Introduction

The Committee on Foreign Investment in the United States (CFIUS) is now following new rules on mandatory filings for certain foreign investments in critical technology companies.

As a refresher, CFIUS is the US government's interagency mechanism for screening foreign investments into the United States for national security risks. On behalf of CFIUS, the US Department of the Treasury's Office of Investment Security initially issued proposed regulations on 20 May 2020. After considering public comments, the treasury made minor revisions to the proposed regulations and published a final rule on 15 September 2020, which took effect on 15 October 2020.

The final rule abandons the US Census Bureau's system of North American Industry Classification System (NAICS) codes, which CFIUS previously used to determine whether a CFIUS declaration (ie, short-form filing) was required for certain transactions that fell within CFIUS's jurisdiction. Transaction parties found the NAICS-based rule to be difficult to use in ascertaining whether a CFIUS filing was required. Instead, in delineating which transactions require the filing of a declaration, the final rule zeroes in on whether an export authorisation would be required to transfer the US business's critical technology to either the relevant foreign investor or parties holding significant interests in the foreign investor.

In updating its mandatory filing rules in this way, CFIUS has further aligned them with longstanding US export control regimes and requirements. This final rule requires US companies that are being acquired by a foreign person or receiving investment from one to consider the intricacies of US export control regulations, including knowing the export jurisdiction and classification of its technology, in order to determine whether a CFIUS declaration is mandatory.

Background and origins of mandatory filing

This final rule completes the implementation of a key provision of the Foreign Investment Risk Review Modernisation Act (FIRRMA), a 2018 law passed as part of the John S McCain National Defence Authorisation Act for Fiscal Year 2019, which represented a sweeping overhaul of the jurisdiction and processes of CFIUS. In FIRRMA, Congress directed CFIUS to issue regulations specifying the types of transaction for which a declaration is mandatory. However, FIRRMA limited the scope of the transactions to those involving either investment by a foreign government or investment in US critical technology companies. On 10 November 2018 CFIUS launched an interim effort called the 'Critical Technology Pilot Programme', in which it first exercised this authority to mandate filings in certain types of technology deal. In the pilot programme, CFIUS utilised the NAICS code-based approach, exercising its newly expanded jurisdiction under FIRRMA to cover both control transactions and non-controlling investments involving US businesses that produce, design, test, manufacture, fabricate or develop critical technologies in connection with any of the 27 specified industries (identified by NAICS codes). Then, on 13 February 2020, CFIUS temporarily carried forward that NAICS-based approach as part of a long-awaited final rule that essentially rewrote the primary CFIUS regulation and implemented the bulk of FIRRMA's other provisions.

Effective date of final rule

The previous provision governing critical technology mandatory declarations, based on NAICS codes, will continue to apply to transactions for which specified actions occurred between 13 February 2020 and 15 October 2020. The modifications to the provision, per the final rule, apply from 15 October 2020.

Regulatory authorisations test for mandatory filings

The final rule replaces the NAICS code-based filing requirement with a requirement that a declaration be filed if US regulatory authorisation would be required for the export, re-export, in-country transfer or retransfer of the critical technology (produced, designed, tested, manufactured, fabricated or developed by the US business) to either the foreign investor or a foreign person holding a significant ownership or control stake in a foreign investor. More specifically, if the US business involved in the transaction would require US regulatory authorisation to re-export, transfer (in-country) or retransfer its critical technologies to the following persons, a mandatory filing must be submitted to CFIUS:

  • a person which could directly control a US business involved with critical technologies, critical infrastructure or sensitive personal data (a so-called 'TID US business') as a result of the covered transaction;
  • a person which is directly acquiring an interest that is a 'covered investment' (ie, a non-controlling, non-passive investment) in a TID US business;
  • a person which has a direct investment in a TID US business, where the rights of such person with respect to the TID US business are changing and that change could result in a covered control transaction or a covered investment;
  • a person which is a party to any transaction, transfer, agreement or arrangement, the structure of which is designed or intended to evade or circumvent CFIUS review with respect to the TID US business; or
  • a person which individually holds (or is part of a group of foreign persons that, in the aggregate, hold) a qualifying voting interest in a person described in the previous four bullets.

