On 17 September 2019 the Treasury Department, on behalf of the full Committee on Foreign Investment in the United States (CFIUS), released the long-awaited comprehensive draft regulations to implement the Foreign Investment Risk Review Modernisation Act (FIRRMA). The regulations will significantly expand CFIUS's jurisdiction to cover a wider range of transactions, likely resulting in a dramatic spike in CFIUS reviews in 2020 and beyond.
Enacted in August 2018, the FIRRMA represented the most sweeping overhaul of CFIUS's operations and jurisdiction in its 44-year history. The draft regulations are divided into two parts:
Public comments can be submitted until 19 October 2019. The regulations will take effect before 13 February 2020, after all timely comments have been considered and CFIUS officials have made revisions to the draft rules, as appropriate.
The 319 pages of proposed CFIUS regulations will introduce substantial new levels of complexity and nuance, with definitions that contain many moving parts. Figuring out whether a given transaction might fall within the scope of CFIUS's new jurisdiction will, in most cases, require more extensive regulatory analysis for foreign investors and US target companies. However, smooth navigation of the CFIUS process will also require counsel who have more than just familiarity with the new rules. The opaque CFIUS process is often called a 'black box', and a deep understanding of its member agencies' national security sensitivities will be needed to anticipate their potential concerns pertaining to technology, infrastructure, data, real estate and other areas. Effective counsel must have a solid grasp of CFIUS's typical thought processes and risk analysis.
At the same time, the draft rules are not as aggressive in expanding CFIUS's jurisdiction as some had expected, and they faithfully adhere to the FIRRMA's legislative contours. To the relief of many stakeholders, CFIUS elected not to make major substantive changes to core definitions such as 'foreign person', 'foreign entity', 'control' and 'US business', which have been bedrock concepts of CFIUS for many years. This will preserve some consistency and stability in the process, especially with regard to CFIUS's legacy jurisdiction over control transactions (eg, M&A), which will remain intact under the new rules.
New transaction types to be covered by CFIUS
The proposed regulations will expand CFIUS's jurisdiction to cover the following types of transaction:
- non-passive minority-position investments involving critical technologies;
- non-passive minority-position investments involving critical infrastructure;
- non-passive minority-position investments involving the sensitive personal data of US citizens; and
- purchases or leases of US real estate near sensitive facilities.
The FIRRMA grouped the first three types together, so CFIUS created the concept of US companies that are involved with critical technologies, critical infrastructure or the sensitive personal data of US citizens (TID US businesses). These transactions will typically be venture capital and other private equity investments through which a foreign person could obtain certain types of governance or information rights with the TID US business, including:
- board membership or observer status (or the right to nominate someone to the board);
- access to the company's material non-public technical information; or
- involvement in the company's substantive decision making pertaining to critical technology, critical infrastructure or sensitive personal data (other than through shareholder voting).
Investments in US companies with critical technologies
Under the draft regulations, CFIUS will have jurisdiction over these minority-position investments in US companies that design, test, manufacture, fabricate or develop critical technologies. The scope of this new jurisdiction will depend on whether (and to what extent) the Commerce Department imposes export controls on any emerging or foundational technologies that are essential to US national security under the Export Control Reform Act, which was enacted in 2018 alongside the FIRRMA. If the department does, these technologies will automatically meet the definition of 'critical technologies', and that would subject certain investments involving them to CFIUS's jurisdiction. Until then, the scope of critical technologies that may trigger CFIUS's jurisdiction will be limited to those technologies that are regulated under legacy dual-use export controls and other existing regulatory schemes (eg, the International Traffic in Arms Regulations).
CFIUS's new, permanent jurisdiction over critical technology transactions under the draft regulations will likely supplant the CFIUS critical technologies pilot programme, which launched in November 2018 and remains in effect for the time being. The scope of the new permanent jurisdiction will be broader than CFIUS's temporary jurisdiction under the pilot programme – the pilot programme applied only to 27 specific industries, whereas the permanent jurisdiction will not be limited by industry.
Investments in US companies with critical infrastructure
Under the draft regulations, CFIUS's newfound jurisdiction over deals involving critical infrastructure will focus on 28 specific types of system and asset within various infrastructure subsectors, such as telecoms, utilities, energy, transport and manufacturing. Certain investments in US companies that own, operate, manufacture, supply or service one of those enumerated systems or assets will be subject to this expanded jurisdiction. However, the scope of this new jurisdiction over critical infrastructure is narrower than it could have been because it reflects only a subset of the 16 infrastructure sectors that the Department of Homeland Security considers critical.
Investments in US companies with sensitive personal data
The expansion of CFIUS's jurisdiction to cover deals involving the sensitive personal data of US citizens was one of the most novel parts of the FIRRMA and is arguably the most significant aspect of CFIUS's newfound purview. Under the draft regulations, this new jurisdiction focuses on 11 specific categories of personal data, including:
- financial;
- geolocation;
- health;
- biometric;
- security clearance data; and
- electronic communications such as emails, text messages and chatting.
