The Committee on Foreign Investment in the United States (CFIUS), which is led by the US Department of the Treasury and made up of US national security and economic agencies—including Defense, State, Justice, Commerce, Energy and Homeland Security—conducts national security reviews of foreign direct investment (FDI) into the United States.
The Foreign Investment Risk Review Modernization Act of 2018 (FIRRMA) significantly overhauled the CFIUS process, including by adding new types of transactions subject to CFIUS review and, for the first time ever, mandating notification to CFIUS in certain cases. New regulations fully implementing FIRRMA's reforms took effect on February 13, 2020, and the CFIUS landscape has continued to evolve since then, as CFIUS avails itself of its greater authorities and resources.
Filing fees apply to notices submitted to CFIUS, but not declarations, though they apply for notices submitted following CFIUS’s assessment of a declaration
TYPES OF DEALS REVIEWED
Historically, CFIUS has had jurisdiction to review any transaction that could result in "control" of a US business by a foreign person. Control is defined as the power direct or indirect, whether exercised or not, to determine, direct or decide important matters affecting an entity. CFIUS interprets control broadly, and notably control can be present even in minority investments. A "US business" is similarly defined and interpreted broadly.
Covered transactions (those subject to CFIUS's jurisdiction) include deals structured as stock or asset purchases, debt-to-equity conversions, foreign-foreign transactions where the target has US assets, private equity investments (in some cases even where the general partner is US-owned) and joint ventures into which a US business is being contributed.
Despite CFIUS's broad historical jurisdiction, in recent years the shifting national security focus in the US, particularly regarding Chinese investment, exposed gaps between the transactions that CFIUS was able to review and those beyond its reach that nonetheless presented potential national security concerns. FIRRMA sought to close these gaps by expanding CFIUS's jurisdiction and mandating filing in certain cases.
FIRRMA also facilitated more robust efforts for CFIUS to identify and review non-notified transactions of interest, which has led to CFIUS reviewing increasing numbers of deals that were not voluntarily notified—including some that closed years earlier.
With respect to investments, in addition to its traditional authorities regarding control transactions, CFIUS now has expanded jurisdiction to review certain "covered investments" in sensitive US businesses referred to as "TID US businesses" under the regulations. (TID stands for Technologies, critical Infrastructure and personal Data.)
TID US businesses are those that:
- Produce, design, test, manufacture, fabricate or develop one or more critical technologies
- Perform certain actions in relation to identified critical infrastructure assets, referred to as "covered investment critical infrastructure"
- Maintain or collect sensitive personal data of US citizens
Certain transactions involving TID US businesses are also subject to mandatory filing requirements.
A covered investment is a non-controlling transaction that affords the foreign investor any of the following with respect to a TID US business:
- Access to any material nonpublic technical information in its possession
- Board membership or observer rights
- Any involvement, other than through voting of shares, in substantive decision-making regarding sensitive personal data of US citizens, critical technologies or covered investment critical infrastructure
Beyond its traditional investment focus, CFIUS now also has jurisdiction to review the purchase or lease by, or a concession to, a foreign person of real estate in the US that is located within, or will function as part of, certain air or maritime ports, or is located in or within certain proximity ranges of identified military installations and areas. Real estate transactions under CFIUS's jurisdiction are not subject to mandatory filing requirements.
CFIUS also has jurisdiction to review changes in rights that would provide control or, for a TID US business, covered investment rights as well as transactions designed to evade CFIUS review.
Non-US investors need to assess early in the transaction process whether the US business subject to the transaction qualifies as a ‘TID US business’
CFIUS filings are usually submitted jointly by the parties, typically the investing entity and the target, to the notified transaction.
Though the CFIUS regulations now mandate filings for certain transactions, CFIUS review remains predominantly a voluntary process, as most transactions subject to CFIUS's jurisdiction do not meet the mandatory filing criteria. Even for transactions under CFIUS's voluntary authorities, CFIUS may request parties notify a transaction of interest and has the authority to initiate reviews directly. CFIUS is pursuing non-notified transactions more aggressively, so the risk of CFIUS reaching out on a non-notified transaction has generally increased compared with past years.
