rules define "sensitive personal data" as "identifiable data" of certain specified types, if the US business that maintains or collect such data (i) targets or tailors its products or services to a US executive branch agency or military department with intelligence, national security, or homeland security responsibilities, or to personnel and contractors thereof; (ii) has maintained or collected such data on greater than one million individuals at any point during the preceding 12 months; or (iii) has a demonstrated business objective to maintain or collect such data on greater than one million individuals and such data is an integrated part of the US business's primary products or services.
The final rules slightly narrow the scope of this category of "TID US Business" from the proposed rules, which had been drafted to capture businesses that maintain any "genetic" data regardless of these other criteria. The final rules no longer single out "genetic" data as more sensitive in this way and, in fact, narrow the kind of "genetic data" that is covered to the results of "genetic tests" as that term is defined in the Genetic Information Non-Discrimination Act of 2008 (GINA) and limit the coverage of the rule to identifiable data.
Otherwise, consistent with the proposed rules, the categories of data that may be "sensitive personal data" are very broad, including financial information, health-related data, nonpublic electronic communications, geolocation data, biometric information, and data typically held by government contractors.8 The three limiting qualifications listed above will be key for CFIUS in distinguishing a TID US Business from the millions of US businesses that maintain or collect such data without posing any risk to national security.
Excepted Investors and Excepted Foreign States. Consistent with the proposed rule, Treasury will move forward with the creation of the categories "excepted investors" and "excepted foreign states." Functionally, these categories will serve to operate as a kind of "global entry" gate that will permit certain foreign investors from designated states to enjoy something akin to a "visa waiver" for their noncontrolling investments in the United States.
The specific occupants of the category of "excepted foreign states" will be dynamic. Eventually, a country will be determined to be an "excepted foreign state" only if it is first identified to be an "eligible foreign state" and then determined to have "established and [be] effectively utilizing a robust process to analyze foreign investments for national security risks and to facilitate coordination with the United States on matters relating to investment security." However, this second determination will be required only after February 13, 2022 (two years after the final rule becomes effective), meaning that all foreign states identified as "eligible foreign states" are also automatically "excepted foreign states" for the next two years. In the final rule, CFIUS has announced Australia, Canada and the United Kingdom—three of the United States' closest allies—as the first three "eligible" and "excepted" foreign states. CFIUS can subsequently determine that a foreign state should lose status as an eligible or excepted state, and CFIUS can add additional eligible or excepted states.
"Excepted investors" under the rules are foreign persons that have a substantial connection to one or more of the excepted foreign states (such as, among other requirements, being incorporated in, and having board members who are nationals of an excepted foreign state) and that have not violated (and whose parents or subsidiaries have not violated) certain US laws, regulations, orders, directives, or licenses and have not violated any duties in relation to CFIUS. If a foreign person who is an "excepted investor" at the time of a transaction engages in any such violation within three years after the completion of the transaction, CFIUS will have jurisdiction to take action regarding the investment within that three-year period.
Investment Fund Transactions. FIRRMA created certain exceptions from CFIUS's jurisdiction over noncontrolling foreign investments made through investment funds. The final rules maintain those exceptions through provisions similar to the investment fund provisions in the Pilot Program rules (for funds managed by a US person general partner. Specifically, under the final rules, an indirect investment by a foreign person in an unaffiliated TID US Business through an investment fund, where that investment affords the foreign person (or a designee of the foreign person) membership as a limited partner or equivalent on an advisory board or committee of the fund, and certain restrictions on the authority of the foreign person exist, a limited partner's membership on the investment fund's advisory board or committee does not in and of itself render the foreign person's indirect investment in an unaffiliated TID US Business a covered investment.
In accordance with FIRRMA, the final rules establish three different forms of nongovernmental triggers for CFIUS's review of a proposed foreign investment: (1) mandatory declarations, (2) voluntary declarations and (3) voluntary notices.
Mandatory Declarations. The rules make permanent the mandate that existed under the Pilot Program to file a declaration with CFIUS regarding noncontrolling, but not completely passive, equity foreign investments in a TID US Business that produces, designs, tests, manufactures, fabricates, or develops one or more "critical technologies" for use in certain industries. As stated in the final rules' preamble, CFIUS intends to shift the criteria for mandatory declarations from North American Industry Classification System (NAICS) codes to one based on US export controls.
