News & Insights

Client Alert

February 14, 2020

CFIUS Finalizes Rules Reforming Foreign Investment Reviews


Focus on Technology, Infrastructure, Data and Real Estate

On February 13, 2020, two Final Rules issued by the Committee on Foreign Investment in the United States’ (“CFIUS”) implementing most of the Foreign Investment Risk Review Modernization Act of 2018 (“FIRRMA”) became effective. CFIUS, an interagency committee, reviews foreign investments in U.S. businesses and real estate and determines whether transactions should be unwound, blocked, or restricted due to national security concerns. FIRRMA is the first major expansion to CFIUS’ powers in a decade.

One Rule expands CFIUS’ jurisdiction to review certain non-controlling foreign investments in U.S. businesses involving critical technology, critical infrastructure, and sensitive personal data (“TID businesses”) (“U.S. Business Rule”). The other Rule expands CFIUS’ jurisdiction to review certain foreign investments in U.S. real estate (“Real Estate Rule”).

The Rules create narrow exceptions for certain Australian, Canadian, and UK investors. They indicate that CFIUS anticipates future rulemakings to create CFIUS filing fees and to increase CFIUS enforcement.

Treasury Secretary Steven Mnuchin said, “These regulations strengthen our national security and modernize the investment review process [by] providing clarity and certainty regarding the types of transactions that are covered.”

These Rules could impact foreign investment – including indirectly via U.S. investors – in the U.S. energy, infrastructure, telecom/IT, financial services, technology, healthcare and pharmaceuticals, and real estate sectors. They apply to M&A, private equity and venture capital, and minority investments, and also could implicate joint ventures and joint development agreements.

Parties should consider the Rules when identifying deal partners, structuring transactions, raising capital and forming funds, and determining whether CFIUS filings are required or advisable.

Foreign Investment in U.S. Critical Technology, Critical Infrastructure, Sensitive Personal Data

CFIUS Voluntary Filing Jurisdiction

Before FIRRMA, CFIUS only had jurisdiction over investments that confer control over a U.S. business to a foreign person. The U.S. Business Rule expands the definition of “covered transactions” to include “covered investments,” which are non-controlling foreign investments in U.S. businesses involved in critical technology, critical infrastructure, or sensitive personal data (“SPD”) if the transaction affords the foreign investor one or more of the following rights: access to certain material non-public technical information; membership, observer, or nomination rights on the TID business’ board or similar governing body; or involvement in substantive decision-making related to the critical technology, critical infrastructure, or SPD, beyond voting shares.

TID Businesses – Critical Technology

Under the U.S. Business Rule, non-controlling foreign investment in U.S. businesses that produce, design, test, manufacture, fabricate, or develop critical technology will be subject to CFIUS voluntary filing jurisdiction if a foreign person also acquires information access, board nomination, or decision-making rights as a result of the investment. Importantly, the U.S. business does not need to undertake this activity in or primarily for use in one of the 27 key industries that triggers a mandatory filing under the critical technology pilot program (the “Pilot Program,” which has been in effect since November 2018).[1]

The U.S. Business Rule updates CFIUS’ definition of “critical technologies” to conform to FIRRMA and the Pilot Program. In particular, the definition now includes “emerging and foundational technologies,” which the Commerce Department is responsible for defining. In November 2018, it published an Advanced Notice of Proposed Rulemaking identifying broad proposed categories of emerging technologies (e.g., biotechnology, data analytics, artificial intelligence, additive manufacturing, microprocessors, semiconductors), but the full list of technology to be controlled for export and foreign investment purposes remains forthcoming.

TID Businesses – Critical Infrastructure

The U.S. Business Rule authorizes CFIUS to review covered investments in U.S. businesses involved in a sensitive subset of critical infrastructure, defined as “covered investment critical infrastructure.” In particular, a covered investment will be subject to CFIUS voluntary filing jurisdiction if the investment is in a U.S. business that owns, operates, manufactures, supplies, or services (each a critical infrastructure “function”) specific types of critical infrastructure within the following categories, which are listed in greater detail at U.S. Business Rule Appendix A:

  • Telecom and information services, fiber optic cable that directly serves a military installation, IP networks with access to other IP networks via settlement-free peering, or internet exchange points supporting public peering;
  • Certain submarine cables and co-located data centers or facilities;
  • Satellites or satellite systems providing services directly to DOD or a component thereof;
  • Certain defense industrial base industrial resources that are not commercial-off-the-shelf;
  • S. facilities manufacturing certain “specialty metal,” “covered material,” or carbon, alloy, and armor steel plate;
  • Certain electric energy systems, or facilities providing electric power to or located near military installations;
  • Petroleum and crude facilities above certain barrel-per-day (“bpd”) capacities, certain LNG terminals or storage facilities, or interstate petroleum and LNG pipelines above certain bpd capacities; and
  • Systemically-important financial market utilities, securities exchanges, or certain technology service providers;
  • DOD Strategic Rail Corridor Network rail lines; certain air and maritime ports and related marine terminals; and
  • Public water systems serving a certain population size or military installation.

