CFIUS: Proposed FIRRMA Regulations Define CFIUS's Expanded Jurisdiction and Mandatory Filing Requirements

On September 17, the US Department of the Treasury issued comprehensive proposed regulations to implement the Foreign Investment Risk Review Modernization Act of 2018 (FIRRMA). This alert describes key aspects of the proposed regulations. Overall, the proposed regulations reflect a concerted effort by the Committee on Foreign Investment in the United States (CFIUS) to limit the expansion of its jurisdiction and mandatory filing requirements only to those transactions most likely to raise national security concerns. Importantly, under the proposed regulations CFIUS review would remain mostly a voluntary process. However, despite authorization in FIRRMA, the proposed regulations appear to exempt few foreign investors from the expanded jurisdiction, and would not exercise CFIUS's discretion to waive mandatory filing requirements for certain investors with substantial foreign government ownership. Public comments on the proposed regulations must be submitted by October 17. Final regulations will go into effect by February 2020.

As we previously reported in July and August 2018, FIRRMA provided the general contours for CFIUS reform – including expanded jurisdiction over certain non-controlling investments and real estate transactions; limitation of such expanded jurisdiction to certain categories of foreign investors; and mandatory filing requirements for certain transactions involving foreign government interest or critical technologies – but largely deferred to CFIUS itself to define the precise extent of such reforms.

The proposed regulations were issued in two parts (investment-related regulations found here and real estate-specific regulations found here) and provide this definition, often in the form of highly specific bright-line criteria. These bright lines reflect efforts by CFIUS to limit the expansion of its jurisdiction and mandatory filing requirements only to those transactions most likely to raise national security concerns. But they also reflect reluctance to create exemptions that might enable potentially higher-threat investors to avoid CFIUS's jurisdiction. While these bright lines may provide clarity, they would also, in many instances, require a highly detailed assessment of the target to determine whether a transaction falls within CFIUS's jurisdiction and whether a mandatory filing is required. Parties to transactions that potentially fall within CFIUS's jurisdiction – especially foreign investors with substantial government ownership and therefore could be subject to mandatory filing requirements – will need to allot adequate time and resources for this detailed assessment in their deal timelines.

Expanded Jurisdiction

Prior to FIRRMA, CFIUS's jurisdiction was limited to transactions that could result in foreign control of any US business. As a result, the jurisdictional analysis was largely legal in nature: did the investor's ownership structure make it a "foreign person"; could the investor's governance rights result in "control"; and did the target company or assets constitute a "US business"? There was little, if any, need to consider the substantive national security vulnerabilities of the target to complete the jurisdictional analysis.

FIRRMA retains CFIUS's jurisdiction over such transactions (referred to as "covered control transactions" in the proposed regulations) but gives CFIUS two new bases for jurisdiction: (1) certain non-controlling investments in certain US businesses involved with critical technology, critical infrastructure, or sensitive personal data (referred to in the proposed regulations as "TID US businesses" for technology, infrastructure, and data), and (2) certain real estate transactions. The proposed regulations provide detailed criteria of a US business's operations or the real estate assets, as applicable, that would cause a transaction to fall within these new bases for jurisdiction. As a result, under the proposed framework, once the final FIRRMA regulations go into effect, the jurisdictional analysis for non-controlling transactions will require a substantive assessment of the target business against these detailed criteria. Historically, the substantive assessment would typically be considered in assessing whether to file and potential risks relating to such a decision where jurisdiction was clear or presumed.

The criteria for subjecting transactions to CFIUS's expanded jurisdiction reflect the types of US businesses or real estate assets that have presented heightened national security vulnerabilities in CFIUS's caseload over the past years as well as the US government's growing concern with maintaining the integrity and reliability of the defense industrial base. We summarize these criteria below.