As to other types of investments, the rules implement FIRRMA in mandating that a filing be made with CFIUS with respect to investments (whether controlling or not) that result in the acquisition of a "substantial interest" in a TID US Business by a foreign person in which a foreign government has a "substantial interest." A "substantial interest" in a US business means a voting interest of at least 25 percent. A "substantial interest" of a foreign government in a foreign person (the investor) means a voting interest of 49 percent or more.
The final rules, in response to comments submitted on the proposed rules, introduce several exceptions to the mandate to file a declaration as described above, including (among others) exceptions where: (i) the investor is an "excepted investor," (ii) the investment is made solely and directly through an entity that, as of the closing date, has a valid facility security clearance and is subject to an agreement to mitigate foreign ownership, control or influence (FOCI) pursuant to the National Industrial Security Program Manual (NISPOM), and (iii) the investor is an investment fund managed and controlled exclusively by US nationals or has specific limitations on the influence of any foreign person over decisions made by the fund.
Voluntary Declarations. For investments where no filing is mandatory, voluntary declarations will now be an option, and may be a helpful alternative to filing a voluntary notice in many cases. While preparing a full notice can be a fairly time-consuming and burdensome process, preparing a declaration is relatively simple. The declaration form is posted online as a fillable PDF document that is easy to navigate and requires minimal prose. Further, CFIUS is required to review declarations within 30 days (compared to the 45-day review now applicable for notices). Thus, where a transaction is fairly straightforward and does not seem to present a serious national security risk, filing a declaration may be an attractive option. The risk is that if CFIUS determines it cannot conclude its review during the 30-day declaration review period, it can choose, among other options, to request the parties to file a notice, which will mean 30 days will have been added to what might have been the review period for a notice in the first place, or not reach any conclusion by the end of its 30-day review, giving the parties no conclusive answer as to whether the president might exercise his authority under Section 721 to interfere with the transaction.
Voluntary Notices. Voluntary notices continue to be an option for the parties to all covered transactions (whether those resulting in foreign control or noncontrolling covered investments). As noted above, in some cases where filing at least a declaration is mandatory, it may make sense to file a full notice instead (which satisfies the filing mandate), in anticipation that CFIUS, after reviewing a declaration, may request a full notice or provide no conclusive response regarding the transaction. Thus, decisions regarding when and what to file with CFIUS remain complex.
Although Treasury is postponing imposing filing fees as authorized by FIRRMA, the final rules do implement the onerous penalty regime prescribed by FIRRMA. Under the rules, parties may be penalized for any material misstatement or omission from a CFIUS filing—regardless of intent or gross negligence. Such penalties are capped at $250,000 per violation, but other penalties for noncompliance with CFIUS rules can be as high as twice the value of the transaction at issue.
The final FIRRMA rules are largely consistent with what Treasury proposed in September 2019 and will result in CFIUS jurisdiction to review many more foreign investment transactions than under the pre-FIRRMA regime. However, the rules are in many places calibrated more narrowly than may have been expected, given FIRRMA's broad mandate, indicating that CFIUS is trying to focus its reviews of noncontrol investments only on those businesses that it reasonably believes demonstrate a potential national security issue. Nevertheless, given the broad scope and risk of having a transaction reviewed and impacted after closing, we anticipate a significant uptick in the number of filings investors will make prophylactically, at least in the midterm, to ensure that transactions are cleared with no issues from CFIUS.
© Arnold & Porter Kaye Scholer LLP 2020 All Rights Reserved. This Advisory is intended to be a general summary of the law and does not constitute legal advice. You should consult with counsel to determine applicable legal requirements in a specific fact situation.
See CFIUS Finalizes FIRRMA Real Estate Transaction Rules, Arnold & Porter (Jan. 17, 2020). Those real estate-related rules, while not applicable to transactions resulting in control by a foreign person over a US business, provide insight into concerns that CFIUS may have with respect to such control transactions where part of the US assets being acquired is real estate.
See New Law Expands and Reforms CFIUS Jurisdiction and US Export Controls, Arnold & Porter (Aug. 13, 2018)
See New Mandatory Submissions to CFIUS: Interim Regulations Under FIRRMA Take Effect November 10, 2018, Arnold & Porter (Oct. 16, 2018)
See CFIUS Finalizes FIRRMA Real Estate Transaction Rules, Arnold & Porter (Jan. 17, 2020).
Excepted from the definition of "sensitive personal information" is data maintained by a US business on its own employees (unless the data pertains to employees of US government contractors who hold personnel security clearances) and data that is a matter of public record.