October 28, 2019

How the Latest CFIUS Regulations Will Impact U.S. and Non-U.S. Companies and Investors

I. Overview

The U.S. Treasury Department recently signaled that it is close to finalizing new regulations that will apply to investments by non-U.S. investors in U.S. companies, assets, and real estate subject to review under the Committee on Foreign Investment in the United States (CFIUS) process. The new regulations—which will become final by February 13, 2020—address most of the remaining steps needed to implement the Foreign Investment Risk Review Modernization Act of 2018 (FIRRMA) amendments to existing CFIUS laws and regulations.

Once final, the regulations will potentially apply to virtually any investment (even minority investments) by a non-U.S. person in any entity that is engaged in interstate commerce in the United States. Where such investments raise national security concerns, CFIUS will not only be able to exercise its current authority to block or unwind them but will also be authorized to impose substantial civil penalties of up to the total value of the investment on both the foreign investor and the target of the transaction when mandatory notices are not timely filed.

Given the breadth of the FIRRMA amendments and the potential penalties involved, companies doing business in the United States and potential investors should carefully examine planned sales, funding rounds, IPOs, and other investment transactions to identify and appropriately mitigate any potential CFIUS risks. While such risks are particularly great for transactions involving foreign government–owned or controlled investors, the scope of the FIRRMA regulations will also impact many purely private cross-border transactions. Waiting to address these issues until an agreement is signed or a closing is imminent could spell disaster.

II. Key Features of the Latest Regulations

The latest proposed regulations implement portions of the FIRRMA statute that was signed into law on August 13, 2018, as part of the John S. McCain National Defense Authorization Act for Fiscal Year 2019. As discussed previously, FIRRMA is a response to growing concerns over the trade and industrial policies of certain foreign countries (especially China) and is aimed at increasing CFIUS’s existing authority to review and potentially block or unwind investments in U.S. businesses and critical U.S. technology, infrastructure, personal data, and real estate that may implicate U.S. national security concerns. Among the key features of the latest regulations are the following:

A. Potentially Expanded Jurisdiction over Foreign Investments in Non-U.S. Companies that Do Business in the United States

As noted above, the latest regulations would grant CFIUS authority to review not only foreign investments in U.S. companies but also any other non-U.S. company that is engaged in interstate commerce in the United States. This provision, if implemented as currently drafted, would significantly expand the jurisdiction of CFIUS to review transactions—such as mergers between companies outside the United States—where one of the parties merely made sales to or did other business in the United States. Not surprisingly therefore, the wording of this provision is perhaps the single most controversial aspect of the latest proposed rules, with many commenters raising objections or seeking clarification from the CFIUS committee. Companies and investors should carefully monitor this issue as the February 13, 2020 deadline for implementation of the rules draws closer.

B. Greater Clarity on When CFIUS Can Review Foreign Investment in Certain Technology, Infrastructure, and Data-related Industries.

The latest regulations define certain business activities in the United States that will be subject to CFIUS jurisdiction when a foreign investor would gain the ability to access material nonpublic technical information at the target U.S. business, would gain membership or observer rights on the target’s board, or would have involvement in the substantive decision making of the target business. These covered business activities include activities related to “critical technology,” “critical infrastructure,” and “sensitive personal data.”

  • Critical Technology includes:
    • Defense articles or defense services listed on the U.S. Munitions List (regulated by the International Traffic in Arms Regulations (ITAR));
    • Certain controlled items listed on the Commerce Control List (regulated by the Export Administration Regulations (EAR)), including categories of goods, software, and technology controlled for reasons related to national security, chemical and biological weapons proliferation, nuclear proliferation, missile technology, regional stability, or surreptitious listening;
    • Certain nuclear equipment, parts, components, materials, software, technology, facilities regulated by EAR or other U.S. export control laws; and
    • “Emerging and foundational technologies” regulated by the Export Control Reform Act of 2018 (a category that has yet to be defined).
  • Critical Infrastructure includes 28 specific types of infrastructure, ranging from traditional types of infrastructure such as defense-related facilities, utilities, energy infrastructure like pipelines, and power generation facilities to “financial” infrastructure such as securities exchanges and financial service providers.
  • Sensitive Personal Data includes:
    • “Genetic information” as defined by Department of Health and Human Services Regulations at 45 C.F.R. § 160.103 (including information from genetic tests or about the manifestation of disease or disorders, and requests for genetic services); and
    • “Identifiable data” held by a U.S. business that (i) targets or tailors products or services to U.S. executive branch agencies or military departments with national security, military, or intelligence responsibilities; (ii) had “identifiable data” on greater than 1 million individuals during a 12-month period; or (iii) had a demonstrated business objective to maintain or collect such “identifiable data” on more than 1 million individuals and such data are an integral part of the business’s products or services. Categories of covered “identifiable data” include financial, health, insurance, personal communications, geolocation, biometric, and various government security– or government ID–related data.