Under the final rule, the term 'US regulatory authorisation' includes the following:

  • a licence or other approval issued by the Department of State's Directorate of Defence Trade Controls under the International Traffic in Arms Regulations (ITAR);
  • a licence from the Department of Commerce's Bureau of Industry and Security (BIS) under the Export Administration Regulations (EARs);
  • a specific or general authorisation from the Department of Energy under the regulations governing assistance to foreign atomic energy activities at 10 Code of Federal Regulations (CFR) Part 810, other than the general authorisation described in 10 CFR Part 810.6(a); or
  • a specific licence from the Nuclear Regulatory Commission under the regulations governing the export or import of nuclear equipment and material at 10 CFR Part 110.

If any of these are applicable to a given transaction described under the rule, a mandatory declaration must be filed, unless one of the licence exceptions described below is available.

Eligibility for licence exceptions

The US regulatory authorisation test will apply without regard to any ITAR licence exemption or EAR licence exception, except where an item is eligible for EAR licence exceptions:

  • technology and software-unrestricted (TSU);
  • encryption commodities, software and technology (ENC); and
  • strategic trade authorisation (STA).

In its summary of the final rule, the US Department of the Treasury's Office clarifies that 'eligibility' for an EAR licence exception refers to having satisfied all requirements imposed by the EARs prior to the release of export-controlled technology (even if no export is to occur). This includes the limitations on all licence exceptions at EAR Section 740.2 and filing a classification request under 15 CFR Parts 740.17(b)(2) and (b)(3) to BIS, including, as applicable, waiting for 30 days to elapse since submission of the classification request to BIS for licence exception ENC. On the other hand, filing semi-annual reports as required by ENC is not required for parties to avail themselves of the exception to the mandatory declaration unless there is a qualifying export under the EARs. Similarly, the record-keeping requirement under licence exception TSU and the requirement to furnish certain commodity classifications to third parties under licence exception STA are not conditions of eligibility for purposes of the CFIUS regulations.

The US Department of the Treasury's Office also notes that "certain end users, such as entities listed in EAR, Part 744, Supplement No. 4 (the Entity List) are subject to license requirements, limitations on availability of license exceptions, and license application review policies that are in addition to those set forth elsewhere in the EAR".

Voting interest for purposes of critical technology mandatory declarations

The final rule makes use of a new term – "voting interest for purposes of critical technology mandatory declarations" – which enumerates those persons in the ownership chain whose activities should be analysed in the context of needing US regulatory authorisation. For entities with activities that "are primarily directed, controlled, or coordinated by or on behalf of a general partner, managing member, or equivalent", a mandatory declaration will be required where a person "holds 25 percent or more of the interest in the general partner, managing member, or equivalent of the entity" (31 CFR Part 800.256(b)). In addition, for indirectly held voting interests, "any interest of a parent will be deemed to be a 100 percent interest in any entity of which it is a parent" (Id at (c)).

The final rule aggregates the individual holdings of foreign persons that are "related, have formal or informal arrangements to act in concert, or are agencies or instrumentalities of, or controlled by, the national or subnational governments of a single foreign state" (Id at (d)).

Investments by foreign governments

The other area of mandatory CFIUS filings, as mentioned, is where a foreign government has a substantial interest in a foreign person that acquires a substantial interest in a TID US business. The final rule tweaks several of the relevant parameters that CFIUS initially set out in its 13 February 2020 comprehensive final rule. For example, it redefines 'substantial interest' where the activities of an entity are primarily directed, controlled or coordinated by or on behalf of a general partner, managing member or equivalent.

What does this final rule mean for US businesses?

Stakeholders involved in covered transactions with TID US businesses and foreign persons will need to determine their product's export control status – as well as whether licence exceptions ENC, STA or TSU apply – in order to assess whether a mandatory CFIUS declaration must be filed. Due to the many nuances of this final rule, TID US businesses and foreign persons which are potentially covered by it should consult experienced CFIUS and export control counsel to determine whether they have such a requirement to file with CFIUS.