Editor's Note: Any views expressed in this publication are strictly those of the authors and should not be attributed in any way to White & Case LLP. White & Case means the international legal practice comprising White & Case LLP, a New York State registered limited liability partnership, White & Case LLP, a limited liability partnership incorporated under English law and all other affiliated partnerships, companies and entities. This article is prepared for the general information of interested persons. It is not, and does not attempt to be, comprehensive in nature. Due to the general nature of its content, it should not be regarded as legal advice.
Fundamental change has been unfolding at the Committee on Foreign Investment in the United States, the inter-agency governmental committee that reviews certain foreign investments for national security concerns.
A shifting national security landscape, and growing recognition that CFIUS's previous authorities were insufficient to address the new landscape, culminated in the Foreign Investment Risk Review Modernization Act of 2018. Full implementation of FIRRMA has not yet occurred, and proposed implementing regulations continue to be revised. But it is already clear that CFIUS has been transformed from a committee of limited jurisdiction with a primarily voluntary process and limited interaction with other nations' investment security regimes, to a committee of expanded jurisdiction with certain mandatory filing requirements and a growing global network of inter-governmental cooperation on investment security matters.
This fundamental change will affect many new transaction parties and will require careful consideration of CFIUS's jurisdiction in cross-border deals, potentially affecting deal timing, costs, and certainty.
CFIUS was established in 1975 as a committee of six US government agencies, chaired by a representative of the Secretary of the Treasury, with the responsibility for monitoring the impact of foreign investment in the U.S. and coordinating investment policy. In 1988, Congress gave the president the ability to review and block certain foreign investments that posed a threat to national security, and the president then delegated the review function to CFIUS. The 1988 legislation established the core characteristics of a CFIUS review:
- The standard of review focused exclusively on national security.
- The scope of review focused narrowly on those foreign investments that were—at the time—the most likely to raise national security concerns. Specifically, CFIUS could only review mergers, acquisitions, and takeovers that could result in foreign "control" of a "U.S. business."
- The process was primarily voluntary, and did not put either a screen or a bar on investment from any country, or in any sector of the U.S. economy.
These core characteristics allowed the U.S. to maintain its longstanding open investment posture. The last major reforms to CFIUS prior to FIRRMA, in 2007, focused on process and accountability; they did not materially change the standard or scope of CFIUS reviews or expand its jurisdiction beyond transactions that could result in "control" of a "U.S. business."
Shifting National Security Landscape
During the past several years, U.S. lawmakers and other government officials increasingly have expressed concerns about the ability of some foreign investors, particularly (but not exclusively) Chinese investors, to exploit CFIUS's limited jurisdiction by structuring transactions just below the threshold of "control" or by acquiring assets (including real estate) that would not constitute a "U.S. business."
Such transactions exposed a gap in CFIUS's authorities: These transactions did not fall within the scope of CFIUS review, but nonetheless presented similar national security threats and vulnerabilities. For example, a purchase of real estate that is not a "U.S. business" but that is in close proximity to a sensitive U.S. military facility could provide the foreign buyer an opportunity to surveil sensitive activities at that facility; minority investments (particularly through venture capital and private equity-type structures) might be non-"controlling" but nonetheless provide a foreign investor with access to sensitive information of the target U.S. business.
At the same time, an increase in foreign government-directed investment, globalization of supply chains, emerging commercial technologies with military applications, and technology-enabled collection of, or access to, massive amounts of sensitive personal data were increasing the number and types of U.S. companies considered to have national security vulnerabilities. These trends made CFIUS reviews more complex, and led to more intensive and lengthy reviews and less certainty for transaction parties.
By early 2017, a bipartisan consensus emerged that new legislation was needed to fill these gaps and modernize the CFIUS process by expanding CFIUS's jurisdiction, requiring mandatory filings for certain transactions, and providing CFIUS with more funding and resources. After false starts, competing proposals, and various iterations, FIRRMA became law in Aug. 2018.
FIRRMA’s Effect on CFIUS
FIRRMA enacts important jurisdictional and process changes to CFIUS.
FIRRMA retained CFIUS's ability to review any merger, acquisition, or takeover that could result in foreign control of a U.S. business (referred to as "covered control transactions"), but also expanded CFIUS's jurisdiction in an effort to close the identified gaps. In particular, FIRRMA gave CFIUS two new bases for jurisdiction:
- Certain non-controlling, but non-passive investments in certain US businesses involved with critical technology, critical infrastructure, or sensitive personal data (referred to as "TID US businesses" for technology, infrastructure, and data; and such investments referred to as "covered investments")
- Certain real estate transactions in sensitive areas (referred to as "covered real estate transactions")
Notably, FIRRMA also gives CFIUS the authority to exempt certain types of foreign investors from this expanded jurisdiction. FIRRMA also explicitly gives CFIUS the authority to review changes in rights of a foreign investor in a US business that could result in a "covered control transaction" or a "covered investment," and any other transaction designed or intended to evade or circumvent CFIUS's jurisdiction.