Any U.S. business that is engaged in any of the above activities is referred to as a “TID U.S. business.” Such TID U.S. businesses and any potential foreign investors in them should carefully consider whether filings with CFIUS are warranted or mandatory as result of the new regulations.

C. Mandatory Declarations for Direct and Indirect Investments by Foreign Governments and State-Owned Entities

In accordance with the aims of the FIRRMA statute to more closely police foreign government–directed investments in strategic U.S. industries, the latest regulations establish a mechanism for mandatory preclosing notifications to CFIUS of any investments whereby a non-U.S. government would gain a 25% or more voting interest in a “TID U.S. business”—either directly or through an investment vehicle or enterprise in which the foreign government holds at least a 50% voting interest. Notifications must be submitted at least 30 days prior to closing of such transactions. Failure to timely notify such covered transactions to CFIUS can result in civil penalties of the greater of $250,000 or the total value of the transaction.

D. Exceptions from Filing Requirements for “Excepted Foreign States” and Certain of Their Investors

The latest rules provide that CFIUS will release a list of certain countries closely allied to the United States whose investors may be exempt from CFIUS filing requirements in certain circumstances. This provision anticipates the creation of a so-called “white list” that will feature countries that have foreign policy and national security interests aligned with those of the United States and that have implemented their own foreign investment review policies that mirror and coordinate with the U.S. CFIUS process.

E. Retention of Mandatory Filing Requirements under the FIRRMA Pilot Program for Companies and Foreign Investors in 27 Industries

The latest regulations propose no changes to the on-going FIRRMA pilot program. That program, which began in October 2018, requires mandatory filings with CFIUS when a foreign investment would give the foreign investor rights over access, control or substantive decision making at a U.S. business with “critical technology” related to one or more of 27 industries. The current pilot program is expected to continue through March 5, 2020 and may be made permanent later next year. As with the other mandatory filing requirements discussed above, CFIUS retains the authority to impose civil penalties for failures to notify transactions subject to the pilot program.

F. Detailed Guidance on Real Estate Transactions Subject to CFIUS Review

While CFIUS has long had authority to review real estate transactions involving foreign investors, the FIRRMA statute and latest regulations more clearly define the scope of this authority and set forth in detail the specific geographic locations and types of real estate investments that are covered by CFIUS jurisdiction.

Covered real estate transactions include any transaction that gives a foreign investor the right (directly or indirectly) to do any three of the following four activities: (i) physically access , (ii) exclude others from, (iii) improve or develop, or (iv) attach fixed structures to covered real estate. In turn, covered real estate includes land and/or buildings that are (i) within or will function as part of a maritime port or airport (as defined by referenced U.S. Department of Transportation regulations); (ii) within any of 57 specific counties, geographic areas, or offshore military operating areas; (iii) within a mile of the boundary of 164 specific military installations; or (iv) within 100 miles of 32 specific military facilities. Exemptions are available for certain residential properties, certain types of office space, and some real estate in urbanized areas.

While this level of detail may provide potential investors with greater certainty as to what real estate investments may be covered, it also will require careful review of all properties involved in a potential investment by a non-U.S. investor. Where such properties are identified, the decision to file with CFIUS will remain voluntary based on the potential national security risks and risk appetite of the parties to the transaction. However, investors in U.S real estate should view the latest detailed guidance as a signal that CFIUS and its member agencies will be increasingly scrutinizing in-bound real estate transactions for national security risks.

G. Increased Enforcement Powers

The latest regulations expand CFIUS’s existing enforcement powers and give the committee the power to subpoena information concerning notified and unnotified transactions in any of the categories discussed above at any stage of a transaction. This step, coupled with increased staffing and resources at the CFIUS committee and its member agencies, signals that in-bound investments in U.S. businesses will be subject to heightened scrutiny and enforcement. In short, the latest regulations continue to raise the stakes for all parties to transactions that are subject to CFIUS jurisdiction.

III. Conclusion

As the above discussion suggests, advance planning is vital to successfully navigating the CFIUS process and complying with the latest FIRRMA regulations. For more information on these topics, please contact your usual Drinker Biddle contact.