Importantly, U.S. Business Rule Appendix A Column 1 lists the type of critical infrastructure, and Column 2 lists the relevant function that will trigger CFIUS jurisdiction. In other words, only a covered investment in a U.S. business that performs one of the functions in Column 2 with respect to the corresponding type of critical infrastructure listed in Column 1 will trigger the expanded CFIUS jurisdiction. In the Appendix A example below, a covered investment in a U.S. business that owns or operates a 24-inch interstate natural gas pipeline will be subject to CFIUS jurisdiction, whereas a covered investment in a U.S. business that manufactures or services the industrial control system related to that pipeline will be subject to CFIUS jurisdiction.

Column 1: Covered investment critical infrastructure

Column 2: Functions related to covered investment critical infrastructure

(xxiii) Any interstate natural gas pipeline with an outside diameter of 20 or more inches

(xxiii) Own or operate any interstate natural gas pipeline with an outside diameter of 20 or more inches

(xxiv) Any industrial control system utilized by any interstate natural gas pipeline with an outside diameter of 20 or more inches

(xxiv) Manufacture or service any industrial control system utilized by any interstate natural gas pipeline with an outside diameter of 20 or more inches

 

TID Businesses – Sensitive Personal Data

The U.S. Business Rule authorizes CFIUS to review certain covered investments in U.S. businesses that maintain or collect identifiable SPD of U.S. citizens that may be exploited in a manner that threatens national security. To determine whether a U.S. business maintains or collects SPD, CFIUS will consider whether the U.S. business: (1) “targets or tailors” products or services to sensitive populations (e.g., military or U.S. government national security personnel); (2) collects or maintains SPD on at least 1 million individuals; or (3) has a demonstrated business objective to maintain or collect SPD on greater than 1 million individuals and the SPD is an integrated part of the U.S. business’ primary products or services.

CFIUS is interested in many types of identifiable SPD beyond personal identifier information (“PII”), such as:

  • Financial data of the type collected in a consumer report or used to determine an individual’s financial distress or hardship;
  • Health, long-term care, professional liability, mortgage, or life insurance data;
  • Data relating to an individual’s physical, mental, or psychological health;
  • Certain non-public electronic communications, including email, messaging, and chats;
  • Geolocation data (e.g., mobile apps, vehicle GPS, mapping tools, or wearable electronics);
  • Biometric data (e.g., facial, voice, retina/iris, and palm/fingerprint templates);
  • U.S. government personnel security clearance status or application data; and
  • Genetic testing and genetic sequencing data, except for U.S. government research databases.

For example, CFIUS could have jurisdiction over a covered investment in a financial planning app that collects identifiable personal financial data and is tailored to U.S. military or foreign service personnel.

Notably, a U.S. business that collects identifiable genetic testing and genetic sequencing data still is considered a TID business, even if it does not tailor its products to sensitive populations or collect or aim to collect SPD on greater than 1 million individuals.

CFIUS Mandatory Filing Jurisdiction

Substantial Foreign Government Investments

Mandatory filings will be required for certain investments in TID businesses involving foreign government investors. In particular, CFIUS requires a mandatory filing when a foreign person obtains a “substantial interest” in a U.S. business and a foreign government in turn holds a “substantial interest” in the foreign person. Put more simply, if a foreign person’s investment in a TID business gives that foreign person a 25% or greater direct or indirect voting interest in the TID business, and a foreign government, in turn, holds a 49% direct or indirect interest in the foreign person making the investment, a mandatory declaration is required.

The U.S. Business Rule does not aggregate investments by different foreign states (e.g., one ultimate investor from Country A and one ultimate investor from Country B), although it will aggregate investments from different components of the same foreign state (e.g., Country A’s state-owned enterprise and sovereign wealth fund both are ultimate investors). If the foreign government invests indirectly via a foreign person that has a general partner or equivalent (e.g., a foreign private equity fund), CFIUS only will consider the foreign government’s interest in the general partner, not its limited partner interest.

As transaction structures continue to evolve in complexity, it will be important to determine whether a foreign investment in a TID business triggers this mandatory filing requirement, even if the direct acquisition entity does not immediately appear to have state-owned enterprise, sovereign wealth fund, or other foreign government ownership.