Covered Investments

CFIUS's jurisdiction to review certain non-controlling, yet non-passive investments (called "covered investments" in the proposed regulations) is based on both the nature of the investment, and the nature of the target US business. FIRRMA supplied the first half of the test: the nature of the investment must afford a foreign person (other than a foreign person that meets a detailed list of criteria, referred to as an "excepted investor") one or more of the following:

a) access to any material non-public technical information in the possession of the TID US business;

b) membership or observer rights on the board of directors (or equivalent) of the TID US business or the right to nominate an individual to a position thereto; or

c) any involvement, other than through voting of shares, in substantive decision-making of the TID US business regarding critical technology, critical infrastructure, or sensitive personal data.

The proposed regulations now supply the second half of the test by defining with more particularity what is required to be a "TID US business." The three categories of TID US businesses are as follows:

1. Critical Technology

The proposed regulations maintain without change or additions the definition of "critical technology" in FIRRMA, which includes: defense articles and defense services included on the United States Munitions List; certain items included on the Commerce Control List; certain nuclear-related facilities, equipment, parts and components, materials, software, and technology; select agents and toxins; and a new category of "emerging and foundational technologies" that will be controlled for export pursuant to section 1758 of the Export Control Reform Act of 2018 (ECRA). As of the date of this alert, no "emerging or foundational technologies" have been controlled under ECRA. A US business that produces, designs, tests, manufactures, fabricates, or develops one or more "critical technologies" would be considered a "TID US business."

2. Critical Infrastructure

FIRRMA instructs CFIUS to limit its jurisdiction over covered investments in "critical infrastructure" to a subset of critical infrastructure (referred to in the proposed regulations as "covered investment critical infrastructure") that is likely to be of particular importance to US national security. The proposed regulations define this subset with precise bright lines – but with many such lines – in a detailed appendix that identifies 28 types of infrastructure. These include:

• telecoms: certain internet protocol networks, telecommunications and information services, internet exchange points, submarine cable systems and related facilities (including certain data centers);
• power: certain systems for the generation, transmission, distribution, or storage of electric energy comprising the bulk-power system, industrial control systems utilized therefor, and certain electric storage resources physically connected to the bulk-power system;
• oil and gas: certain refineries, crude oil storage facilities, liquid natural gas (LNG) import or export terminals, natural gas underground storage facilities or LNG peak-shaving facilities, interstate oil and natural gas pipelines, and industrial control systems therefor;
• water: certain public water systems and treatment works, and industrial control systems therefor;
• finance: certain systemically important financial market utilities, securities and options exchanges, and core processing services providers; and
• defense industrial base: fiber optic cables that directly serve certain military installations; facilities that provide electric power generation, transmission, distribution, or storage directly to or located on certain military installations and industrial control systems therefor; public water systems or treatment works directly serving certain military installations and industrial control systems therefor; interstate oil pipelines that directly serve the strategic petroleum reserve; rail lines and associated connector lines designated as part of the Department of Defense's (DOD) Strategic Rail Corridor Network; satellites or satellite systems providing services directly to DOD and its components; facilities in the United States that manufacture certain specialty metals, covered materials, chemical weapons antidotes, and carbon, alloy, and armor steel plate; and – other than commercially available off-the-shelf items – certain industrial resources manufactured or operated for a Major Defense Acquisition Program, Major System, or "DX" priority-rated contract or order, or funded by the Title III program, Industrial Base Fund, Rapid Innovation Fund, Manufacturing Technology Program, Defense Logistics Agency (DLA) Warstopper Program, or a DLA Surge and Sustainment contract.

The appendix also assigns one or more of five specified functions (own, operate, supply, service, or manufacture) to each of the 28 types of infrastructure. A US business that performs at least one of the functions assigned to the corresponding type of covered investment critical infrastructure would be considered a "TID US business."

3. Sensitive Personal Data

FIRRMA contains no definitions or delineating principles with respect to "sensitive personal data," other than that it refers to data that may be exploited in a manner that threatens national security.

