United States

Most deals are approved, but new rules covering more types of transactions and requiring mandatory filings in certain cases have changed the landscape

17 min read

The Committee on Foreign Investment in the United States (CFIUS), which is led by the US Department of the Treasury and made up of US national security and economic agencies—including Defense, State, Justice, Commerce, Energy and Homeland Security—conducts national security reviews of foreign direct investment (FDI) into the United States. 

The Foreign Investment Risk Review Modernization Act of 2018 (FIRRMA) significantly overhauled the CFIUS process, including by adding new types of transactions subject to CFIUS review and, for the first time ever, mandating notification to CFIUS in certain cases. 

Final regulations fully implementing FIRRMA's reforms took effect on February 13, 2020. Since then, CFIUS has made additional changes, including imposing filing fees for CFIUS notices and issuing a new rule that changes the mandatory filing requirements for transactions in which the target US business is involved with critical technologies, such as certain items, technology and services subject to US export controls.



Historically, CFIUS has had jurisdiction to review any transaction that could result in "control" of a US business by a foreign person. Control is defined—and interpreted by CFIUS—broadly as the power, whether exercised or not, to determine, direct or decide important matters affecting an entity. Control can be present even in minority investments.

A "US business" is similarly defined and interpreted broadly. Covered transactions (those subject to CFIUS's jurisdiction) include deals structured as stock or asset purchases, debt-to-equity conversions, foreign-foreign transactions where the target has US assets, private equity investments (in some cases even where the general partner is US-owned) and joint ventures into which a US business is being contributed. 

Despite CFIUS's broad historical jurisdiction, in recent years the shifting national security landscape in the US, particularly regarding Chinese investment, exposed gaps between the transactions that CFIUS was able to review and those beyond its reach that nonetheless presented potential national security concerns. FIRRMA sought to close these gaps by expanding CFIUS's jurisdiction and mandating filing in certain cases.

With respect to investments, in addition to its traditional authorities-of-control transactions, CFIUS now has expanded jurisdiction to review certain "covered investments" in sensitive US businesses referred to as "TID US businesses" under the regulations. (TID stands for Technologies, critical Infrastructure and personal Data.) TID US businesses are those that: 

  • Produce, design, test, manufacture, fabricate or develop one or more critical technologies
  • Perform certain actions in relation to identified critical infrastructure assets, referred to as "covered investment-critical infrastructure"
  • Maintain or collect sensitive personal data of US citizens 

Certain transactions involving TID US businesses are also subject to mandatory filing requirements. 

A covered investment is a non-controlling transaction that affords the foreign investor any of the following with respect to a TID US business: 

  • Access to any material nonpublic technical information in its possession
  • Board membership or observer rights
  • Any involvement, other than through voting of shares, in substantive decision-making regarding sensitive personal data of US citizens, critical technologies or covered investment critical infrastructure

Beyond its traditional investment focus, CFIUS now also has jurisdiction to review the purchase or lease by, or a concession to, a foreign person of real estate in the US that is located within, or will function as part of, certain air or maritime ports; or is located in or within certain proximity ranges of identified military installations and areas. Real estate transactions under CFIUS's jurisdiction are not subject to mandatory filing requirements.

CFIUS also has jurisdiction to review changes in rights that would provide control or, for a TID US business, covered investment rights as well as transactions designed to evade CFIUS review.



CFIUS notices are typically submitted jointly by the parties, typically the investing entity and the target, to the notified transaction 

Though the new regulations mandate filings for certain transactions, CFIUS review remains predominantly a voluntary process, as most transactions subject to CFIUS's jurisdiction do not meet the mandatory filing criteria. Even for transactions under CFIUS's voluntary authorities, CFIUS may request parties notify a transaction of interest and has the authority to initiate reviews directly. Notably, under FIRRMA, CFIUS is pursuing non-notified transactions more aggressively, so the risk of CFIUS reaching out on a non-notified transaction has generally increased compared with past years.