Critical Technology Pilot Program

FIRRMA only authorized the Pilot Program until March 5, 2020. For the time being, CFIUS folded the Pilot Program into the U.S. Business Rule. Until CFIUS modifies or removes the Pilot Program, parties will be required to file controlling investments and covered investments in U.S. businesses that design, develop, test, produce, fabricate, or manufacture critical technology in or specifically for use in one of 27 key industries.

However, the U.S. Business Rule does create a few carve-outs from this requirement. First, a U.S. Business will not fall under the Pilot Program if the only critical technology that it designs, develops, tests, produces, fabricates, or manufactures is eligible for export pursuant to License Exception ENC of the Export Administration Regulations (i.e., certain encryption items). Second, foreign investors already subject to an agreement – other than a board resolution – with the Defense Counterintelligence and Security Agency to mitigate their foreign ownership, control, or influence will not trigger the Pilot Program. Third, investment funds managed exclusively by, and ultimately controlled by, U.S. nationals will not trigger the Pilot Program, even if they manage and deploy foreign capital.

Controlling and Non-Controlling Foreign Investment in U.S. Real Estate

If a foreign investment in U.S. real estate results in foreign control over a U.S. business, such investments remain subject to the traditional CFIUS voluntary filing jurisdiction. FIRRMA also authorized CFIUS to expand its jurisdiction to cover certain purchases or leases by, or concessions to, a foreign person of certain private and public U.S. real estate when the transaction does not result in foreign control over a U.S. business. Pursuant to the Real Estate Rule, a foreign investment is a “covered real estate transaction” subject to voluntary filing jurisdiction if the transaction (e.g., investment, acquisition, bankruptcy, debt default) confers specific rights to a foreign person and involves:

  • “Covered Ports”: Real estate within, or that will function within or as part of, certain airports and maritime ports (i.e., major U.S. passenger and cargo airports by volume, strategic commercial seaports, civil-military joint use airports); or
  • Proximity: Real estate within certain distances of U.S. military installations and other U.S. government property that is sensitive for national security reasons. CFIUS’ jurisdiction to review foreign investments potentially involving such sites will depend on the type of site and the proximity of the real estate involved in the transaction to the site.

CFIUS’ jurisdiction under the Real Estate Rule is broad and could extend to real estate located up to 100 miles away from military installations listed in Real Estate Rule Appendix A Part 2, unless a carve-out applies. For example, CFIUS will not exercise jurisdiction over real estate investments in single housing units or certain office space in a multi-unit commercial office building. In addition, CFIUS will not exercise jurisdiction over real estate investments in U.S. Census-designated “urbanized areas” or “urban clusters,” unless the real estate is located within a covered port or within one mile of any military installation identified in Real Estate Rule Appendix A Part 1.

Unlike the U.S. Business Rule, no covered real estate transactions are subject to a mandatory filing requirement. Moreover, even if a foreign investment in U.S. real estate falls within a covered port or meets one of the jurisdictional proximity tests in Appendix A, it only will be subject to CFIUS voluntary filing jurisdiction if a foreign person acquires at least three of the following four property rights:

  • The right to physically access the real estate;
  • The right to exclude others from physical access to the real estate;
  • The right to improve or develop the real estate; and/or
  • The right to attach fixed or immovable structures or objects to the real estate.

Creation of “Excepted Investor” Status for Certain Investors in “Excepted Foreign States”

Under the “excepted investor” provision, certain individual and entity investors from certain countries are excepted from CFIUS jurisdiction over (1) Pilot Program covered transactions, (2) covered investments in TID businesses, and (3) covered real estate transactions. CFIUS identified the UK, Australia, and Canada as the first three excepted states due to their robust intelligence-sharing and defense industrial base integration mechanisms with the United States. For these countries to remain excepted foreign states, CFIUS must determine by February 13, 2022 that they (1) have improved their national security-based foreign investment review processes, and (2) are cooperating bilaterally with the United States regarding foreign investment reviews. CFIUS may add and remove countries going forward, depending on whether they meet these two criteria.

Notably, the excepted investor carve-out is narrow – it does not apply to all persons and entities in an excepted state. A foreign investor in or from an excepted state only will be considered an excepted investor if it meets the following criteria:

  1. A foreign national of one or more excepted states but not also a national of a non-excepted foreign state;
  2. An excepted state foreign government;
  3. A foreign entity that meets each of the following criteria with respect to itself and each of its parents:
    1. Organized under the laws of the United States or an excepted state;
    2. Has a principal place of business in the United States or an excepted state;
    3. 75% or more of its board directors and observers are U.S. nationals or foreign nationals of one or more excepted states but not also a national of a non-excepted foreign state;
    4. Any foreign person (including related groups of foreign persons in aggregate) that holds 10% or more of the foreign entity’s outstanding voting interest or assets in the event of dissolution, or otherwise could exercise control over the foreign entity, also must meet criteria A-C;
    5. At least 80% of the foreign entity’s ownership is held (individually or in aggregate) by investors that meet criteria 1-2 above, are not foreign persons, or are foreign entities organized under the laws of an excepted foreign state that have their principal places of business in excepted foreign states or the United States.