To address this, the proposed regulations create two classes of sensitive personal data. First, any amount of "genetic information" as defined pursuant to 45 C.F.R. § 160.103 – regardless of the amount of such data, or the population on whom it is collected – would constitute "sensitive personal data." This includes, among others, information from genetic tests, information about the manifestation of disease or disorders, and requests for genetic services.

Second, sensitive personal data includes "identifiable data," which is defined as data that can be used to distinguish or trace an individual's identity – but only if the following category and collection requirements are satisfied:

• Categories: the identifiable data falls within one of 10 identified categories: (a) data that could be used to determine an individual's financial distress or hardship; (b) data in a consumer report (with certain exceptions); (c) data included in health or other types of insurance applications; (d) data relating to the physical, mental, or psychological health of an individual; (e) non-public electronic communications (email, text, chat, etc.) between users of the US business's products or services if facilitating third-party user communications is a primary purpose of such products or services; (f) geolocation data; (g) biometric enrollment data; (h) data used to generate a state or federal government ID card; (i) data concerning US government personnel security clearance status, or (h) data contained in the application for a personnel security clearance or for employment in a position of public trust.
• Collection: the US business that maintains or collects the identifiable data (a) targets or tailors products or services to US executive branch agencies or military departments with intelligence, national security, or homeland security responsibilities, or to personnel and contractors thereof; (b) had such data on greater than one million individuals at any point over the preceding 12 months; or (c) has a demonstrated business objective to maintain or collect such data on greater than one million individuals and such data is an integrated part of the US business's products or services.

Any US business that maintains or collects either class of "sensitive personal data," with limited exceptions (e.g., such data on the employees of the US business or available in the public domain), would be considered a "TID US business."

Covered Real Estate Transactions

FIRRMA also gave CFIUS jurisdiction to review the purchase or lease by, or concession to, a "non-excepted" foreign person of certain real estate (a) involving air or maritime ports or (b) that is in close proximity to, or that provides the foreign person the ability to collect intelligence on or surveil national security activities at, US military installations or other sensitive US government facilities or property.

The proposed regulations would implement this new basis for jurisdiction through the concept of a "covered real estate transaction." Specifically, unless any of the seven exceptions listed below applies, CFIUS would have the authority to review any purchase or lease by, or concession to, a foreign person of "covered real estate," either directly or indirectly, that affords the foreign person at least three of the following four "property rights":

• physically access the real estate;
• exclude others from physical access to the real estate;
• improve or develop the real estate; or
• attach fixed or immovable structures or objects to the real estate.

"Purchase" includes less than full ownership of the covered real estate. A "lease" includes a sub-lease. "Concessions" only pertain to the development or operation of infrastructure for an "airport" or "maritime port" (each as further defined below), though CFIUS is considering additional applications in the final regulations.

There are five types of "covered real estate":

1. real estate that is, is located within, or will function as part of, an "airport" or "maritime port";

• "airports" are limited to (i) any "large hub airport" as defined in 49 U.S.C. § 40102, (ii) any airport with annual aggregate all-cargo landed weight greater than 1.24 billion pounds, and (iii) any "joint use airport" as defined in 49 U.S.C. § 47175.
• "maritime ports" are limited to (i) strategic seaports within the National Port Readiness Network, and (ii) the top 25 tonnage, container, or dry bulk ports according to the most recent annual report submitted to Congress by the US Department of Transportation pursuant to 49 U.S.C. 6314.

2. real estate that is within "close proximity" (defined as one mile) of any military installation listed on part 1 (132 such sites) or part 2 (32 such sites) of Appendix A to the proposed real estate regulations;

3. real estate that is within the "extended range" (defined as up to 100 miles generally, but no more than 12 nautical miles seaward of any US coastline) of any military installation listed on part 2 of Appendix A. These 32 military installations generally cover expansive territory, and contain sensitive training ranges or launch sites susceptible to physical or electronic surveillance. These sites include, for example, Naval Weapons Systems Training Facility Boardman, Oregon, which was relevant to a Presidential divestment order in 2012 on the basis of a CFIUS review in the Ralls transaction;

4. real estate located within the 24 counties or other geographic areas listed on part 3 of Appendix A, which are associated with missile fields; and

5. real estate located within the 23 offshore military operating areas listed on part 4 of Appendix A, but only up to 12 nautical miles seaward of the coastline.