While FIRRMA provided these general contours of CFIUS's expanded jurisdiction, it left most of the detail to be worked out by CFIUS itself through implementing regulations. As a result, FIRRMA gave CFIUS authority to define the scope of its own expanded jurisdiction through the choices that CFIUS will make as to how broadly—or narrowly—to construe concepts such as "sensitive personal data," "critical infrastructure," sensitive geographic areas and the types of foreign investors entitled to exemptions.
The draft implementing regulations released by CFIUS in Sept. 2019 (found here: Proposed FIRRMA Regulations Part 800 and here: Proposed FIRRMA Regulations Part 802) define these new concepts with a high degree of specificity in an effort to retain CFIUS's core characteristic of only reviewing those transactions most likely to raise national security concerns. But the result is a complex matrix of definition-based requirements that appear, in the aggregate, to construe CFIUS's expanded jurisdiction broadly and any exemptions from such expanded jurisdiction extremely narrowly.
For example, in the proposed regulations:
- "Sensitive personal data" includes any amount of genetic information as well as 10 broad categories of identifiable data collected on certain populations or numbers of individuals.
- "Covered investment critical infrastructure" is set forth in a highly detailed appendix, and includes 28 types of such infrastructure across the telecommunications, power, oil and gas, water, and financial sectors, as well as a significant number of businesses servicing the defense industrial base.
- "Covered real estate transactions" are defined with reference to a detailed appendix setting forth 164 military installations, 23 offshore military operating areas and range complexes, and 24 counties associated with missile fields, in addition to a large set of airports and maritime ports (though with notable exceptions for real estate in certain urban areas and single housing units).
- The requirements to be an exempted foreign investor are strict, and tied to an as-yet-unreleased list of "excepted foreign states," which CFIUS has indicated will be a small list.
In short, while CFIUS appears to be attempting to preserve its core characteristic of only having jurisdiction to review those transactions most likely to pose national security concerns, given the recent shifts in the national security landscape as it relates to foreign investment, that set of transactions has significantly expanded.
FIRRMA also made two key process changes: mandatory filing requirements and the creation of short-form filings called "declarations."
For the first time in CFIUS's history, certain categories of transactions have, or could have, a mandatory filing requirement. Although CFIUS has long had the authority to initiate reviews and has in various cases encouraged parties to file non-notified transactions of interest, historically CFIUS did not require filings for any particular categories of transactions. Now, FIRRMA:
- Requires CFIUS to mandate filings prior to closing any "covered control transaction" or "covered investment" that results in the acquisition of a substantial interest (25 percent voting interest, per the proposed regulations) in any TID US business by a foreign person in which a foreign government has a substantial interest (49 percent voting interest, per the proposed regulations). The proposed regulations would require any such filing to be made at least 30 days prior to closing.
- Authorizes (but does not require) CFIUS to mandate filings for "covered control transactions" or "covered investment" in those TID U.S. businesses involving critical technologies.
CFIUS tested its new authority to mandate filings for critical technology transactions in a pilot program initiated in Nov. 2018—essentially a "trial run" of this new authority under FIRRMA. The pilot program, which remains active until CFIUS's final implementing regulations take effect in Feb. 2020, provides an initial view into how CFIUS plans to exercise its enhanced powers under FIRRMA.
Under the pilot program, CFIUS mandated filings of "covered control transactions" and "covered investment" in TID U.S. businesses involved with critical technologies in relation to 27 enumerated "pilot program industries" (such as semiconductor manufacturing and R&D in biotechnology) and required that such filings be submitted at least 45 days before the transaction closes.
The pilot program also tests FIRRMA's second key process change: declarations. Prior to FIRRMA, a CFIUS filing required a "notice," which is a lengthy document containing extensive information about the transaction generally, the foreign acquirer, and the target U.S. business. CFIUS undertakes a "review" of the notice (originally 30 days, but extended to 45 days under FIRRMA), followed by a 45-day "investigation" if additional time is needed.
At the end of the review and investigation period, CFIUS either concludes action on the notice, concludes action with mitigation, or—if no mitigation adequately resolves any national security concerns that CFIUS might identify with the transaction—recommends that the president block or unwind the transaction.
A declaration, by contrast, is about five pages in length and must be assessed by CFIUS within 30 days. At the end of the 30 days, CFIUS may take any of four actions: conclude action (i.e., clear the transaction) on the basis of the declaration, inform the parties that CFIUS is unable to conclude action, but not request or self-initiate a notice (an outcome now commonly referred to as the "shrug"), request that the parties file a notice, or self-initiate a notice. Parties have the option under the pilot program to submit their mandatory filing as either a declaration or a notice. Failure to submit a mandatory filing could be penalized up to the value of the transaction.
The pace of declarations under the pilot program appears to be around 10 per month, which is a far smaller number than most CFIUS observers had been expecting. It is not clear whether the relatively slow pace of declarations indicates that the pilot program was narrowly tailored to only 27 "pilot program industries," that parties have restructured their deals to avoid qualifying for the pilot program's mandatory filing requirement, that there has been significant noncompliance (despite potentially harsh penalties), or that more parties have opted to file full notices instead of declarations (though there has not been a substantial uptick in the number of CFIUS notices so far in 2019). The relatively slow pace of declarations is likely the result of some combination of these factors.