Moreover, even if a foreign investor in or from an excepted state meets all of the foregoing criteria, it will not be considered an excepted investor if any of the following are true with respect to the investor, any of its parents, or any entities of which it is a parent, within five years prior to the transaction’s completion date:

  1. Received notice that it submitted a material misstatement or omission to CFIUS;
  2. Violated a material provision of a CFIUS mitigation agreement, material condition, or order;
  3. Been subject to a presidential blocking, suspension, prohibition, or divestment order;
  4. Received a finding of violation or a penalty notice or entered into a settlement for violating U.S. sanctions;
  5. Received a notice of debarment from the State Department for violating U.S. export controls;
  6. Been a respondent or party to a final Commerce Department order for violating U.S. export controls;
  7. Received a final civil penalty decision from the Energy Department for violating nuclear export controls;
  8. Convicted of a felony or entered into a deferred or non-prosecution agreement with the Justice Department; or
  9. Listed on the Commerce Department’s Unverified List or the Entity List at the time of executing the transaction.

Finally, if certain of the criteria necessary to qualify for excepted investor status are no longer true within three years following the completion date of a transaction, CFIUS will not consider the foreign person to be an excepted investor with respect to that transaction going forward, including if the same foreign person acquires additional interest in the same U.S. Business that would newly trigger CFIUS jurisdiction without the benefit of the excepted investor carve-out.

In addition to the excepted investor carve-out, under the U.S. Business Rule, transactions involving funds managed exclusively by, and ultimately controlled by, U.S. nationals will not trigger the Pilot Program or be considered a covered investment in a TID business, even if the funds manage and deploy foreign capital, as long as the foreign investors in those funds do not acquire information access, board nomination, or decision-making rights over the U.S. business. The U.S. Business Rule also retains the traditional CFIUS voluntary filing jurisdiction carve-out for passive foreign investment of 10 percent or less voting interest in non-TID businesses.

What’s Next?

The Rules identify the following potential future developments:

  • Filing Fees: FIRRMA authorizes CFIUS to assess filing fees not in excess of the lesser of 1% of the value of the transaction or $300,000 (inflation-adjusted), with any such fee schedule taking into account the value of the transaction, the effect of the fee on small business concerns, CFIUS costs, and the effect of the fee on foreign investment. CFIUS stated in the U.S. Business Rule that it will publish a filing fee proposed rule at a later date.
  • Enforcement: CFIUS already has the authority to impose civil monetary penalties for: (1) material misstatements or omissions in filings; (2) false certifications; and (3) violations of material provisions of CFIUS mitigation agreements, conditions, or orders. In 2018, CFIUS imposed its first known penalty of $1 million for noncompliance with a mitigation agreement, signaling that CFIUS may be more willing to flex its enforcement powers. The U.S. Business Rule states that the Treasury Department is considering making additional information available “to assist the public in understanding the Committee’s enforcement priorities,” so more regulations and more enforcement actions may be coming.
  • Disposition of Pilot Program: The U.S. Business Rule states that the Treasury Department anticipates undertaking a separate rulemaking process to develop regulations that would replace the industry-based Pilot Program with a mandatory filing requirement based on export control licensing requirements. Because the statutory expiration date for the Pilot Program is March 5, 2020, CFIUS could publish this new rulemaking soon.
  • Principal Place of Business: CFIUS embedded a proposed rule within both of the Rules. In this proposed rule, CFIUS proposed a definition of “principal place of business” to be used when determining whether an entity or a fund is a U.S. person or a foreign person. CFIUS accepted comments on this proposed definition and will need to revise or finalize its proposed definition in the future.
  • Emerging and Foundational Technologies: The Rules note that the Commerce Department, not CFIUS, is responsible for defining “emerging” and “foundational” technologies. Nevertheless, Pilot Program and TID covered investment jurisdiction hinge in part on these definitions. At some point in the future, the Commerce Department is expected to define and begin controlling these types of technologies, although it remains unclear whether the Commerce Department will do so in large rulemakings or piecemeal

 

[1] U.S. Dep’t of the Treas., Determination and Temporary Provisions Pertaining to a Pilot Program to Review Certain Transactions Involving Foreign Persons and Critical Technologies, 83 Fed. Reg. 51322 (Oct. 11, 2018).