In an effort to streamline what could otherwise be a countless number of "covered real estate transactions," which would be unworkable for both industry and CFIUS, the proposed regulations include seven important exceptions:

1. The proposed regulations provide a blanket exemption from "covered real estate transactions" for certain categories of foreign persons known as "excepted real estate investors" (see next section, below).

2. The proposed regulations carve out any transaction involving covered real estate that is a covered transaction subject to CFIUS's investment-related jurisdiction. Any transaction involving a US business must be analyzed under CFIUS's "covered control transaction" or "covered investment" jurisdiction, described above, and would not be considered a "covered real estate transaction" even if it includes covered real estate. In other words, "covered real estate transactions" only apply to transactions involving real estate that does not constitute a US business.

3. The proposed regulations carve out any covered real estate that is within an "urbanized area" or "urban cluster," each as identified in the most recent US Census, unless the real estate either (i) is, is located within, or will function as part of, an airport or maritime port, or (ii) is within close proximity (i.e., one mile) of the military installations listed on part 1 or part 2 of Appendix A.

4. The proposed regulations carve out all single housing units, including fixtures and adjacent land that is incidental to the use of the real estate as a single housing unit.

5. The proposed regulations carve out leases and concessions involving covered real estate at airports or maritime ports that may be used only as a retail trade, accommodation, or food service sector establishment, as described within the North American Industry Classification System (NAICS) Sectors 44-45 and 72. Presumably, this is meant to exclude, for example, leases by vendors within an airport food court.

6. The proposed regulations carve out commercial office space within a multi-tenant commercial office building, but only if the foreign person and its affiliates (i) do not, in the aggregate, exceed 10 percent of the total square footage and (ii) do not represent more than 10 percent of the total number of tenants.

7. The proposed regulations carve out certain lands owned by certain Alaska Native entities or held in trust by the United States for American Indians, Indian tribes, Alaska Natives, and Alaska Native entities.

In short, the proposed real estate regulations are extremely detailed and could require a time- and fact-intensive assessment to determine whether a transactions falls within this new basis for CFIUS jurisdiction. We note, however, that "covered real estate transactions" are subject to voluntary review – they are not subject to the two categories of mandatory filing requirements described below.

Very Narrow Exemption from Expanded Jurisdiction

Excepted Investors

FIRRMA instructs CFIUS to limit the application of the two new bases for jurisdiction (covered investments and covered real estate transactions) to certain categories of foreign persons. FIRRMA did not provide specific criteria for such limitation, other than that a foreign person's connections to a foreign country or foreign government and whether the connections may affect US national security should be considered.

Rather than limiting the two new bases for jurisdiction to certain categories of foreign persons, the proposed regulations instead would apply the new bases for jurisdiction to all foreign persons unless a foreign person is specifically exempted. When considered together with the very narrow criteria to qualify for exemption, this re-framing of FIRRMA's instruction indicates reluctance of CFIUS member agencies to create exemptions that might enable potentially higher-threat investors to avoid CFIUS's expanded jurisdiction.

The exact extent of the proposed regulations' exemption currently is not known, because CFIUS has not yet published one or more lists of "excepted foreign states" on which the exemption is based (the lists of exempted foreign states may be different for covered investments and covered real estate transactions). The Assistant Secretary of the Treasury for Investment Security has confirmed that this list will be published by the time the regulations take effect and will not be a null set.

The proposed regulations provide no criteria for how CFIUS will select countries for the list(s), other than that: two-thirds of voting CFIUS member agencies must agree¹; and, to remain on the list(s), a country, within two years, must have established and be effectively utilizing (or, with respect to real estate, made significant progress towards) a robust process to (a) analyze national security risks in foreign investment and (b) coordinate with the United States on matters relating to investment security. The specific factors that CFIUS will consider as to whether a listed country has developed such a "robust process" have not yet been made available. The proposed regulations indicate that the initial list(s) will be small, given that "excepted foreign states" is a new concept with potentially significant implications for US national security. The proposed regulations also indicate that such list(s) will be updated from time to time.