Certain investments in US companies that maintain or collect these types of personal data will be subject to CFIUS review if the company:
- targets or tailors its products or services to specific groups of US citizens with national security sensitivity; or
- collects or maintains this data on 1 million or more people (or has a business objective to do so).
Separately, the collection of any genetic information will also put US companies within the scope of CFIUS's jurisdiction, even if they do not target or tailor or collect data on 1 million people.
The draft regulations cast a fairly wide net in scoping CFIUS's newfound jurisdiction over certain real estate transactions (for more details please see "CFIUS 2.0: real estate as a platform for foreign espionage against the government?"). CFIUS will have jurisdiction over the purchase or lease by a foreign person (or concession to a foreign person) of certain US real estate that provides that person at least three of the following property rights:
- physical access to the real estate;
- the exclusion of others from physically accessing the real estate;
- the improvement or development of the real estate; and
- the affixing of structures or objects to the real estate.
For now, this new area of CFIUS jurisdiction will focus on specific US military installations, airports and seaports.
To help investors and other members of the public to identify which sites will be covered, the draft rules enumerate nearly 200 military installations and other sensitive national security facilities, including certain missile fields and offshore military training and testing ranges. The rules would also apply to all major airports (ie, passenger, cargo and joint military-civilian use) and certain maritime ports, including the top 25 tonnage, container and dry bulk ports, as well as seaports designated as strategic. The draft rules exempt single housing units and some commercial office space in multi-unit commercial office buildings, as well as most real estate in urbanised areas or urban clusters.
Aspects of FIRRMA implementation still pending
The draft regulations are silent on whether CFIUS will continue to mandate the filing of short-form declarations for critical technology investments. This was a major aspect of the critical technologies pilot programme, but CFIUS is apparently still considering to what extent this is necessary and appropriate. CFIUS also has yet to decide how to utilise the authority it was granted in the FIRRMA to impose filing fees for CFIUS reviews. Both issues are expected to be decided prior to the draft regulations being finalised ahead of the 13 February 2020 deadline.
As many stakeholders had hoped, CFIUS exercised the FIRRMA's country specification authority in the draft regulations, creating a type of safe list of low-risk foreign investors which will be exempt from CFIUS reviews for minority-position investments and real estate transactions. This concept of excepted investors will be based on the foreign person's connections to a country that meets the criteria to be an excepted foreign state, as well as the foreign person's compliance with certain US laws, regulations and other rules. In turn, the concept of excepted foreign state will be based on CFIUS's determination that the foreign state has in place an effective, robust process for screening foreign investments for national security risks and coordinating with the United States on related matters. The use of the safe list, for CFIUS purposes, will create two de facto tiers of foreign investors: those who are seen as inherently low-risk and everyone else. However, the definition of 'excepted investor' is narrow, reflecting CFIUS's concern over the growing complexity of ownership structures and its desire to prevent the circumvention of its jurisdiction (which was also a primary motivation of the FIRRMA's authors). Thus, it is unclear whether many foreign states will qualify for excepted status, at least initially.
Number of annual CFIUS reviews projected to more than quadruple
CFIUS has shared its estimate regarding how many filings these draft regulations will yield. For context, the most recent statistics on the total number of annual reviews date back to 2017, when CFIUS processed 240 full-length filings (notices). The draft regulations will arguably open the proverbial floodgates, with CFIUS projecting 1,100 filings annually. Specifically, CFIUS estimates that the regulations will result in 350 filings per year (150 notices and 200 declarations) for real estate deals and 750 filings per year (200 notices and 550 declarations) for other investments, which include minority-position investments in critical technology, critical infrastructure and sensitive personal data. If those projections prove to be correct, the new regulations will more than quadruple the number of filings that CFIUS evaluates each year.
Further, the FIRRMA both preserved CFIUS's ability to unilaterally initiate reviews and required it to establish a process to identify so-called 'non-notified' and 'non-declared' transactions, where information is reasonably available. It is unclear whether these unilateral reviews are incorporated into the 1,110-filing estimate, but CFIUS has taken this mandate seriously. It apparently intends to use resources such as Pitchbook to scour available transaction data and identify those non-notified and non-declared transactions that may warrant CFIUS review.
More regular updates to CFIUS regulations?
The last time CFIUS implemented comprehensive regulations was in November 2008. Prior to the enactment of the FIRRMA, those regulations had not been updated in more than a decade. The background section of the new regulations explains that, once these regulations are finalised and put in place, more regular updates may become the norm:
Given the level of specificity provided in certain provisions of the proposed rule, the pace of technological development, the evolving use of data, and the evolving national security landscape more generally, the Department of the Treasury anticipates that it will periodically review, and as necessary, make changes to the regulations, consistent with applicable law.
Foreign investors and US companies which expect to undergo CFIUS review in the future may wish to consider filing comments on the proposed regulations during the 30-day window. Once the new regulations take effect, foreign investors and US target companies should ensure that they understand how the new rules apply to them, conduct advance planning or draft filings and navigate the opaque CFIUS process. Consulting knowledgeable, experienced CFIUS counsel early on will be more important than ever under the new rules.
This article was first published by the International Law Office, a premium online legal update service for major companies and law firms worldwide. Register for a free subscription.