Notably, although CFIUS established the declaration process to enable potentially faster adjudication of mandatory filings, CFIUS has cleared relatively few transactions under the pilot program on the basis of declarations. While official statistics are not available, CFIUS appears most often to give the "shrug."
Globalization of Foreign Investment Review
With expanded jurisdiction and certain mandatory filing requirements, CFIUS is transforming from an obscure committee of isolated impact to a regulatory process that must be considered at the outset of most cross-border investments into the U.S., especially those involving technology, infrastructure, and personal data.
This more robust CFIUS process is just one manifestation of the evolving foreign investment climate. The shifted national security landscape has played out in other US regulatory contexts and in other countries as well.
In the U.S., the government is ramping up review of all foreign activity through the export control regime and through the Foreign Agent Registration Act. The U.S. Department of Commerce's Bureau of Industry and Security, which administers one of two primary export control regimes in the U.S., is in the process of developing new export controls on certain "foundational" and "emerging" technologies, which will be captured within CFIUS's definition of critical technologies.
These new controls are meant to restrict the export of certain technologies, including artificial intelligence, quantum computers and certain biotechnologies, that are not yet controlled or are deemed to be insufficiently protected under existing export control regulations. With respect to FARA, in the last three years federal prosecutors have brought more FARA prosecutions than ever before, coinciding with major staffing changes at the Department of Justice and more aggressive interpretation of the statute in advisory opinions.
Outside the United States, a number of other countries are beginning to implement or strengthen their own foreign investment review processes. The European Union has established a framework for foreign investment review rules and a mechanism for cooperation and information-sharing among member states, while countries such as Germany, the U.K., Canada, France, Australia and Japan are increasing the strength of their current programs.
Meanwhile, FIRRMA instructs CFIUS to establish a formal process to share information with foreign allied governments and coordinate and cooperate on investment security issues; the recently proposed implementing regulations would, over time, require a country to have its own robust foreign investment review process to remain on CFIUS's list of "excepted foreign states" (which, as mentioned above, determines which foreign investors might be exempt from CFIUS's expanded jurisdiction). This demonstrates a concerted U.S. government initiative to assist and incentivize allied countries to strengthen their own foreign investment review systems to help protect U.S. national security interests beyond U.S. borders, and underscores the increasing globalization of CFIUS's outreach efforts.
Preparing for the New CFIUS Regime
CFIUS remains exclusively focused on national security. Its process remains largely voluntary, despite soon having mandatory filing requirements for certain transactions involving substantial foreign government ownership and currently having mandatory filing requirements for certain critical technology transactions under the pilot program. And the bright lines and detailed appendices in CFIUS's proposed implementing regulations exhibit a concerted effort by CFIUS to limit the expansion of its jurisdiction to those transactions most likely to raise national security concerns.
But as a practical matter, the ongoing shift in the national security landscape has thrust CFIUS considerations to the forefront of cross-border transaction strategy. The determination of whether CFIUS will have jurisdiction over a transaction, and whether a filing is mandatory, will more often require an in-depth assessment of the target U.S. business's operations against the detailed criteria and appendices in the CFIUS regulations. While the CFIUS process remains largely voluntary, CFIUS's increased budget and staffing is enabling it to more aggressively pursue non-notified transactions. Where CFIUS does identify national security concerns in a transaction, in recent years CFIUS has shown less willingness to enter into complex mitigation, especially with transaction parties that it deems untrustworthy.
Given the rising significance of the CFIUS process, CFIUS risk can impact the selection of bidders in competitive acquisitions, and the allocation of CFIUS risk (for example, which party bears the costs of CFIUS mitigation, or when a party may terminate a purchase agreement if CFIUS requires burdensome mitigation) often must be carefully negotiated in transaction agreements. Additionally, the timing of the CFIUS process often dictates the timeline for completing transactions.
Companies should carefully assess potential CFIUS risks at the outset of any cross-border transaction involving a target U.S. business, and particularly those transactions in which the potential foreign investor is connected, directly or indirectly, with countries deemed to be strategic competitors of the U.S. (e.g., China and Russia) and/or where the target involves a US business developing leading-edge technologies, critical infrastructure (including 5G network infrastructure, utilities, and the defense industrial base), or access to large amounts of personal data.
Parties should involve CFIUS counsel as early as possible to most effectively develop their transaction structure and CFIUS strategy. CFIUS counsel can help evaluate a contemplated cross-border transaction for potential CFIUS risks, help determine whether a CFIUS filing is mandatory or warranted, and develop a strategy to best protect their clients' interests. While not every foreign investment transaction touching the U.S.—or even most of them—needs to be notified to CFIUS, companies should carefully consider these issues at the front end of transactions to avoid surprises.
In closing, FIRRMA reaffirmed that it is still the policy of the U.S. to welcome foreign investment and maintain an open investment posture. But FIRRMA also makes clear that any such investment must be entirely consistent with the protection of national security. To help ensure such consistency, CFIUS's jurisdiction and process have become broader—in some cases, mandatory—and will be more regularly updated over time as the national security landscape continues to shift.
For more information please speak to your local media contact.