Once the set of "excepted foreign states" is known, the process to determine whether a particular foreign person is an "excepted investor" is complex and ultimately highly restrictive. To be an "excepted investor," the foreign person must fall into one of three categories:

1. A foreign national who is exclusively a national of one or more excepted foreign states.

2. A foreign government of an excepted foreign state.

3. A foreign entity that meets each of the following five criteria with respect to itself and each of its parents:

i. Organized under the laws of an excepted foreign state or in the United States.

ii. Principal place of business in an excepted foreign state or the United States.

iii. Each member and observer to its board of directors is either a US national or a foreign national who is exclusively a national of one or more excepted foreign states.

iv. Any foreign person that individually, or as part of a group of foreign persons, holds five percent or more of voting interest, economic interest, profit interest, or asset interest upon dissolution or that could otherwise control such entity must be (a) a foreign national who is exclusively a national of one or more excepted foreign states, (b) a foreign government of an excepted foreign state, or (c) a foreign entity organized under the laws of an excepted foreign state and that has its principal place of business in an excepted foreign state or the United States.

v. The "minimum excepted ownership" of such entity – defined as a majority of its voting, profit, and asset–upon-dissolution interest for an entity publicly traded on an exchange in an excepted foreign state or the United States; and at least 90 percent of its voting, profit, and asset–upon-dissolution interest for any other entity – must be held, individually or in the aggregate, by persons each of whom either is not a foreign person or qualifies as (a), (b), or (c) in criterion (iv) above.

Even if a foreign person meets all of the above criteria, it is still not an "excepted investor" if (a) it is listed on the Commerce Department, Bureau of Industry & Security's Unverified List or Entity List, or (b) in the five years prior to the completion of its transaction, either the foreign person or any of its parents or subsidiaries engaged in any of eight types of bad acts, including: material misstatements in a CFIUS filing, material breach of a CFIUS mitigation agreement, violations of US sanctions laws, debarment from the Directorate of Defense Trade Controls, violations of US export control laws, and felony crimes. Further, if the foreign person no longer satisfies the criteria in (1), (2), and (3)(i)-(iii), above, at any time during the three-year period after the completion of the transaction, it is no longer an "excepted investor" from the completion date onward, and its transaction would become subject to a potential CFIUS-initiated agency notice during this three-year period.

Investment Funds – No Exemptions from CFIUS's Expanded Jurisdiction

One of the most confusing aspects of FIRRMA is its "clarification" for certain investment fund investments. As we have previously reported, this "clarification" creates a number of ambiguities. The "clarification" first purports to create a carve-out for certain indirect investments by a foreign limited partner in a TID US business through such limited partner's membership on the fund's advisory board or other committee, from what would otherwise be a "covered investment." But the "clarification" then appears to broaden the criteria that such limited partner must satisfy for its investment not to be considered a "covered investment."

Two FAQs in the context of the CFIUS Pilot Program revealed that CFIUS is interpreting this "clarification" to mean only one thing: that a foreign limited partner's membership on an advisory board or committee of a fund does not, in and of itself, render the foreign person's indirect investment in a TID US business to be a covered control transaction or a covered investment if it would not otherwise be. Whether such indirect investment would otherwise be such a covered transaction would still need to be assessed based on the respective criteria for covered control transactions and covered investments.

Therefore, we caution investors in investment funds from relying on this investment fund "clarification" as any sort of "exemption" from CFIUS's expanded jurisdiction (but see below regarding exemption from mandatory filing requirements). A limited partner's investment through an investment fund must still be assessed against (i) CFIUS's broad definition of "control" (which remains unchanged) and (ii) in the context of the investment fund's investment in a TID US business, the nature of the rights, access, and involvement at the level of the TID US business that the limited partner is afforded (either through its membership on the fund's advisory board or committee, or otherwise).