Mandatory filing requirements apply only with respect to controlling investments or covered investments (i.e., "covered transactions") in TID US businesses. Specifically, subject to certain exemptions, mandatory filings are required in the following two circumstances:

  • The acquisition of 25 percent or more of the voting interests in a TID US business by a person in which a single foreign government holds, directly or indirectly, a 49 percent or greater voting interest. All parents in the investor's ownership chain are deemed 100 percent owners, so dilution of ownership interests is not recognized for purposes of this test
  • A foreign investment in a TID US business involved with critical technologies, where one or more "US regulatory authorizations" (for example, export licenses) would be required to export, re-export or retransfer any of the US business's critical technologies to the investor or any person holding a 25 percent or greater, direct or indirect, voting interest in the investor. With a few exceptions, mandatory filing is required even where such critical technologies would be eligible for export to the relevant foreign person under a license exception

The critical technology mandatory filing requirement focusing on the export-control treatment of the target's critical technology with respect to the foreign investor and its substantial owners took effect on October 15, 2020, and replaced the prior standard that considered whether a TID US business's critical technologies were utilized in connection with identified industries. Transactions for which certain actions occurred prior to October 15, 2020 (such as execution of a binding transaction agreement) would be subject to the prior industry standard. 

If a mandatory filing applies, notification by a declaration or notice must be submitted to CFIUS at least 30 days prior to the transaction's completion date. 

The new regulations also introduce a concept of "excepted investors," which are not subject to CFIUS's expanded jurisdiction for covered investments or real estate transactions and are exempt from mandatory filing requirements. Excepted investors and their parents must meet relatively strict nationality-related criteria related to "excepted foreign states," which are currently Australia, Canada, and the US (though this list can change). Excepted investors are not exempt from CFIUS's general jurisdiction, only from CFIUS's expanded authorities under FIRRMA.



CFIUS reviews focus solely on national security concerns. CFIUS conducts a risk-based analysis based on the threat posed by the foreign investor, the vulnerabilities exposed by the target US business and the consequences to US national security of combining that threat and vulnerability. 

Based on its risk assessment, CFIUS determines whether the transaction presents any national security concerns. If CFIUS identifies such concerns, it first determines whether other provisions of US law can sufficiently address them. If no other provisions of US law adequately address the concerns, CFIUS next determines whether any mitigation measures could resolve the concerns. If mitigation is warranted, CFIUS will typically negotiate terms with the parties, which will be a prerequisite to CFIUS clearing the transaction. 

If CFIUS determines that mitigation cannot adequately resolve its concerns, CFIUS will typically request that the parties abandon their transaction (or the foreign buyer divest its interest in the US business if the review happens following closing). 

If the parties will not agree to abandonment or divestment, CFIUS can recommend that the President of the United States block the transaction, as only the President has the authority to prohibit a transaction. Presidential blocks are relatively rare, though they have happened more frequently in recent years. It is still more typical for parties to agree to terms for abandonment or divestment directly with CFIUS. Although the CFIUS process is confidential, presidential blocking orders are public.



There are now two options for how parties can notify a transaction to CFIUS: a declaration, which is a short-form filing reviewed on an expedited basis; or a joint voluntary notice, which is the traditional CFIUS notification mechanism. Both declarations and notices include required information about the investor and its owners, the US business that is the subject of the transaction, and the transaction itself. For both declarations and notices, CFIUS will also typically request additional information via Q&A during the review. 

Following the initial submission, the declaration process typically takes approximately five to six weeks and the notice process typically takes up to three to five months. Following its assessment of a declaration, CFIUS may request the parties file a notice, so in those cases the total process for a transaction notified by declaration will take longer. For complex transactions, deals expected to be more sensitive from a national security standpoint, or in cases where parties want to be assured the certainty of CFIUS clearance, it may be advisable for the parties to start with a notice.

Once accepted by CFIUS, a declaration is assessed in 30 calendar days. At the end of the 30 days, CFIUS may take one of four actions: clear the transaction; inform the parties that CFIUS cannot clear the transaction on the basis of the declaration, but not request a notice (commonly referred to as the "shrug"); request that the parties file a notice for the transaction; or initiate a unilateral review.

Though the shrug outcome does not confer "safe harbor" as a clearance does—after a shrug, CFIUS could potentially request a notice for the transaction in the future—in our experience clients have often found the shrug outcome to be sufficient for closing.

For a notice, the parties initially submit a draft "prefiling" on which CFIUS will provide comments and follow-up questions. After addressing those comments, parties will formally file the notice with CFIUS. CFIUS then has to accept the filing, after which a 45-calendar-day initial review begins. At the end of the review, CFIUS will either clear the transaction or proceed to a 45-calendar-day investigation. About half of cases now proceed to investigation, which is an improvement from recent years.