Limited Mandatory Filing Requirements

A key takeaway from both FIRRMA and the proposed regulations is that CFIUS remains primarily a voluntary process. Unless a transaction falls within either of the two specific categories below, the parties may decide for themselves whether to submit the transaction for CFIUS review. Though, importantly, CFIUS retains the right to initiate reviews of, or encourage parties to voluntarily submit for review, non-notified transactions.

Critical Technology – Pilot Program Remains in Effect

Covered control transactions and covered investments in certain US businesses involved with critical technologies in or for 27 specific "pilot program industries" (known as "pilot program covered transactions") already are subject to CFIUS's jurisdiction, as well as a mandatory filing requirement, pursuant to a Pilot Program that went into effect in November 2018 (see here for a summary). The proposed regulations do not alter this Pilot Program, and thus the Pilot Program will remain in effect while CFIUS decides whether to continue it in some form beyond its expiration at the effective date of the new regulations. FIRRMA authorized, but did not require, CFIUS to mandate filings for transactions involving critical technology, and CFIUS is considering whether to do so as part of the final regulations.

The Pilot Program's interim rules require that a short-form declaration, or a full notice in lieu of a declaration, be filed at least 45 days prior to the completion date of the pilot program covered transaction. Failure to do so may incur civil penalties up to the value of the transaction.

Substantial Foreign Government Interest in TID US Businesses

The proposed regulations would implement FIRRMA's second, non-discretionary category of mandatory filing requirements: transactions involving substantial foreign government interest in a TID US business. Specifically, a short-form declaration, or a full notice in lieu of a declaration, must be submitted at least 30 days prior to the completion date of any covered control transaction or covered investment that results in:

• a "substantial interest" (defined as a voting interest, direct or indirect, of 25 percent or more) in a TID US business
• by a foreign person in which a foreign government has a "substantial interest" (defined as a voting interest, direct or indirect, of 49 percent or more).
  • For purposes of determining the percentage of voting interest held indirectly by one entity in another entity, any voting interest of a parent will be deemed to be 100 percent in its subsidiary. Thus, for the substantial-interest analysis, the proposed regulations do not recognize dilution throughout the ownership chain that would otherwise result from parent ownership interests less than 100 percent.
  • A foreign government will be considered to have a "substantial interest" in a limited partnership if it either (i) holds 49 percent or more of the voting interest in the general partner, or (ii) is a limited partner and holds 49 percent or more of the voting interest of the limited partners.

Failure to make such a mandatory filing may incur civil penalties not to exceed $250,000 per violation or the value of the transaction, whichever is greater, with the amount of the penalty based on the nature of the violation.

While the filing must be made at least 30 days before the expected completion date (which as discussed below is defined more strictly), the proposed regulations would permit the parties to close their transaction prior to the expiration of the 30 days if they have been informed in writing by CFIUS either that (a) CFIUS has concluded all action, or (b) in the case of a declaration, CFIUS is not able to complete action on the basis of the declaration (but CFIUS does not request or self-initiate a full notice).

Notably, while FIRRMA gave CFIUS discretion to waive this mandatory filing requirement with respect to any foreign person that CFIUS determines to have demonstrated that (a) the investments of that foreign person are not directed by a foreign government and (b) the foreign person has a history of cooperation with CFIUS, the proposed regulations contain no such waiver provisions. No explanation was provided for CFIUS's decision to forego any possibility of waivers.