An investigation may be extended for one 15-calendar-day period in "extraordinary circumstances." If a transaction is referred to the president, the president has 15 calendar days to decide whether to prohibit the transaction. In some cases, CFIUS will need additional time to complete its process, as when negotiating mitigation measures with the parties. In such circumstances, CFIUS may encourage the parties to withdraw and resubmit the filing, which restarts the initial 45-day review period. Most transactions are cleared in one CFIUS cycle.

Filing fees apply to notices submitted to CFIUS, but not declarations, though they apply for notices submitted following CFIUS's assessment of a declaration. Fees are assessed based on a tiered approach, providing for a proportional cost equal to or less than 0.15 percent of the transaction value. The lowest fee is US$750 for transactions valued between US$500,000 and US$5 million (transactions under US$500,000 are not subject to fees), and the highest-tier fee is US$300,000 for transactions valued at US$750 million or more.



Many of CFIUS's concerns—including those addressed in FIRRMA—relate to Chinese and Chinese-connected investments in the US. Despite the substantial decline in Chinese investment in the US, China continues to be a substantial focus of CFIUS. Beyond new Chinese investments, this includes potential Chinese ties to FDI from other countries, as well as non-notified transactions that were previously closed, sometimes several years prior. Based on our experience, including experience under the CFIUS Pilot Program and more since the new FIRRMA regulations took effect in February 2020, we also note the following other key trends related to CFIUS.

Increased CFIUS authorities change the equation

Now that there are mandatory CFIUS filing requirements—with potential penalties for non-compliance up to the value of the transaction—parties need to consider CFIUS issues much more carefully in connection with potential cross-border transactions. The jurisdictional analysis under FIRRMA has also grown increasingly complex, particularly for non-controlling transactions. Parties are considering these issues and often incorporating CFIUS-related provisions into transaction agreements even where no CFIUS filing is being made to provide themselves with additional protection regarding potential CFIUS compliance obligations. 

Declarations are proving to be a valuable tool

In 2019, declarations were available only for transactions subject to the CFIUS Pilot Program, which mandated filings for transactions meeting-specified criteria of heightened CFIUS sensitivity. The CFIUS Annual Report for 2019 revealed that under the Pilot Program, just over 70 percent of cases notified by declaration were either cleared on the basis of the declaration (approximately 37 percent) or received the "shrug" (approximately 34 percent). CFIUS requesting a notice was actually the least common CFIUS outcome, happening only 28 percent of the time. Now that declarations are a notification option for all covered transactions, in our experience clients have been availing themselves of this option and have often found it to be effective for transactions that do not seem likely to present substantial national security concerns. 

Threats and vulnerabilities are evolving

CFIUS's risk-based analysis has also evolved to include new types of potential "threats" and "vulnerabilities." CFIUS now routinely reviews all transactions for "third-country threats"—channels through which China and other deemed strategic competitors might cause harm through the foreign investor (even if the foreign investor itself is not from such a country). On the vulnerability side, FIRRMA identified key areas of potential substantive sensitivity with its expanded authorities over investments in TID US businesses and its new real estate jurisdiction. This does not, however, mean that critical technologies, critical infrastructure, sensitive personal data, and close proximity are the only areas of concern to CFIUS. The concept of national security remains broad, and CFIUS has shown interest in transactions covering a range of industries. External events can also affect national security sensitivities, such as an increased focus on health and supply chain security issues in light of the COVID-19 pandemic.

CFIUS steps up pursuit of non-notified transactions 

FIRRMA provided additional resources for CFIUS to identify and review non-notified transactions of interest. CFIUS officials have emphasized their focus on this area, and we have seen a substantial increase in CFIUS outreach to parties regarding non-notified transactions, including for transactions that closed years ago. So far, as would be expected, the outreach on past transactions has largely seemed aimed at deals involving Chinese and Russian investors. CFIUS remains largely a voluntary process, but given expanded resources and CFIUS personnel dedicated to finding non-notified transactions, it appears that the risk of not filing a transaction with a nexus to national security has generally increased. 

Emphasis on compliance and enforcement is rising

FIRRMA also provided additional resources for compliance and enforcement, and CFIUS officials have indicated that they will be looking closely at compliance with existing mitigation agreements. CFIUS issued its first penalty in 2018, which was for US$1 million for repeated violations of a mitigation agreement. CFIUS also issued another penalty in 2019 for US$750,000 for violations of an interim CFIUS order. CFIUS officials are currently working on promulgating enforcement guidelines. Parties under existing mitigation agreements, or parties entering into new ones, should focus on compliance to avoid potential CFIUS enforcement action.