Investment Funds – Certain Exemptions from Mandatory Filings

Both the CFIUS Pilot Program and the proposed regulations implement FIRRMA's exemption of certain investment fund transactions from the above categories of mandatory filings. An investment by an investment fund is exempt from the Pilot Program mandatory filing requirement, and would also be exempt from the substantial foreign government interest mandatory filing requirement, if:

1. the fund is managed exclusively by a general partner, a managing member, or equivalent;

2. that general partner, managing member, or equivalent is not a foreign person; and

3. if any foreign person has membership as a limited partner on an advisory board or committee of the fund:

i. the advisory board or committee does not have the ability to approve, disapprove, or otherwise control (a) investment decisions of the investment fund or (b) decisions made by the general partner, managing member, or equivalent related to entities in which the investment fund is invested; and

ii. the foreign person does not otherwise have the ability to control the investment fund.

Somewhat inexplicably, this provision of FIRRMA appears to exempt from mandatory filing requirements those investment fund investments that afford a foreign limited partner any of the rights, access, or involvement that would constitute a "covered investment" (for example, access to material non-public technical information of the US business), so long as the criteria above are met. Further clarity on this point will be needed in the final regulations.

Other Notable Features of the Proposed Regulations

The proposed regulations make other notable choices for the implementation of FIRRMA.

• No filing fees – yet. The proposed regulations do not contain any provisions for filing fees, but they note that filing fees will be the subject of a separate rulemaking. FIRRMA authorizes CFIUS to impose filing fees not to exceed the lesser of one percent of the value of the transaction or $300,000 (adjusted for inflation).
• Strict definition of "completion date." In the context of covered control transactions and covered investment, the proposed regulations newly define the term "completion date" to be the earliest date upon which any ownership interest, including a contingent equity interest, is conveyed, assigned, delivered, or otherwise transfers to a person, or a change in rights that could result in a covered control transaction or covered investment occurs. Significantly greater clarity will be needed from CFIUS to understand the rationale for, and implications of, this new definition. For example, in the context of a transaction that has multiple tranches (which is common in venture capital and other early-stage investing), this new definition appears to make the closing of the first such tranche the "completion date" (including for purposes of the 30-day lead time by which a mandatory filing must be submitted), even if "control" or "non-passive" rights do not attach at the first closing. If this is the approach that CFIUS will take, then this new definition appears to foreclose a practice that developed under the CFIUS Pilot Program, whereby part or all of the equity portion of an investment closed first, but "control" or other non-passive rights (e.g., board seat, access to material non-public technical information) did not attach, until at least 45 days after submission of a declaration to CFIUS. This practice developed as a way for foreign investors to provide urgently needed funding to a US business while still respecting the Pilot Program's 45-day advance filing requirement. Foreclosing this practice could further disadvantage foreign investors vis-à-vis domestic investors in a bid process and limit urgently needed capital infusions for struggling US companies.
• Potential extra-territorial interpretation of "US business." CFIUS's current regulations define "US business" to mean any entity engaged in interstate commerce in the United States, but only to the extent of its activities in interstate commerce. Two examples in the current regulations imply that, in the context of a multinational company with operations both within and outside of the United States, "US business" is understood to be only the operations within the United States.

The proposed regulations would delete the limitation "but only to the extent of its activities in interstate commerce." The Treasury Department's official explanation is that this change was made to conform the definition in the proposed regulations to the definition of "United States business" in FIRRMA, but Treasury has declined to comment thus far on whether such a change would affect the scope of what CFIUS considers to be a "US business." Adding to this uncertainty: the proposed regulations retain one of the examples that implies that – in the context of a multinational company that operates within the United States through a branch or subsidiary – the "US business" is only that branch or subsidiary; but deletes a second example that clarified that CFIUS's concept of "covered transaction" would have been limited only to the businesses in the United States. This uncertainty as to the scope of a "US business" in these circumstances – and thus the scope of the "covered transaction" that CFIUS is empowered to review – also creates uncertainty as to the scope of the "risks posed by" such transaction that CFIUS can legitimately use as the basis for mitigation and/or a block recommendation.