It is critical for foreign investors to consider CFIUS issues—including assessing jurisdictional matters, whether mandatory CFIUS filing will apply, and potential substantive risks—as early as possible in cross-border transactions involving foreign investment (direct or indirect) in a US business. Given potentially severe penalties for noncompliance, parties need to know early whether filing will be required—and where it is not, may want to include relevant representations in the purchase agreement to provide additional protection. 

In cases where filing is mandatory or the parties voluntarily notify CFIUS, allocation of CFIUS mitigation risk will be a key issue. Most transactions are cleared without mitigation, but when it is required, mitigation can have a substantial impact on transaction goals and present unexpected costs. The range of mitigation measures that can be imposed by CFIUS is quite broad (based on the risk profile of the deal), and it is important for investors in particular to have as clear an understanding as possible with respect to what mitigation measures would be acceptable to them.



  • The number of CFIUS reviews continues to remain high, and more parties seem to be notifying CFIUS via declarations. So far, declarations have often proved an attractive and useful option for parties, particularly for transactions that are not expected to present substantial national security concerns
  • It is important to analyze potential CFIUS issues early in the deal process—including assessing whether mandatory filing requirements apply—and, where relevant, incorporate CFIUS-related terms into transaction agreements
  • FIRRMA has been fully implemented as of February 2020 (though CFIUS is continuing to make changes), significantly expanding CFIUS's jurisdiction, mandating filings for certain transactions, adding the expedited declaration filing option, and making other changes to the CFIUS process
  • The recent substantial decline in Chinese investment in the US correlated with a notable decrease in transactions being stopped by CFIUS. China, however, remains a key focus of CFIUS—including assessment of Chinese-related risks for transactions involving non-Chinese investors
  • CFIUS has substantially increased its pursuit of non-notified transactions of interest, including for transactions that closed several years ago. CFIUS is also ramping up its compliance and enforcement efforts with respect to mitigation requirements
  • The same legislation that contained FIRRMA also included the Export Control Reform Act of 2018, which requires the Department of Commerce to establish export controls on "emerging and foundational technologies, such as sensitive technologies not currently captured under the export control regime." A few controls of "emerging technologies" have been released, and more are expected to be issued on a regular basis in the near future. These are important developments to monitor as they are directly relevant to CFIUS's mandatory filing requirements and expanded authorities for investments in businesses involved with critical technologies



  • CFIUS continues to approve most notified transactions without mitigation measures
  • Notwithstanding mandatory filing requirements, CFIUS remains predominantly a voluntary process 
  • Declarations—short-form CFIUS filings that are reviewed on an expedited basis—are proving a valuable tool for parties in transactions that do not present national security concerns
  • Where CFIUS has national security concerns, it can impose mitigation conditions that can have significant implications on the foreign investor‘s involvement with the US business. It remains critical for investors to consider mitigation risks at the outset and negotiate protections into the transaction agreement
  • The decrease in Chinese investment in the US has correlated with a decline in transactions being stopped by CFIUS, though China remains a key CFIUS focus even in non-Chinese transactions 



FIRRMA—the most significant CFIUS overhaul in more than a decade—has now been fully implemented. This has resulted in a number of key changes to the CFIUS process, such as mandatory filings for certain transactions, an expansion of CFIUS's jurisdiction, and the introduction of a new expedited filing option. 

Investors need to assess early in a transaction process whether the US business subject to the transaction qualifies as a "TID US business"—one involved with critical technologies, certain critical infrastructure or sensitive personal data of US citizens—as foreign investments in TID US businesses are subject to CFIUS's expanded jurisdictional reach and may trigger mandatory filing requirements. Penalties for not complying with mandatory filing obligations can be up to the value of the transaction. 

Most transactions continue to get cleared by CFIUS without mitigation, but when CFIUS does have concerns, the consequences can be substantial, including unexpected costs and measures that can frustrate deal objectives. Investors must assess potential CFIUS risks and plan transactions carefully to protect themselves. Such assessments should also include determining the advisability of filing via a declaration or notice. The declaration filing option is proving to be a useful tool for many transactions, but parties should account for potential delays if CFIUS requests a notice. 

CFIUS has also started pursuing non-notified transactions of interest more aggressively, while also ramping up compliance and enforcement efforts related to mitigation agreements. If CFIUS officials reach out with questions regarding a non-notified transaction or about mitigation compliance matters, it is advisable to engage CFIUS counsel right away.



This publication is provided for your convenience and does not constitute legal advice. This publication is protected by copyright.
© 2020 White & Case LLP