• Limited applicability of the "incremental acquisition rule". The proposed regulations maintain the essence of the current "incremental acquisition rule": a transaction will not be deemed a "covered transaction" if a foreign person acquires an additional interest in a US business over which the same foreign person (or any of its direct or indirect wholly-owned subsidiaries) previously acquired direct control in a transaction for which CFIUS concluded action on the basis of a full notice. However, the proposed regulations do not extend the "incremental acquisition rule" either to where the initial transaction was submitted only as a declaration or was only a "covered investment."
• Subpoena power for pre-filing information gathering. CFIUS's current regulations state that parties to a transaction that is notified to the Committee must provide any information to enable the Committee to conduct a full review or investigation of such transaction, and that CFIUS may subpoena any such information if necessary. The proposed regulations extend this information-gathering power to declarations, but also extend it to any transaction for which no notice or declaration has been submitted if needed to assess whether the transaction is a covered transaction. The express expansion of parties' obligations to provide pre-filing information to CFIUS, and CFIUS's rights to subpoena such pre-filing information, is one more way that CFIUS is significantly building its internal resources to more quickly and effectively identify transactions of concern that have not been filed for review.
• New information requirements for filings.
  • Declarations: the proposed regulations adopt, for the most part, the information that is currently required to be provided in declarations under the CFIUS Pilot Program, with notable additions including copies of the transaction document(s), lists of government contracts (for covered control transactions and covered investments), and more detailed pre- and post-transaction organizational charts.
  • Notices: for covered control transactions and covered investments, the proposed regulations maintain, for the most part, the information that is currently required to be provided in notices under the current CFIUS regulations, with notable additions including details of any critical technology, critical infrastructure, or sensitive personal data implicated in the transaction, and more detailed pre- and post-transaction organizational charts.
• Potential authority to review additional lending transactions. Finally, we note that the proposed regulations maintain the general rule that CFIUS will accept notices (and now, declarations) concerning a loan or similar financing arrangement that does not, by itself, constitute a covered transaction only when imminent or actual default or some other condition creates a significant possibility that a covered control transaction or covered investment would result. The proposed regulations also maintain the guideline that a financing arrangement, by itself, may constitute a covered transaction if it affords the foreign person the right to appoint members of the board of directors of the US business or other comparable financial or governance rights "characteristic of an equity investment but not of a typical loan." However, a new example in this section of the proposed regulations suggests that any financing arrangement through which a foreign person obtains "control" of a US business would be a covered control transaction (and any financing arrangement through which a foreign person obtains board member/observer rights, access to material non-public technical information, and/or involvement in substantive decision-making of a TID US business would be a covered investment) – even if such rights are typical for a loan. This could potentially expand the set of lending transactions that would constitute covered transactions in themselves – some of which might require a mandatory filing. Further clarity on this from CFIUS is warranted.

In closing, we note two fundamental transformations of CFIUS reflected in these proposed regulations. First, notwithstanding CFIUS's concerted efforts to limit its own expansion, CFIUS has transformed from a committee of limited jurisdiction with ostensibly an exclusively voluntary process, to a committee of expanded jurisdiction with mandatory filing requirements. Thus, while the CFIUS process remains primarily voluntary, it is now – for the first time in its history – a "screen" for certain foreign investments into the United States.

Second, CFIUS's expanded jurisdiction with respect to TID US businesses and real estate, and CFIUS's exemptions from such expanded jurisdiction for certain "excepted investors," are all pegged to bright-line lists reflecting specific and evolving vulnerabilities and threats, respectively. Thus, CFIUS's regulations have necessarily become a living document, that can – and must – be routinely updated as these vulnerabilities and threats continue to evolve. No longer will ten years pass between updates.

In sum, the proposed regulations solidify CFIUS's future as a constantly evolving process – one that is increasingly difficult to avoid, and in any event, impossible to ignore.

As noted above, public comments on the proposed regulations must be submitted by October 17.

Click here to download PDF.

¹ All other decisions of CFIUS are taken by consensus. Thus, it is striking that only two-thirds of the voting members must agree to add (or remove) a country from the list.

This publication is provided for your convenience and does not constitute legal advice. This publication is protected by copyright.
© 2019 White & Case LLP