Mandatory filing requirements apply only with respect to controlling investments or covered investments (i.e., "covered transactions") in TID US businesses. Specifically, subject to certain exemptions, mandatory filings are required in the following two circumstances:
- The acquisition of 25 percent or more of the voting interests in a TID US business by a person in which a single foreign government holds, directly or indirectly, a 49 percent or greater voting interest. All parents in the investor's ownership chain are deemed 100 percent owners, so dilution of ownership interests is not recognized for purposes of this test
- A foreign investment in a TID US business involved with critical technologies, where one or more "US regulatory authorizations" (for example, export licenses) would be required to export, re-export or retransfer any of the US business's critical technologies to the investor or any person holding a 25 percent or greater, direct or indirect, voting interest in the investor. With a few exceptions, mandatory filing is required even where such critical technologies would be eligible for export to the relevant foreign person under a license exception
If a mandatory filing applies, notification by a declaration or notice must be submitted to CFIUS at least 30 days prior to the transaction's completion date.
FIRRMA also introduced the concept of "excepted investors," which are not subject to CFIUS's expanded jurisdiction for covered investments or real estate transactions and are exempt from mandatory filing requirements.
Excepted investors and their parents must meet relatively strict nationality-related criteria related to "excepted foreign states," which are currently Australia, Canada and the United Kingdom (though this list can change). Excepted investors are not exempt from CFIUS's general jurisdiction, only from CFIUS's expanded authorities under FIRRMA.
Most transactions subject to CFIUS jurisdiction do not trigger mandatory filing
SCOPE OF THE REVIEW
CFIUS reviews focus solely on national security concerns. CFIUS conducts a risk-based analysis based on the threat posed by the foreign investor, the vulnerabilities exposed by the target US business and the consequences to US national security of combining that threat and vulnerability.
Based on its risk assessment, CFIUS determines whether the transaction presents any national security concerns. If CFIUS identifies such concerns, it first determines whether other provisions of US law can sufficiently address them. If no other provisions of US law adequately address the concerns, CFIUS next determines whether any mitigation measures could resolve the concerns. If mitigation is warranted, CFIUS will typically negotiate terms with the parties, which will be a prerequisite to CFIUS clearing the transaction.
If CFIUS determines that mitigation cannot adequately resolve its concerns, CFIUS will typically request that the parties abandon their transaction (or the foreign buyer divest its interest in the US business if the review happens following closing).
If the parties will not agree to abandonment or divestment, CFIUS can recommend that the President of the United States block the transaction, as only the President has the authority to prohibit a transaction. Presidential blocks are relatively rare, though they have happened more frequently in recent years. It is still more typical for parties to agree to terms for abandonment or divestment directly with CFIUS. Although the CFIUS process is confidential, presidential blocking orders are public.
The number of CFIUS reviews continues to remain high—with the number of transactions notified to CFIUS increasing substantially in 2020
REVIEW PROCESS AND TIMELINE
There are now two options for how parties can notify a transaction to CFIUS: a declaration, which is a short-form filing reviewed on an expedited basis; or a voluntary notice, which is the traditional CFIUS notification mechanism. Both declarations and notices include required information about the investor and its owners, the US business that is the subject of the transaction, and the transaction itself. For both declarations and notices, CFIUS will also typically request additional information via Q&A during the review.
Following the initial submission, the declaration process typically takes approximately five to six weeks, and the notice process usually takes up to three to five months. Following its assessment of a declaration, CFIUS may request the parties file a notice, so in those cases the total process for a transaction notified by declaration will take longer. For complex transactions, deals expected to be more sensitive from a national security standpoint, or in cases where parties want to be assured the certainty of CFIUS clearance, it may be advisable for the parties to start with a notice.
Once accepted by CFIUS, a declaration is assessed in 30 calendar days. At the end of the 30 days, CFIUS may take one of four actions: clear the transaction; inform the parties that CFIUS cannot clear the transaction on the basis of the declaration, but not request a notice (commonly referred to as the "shrug"); request that the parties file a notice for the transaction; or initiate a unilateral review.
Though the shrug outcome does not confer "safe harbor" as a clearance does—after a shrug, CFIUS could potentially request a notice for the transaction in the future—in our experience clients have often found the shrug outcome to be sufficient for closing.
For a notice, the parties initially submit a draft "prefiling" on which CFIUS will provide comments and follow-up questions. After addressing those comments, parties will formally file the notice with CFIUS. CFIUS then has to accept the filing, after which a 45-calendar-day initial review begins. At the end of the review, CFIUS will either clear the transaction or proceed to a 45-calendar-day investigation. About half of cases now proceed to investigation, which reflects significant improvement since FIRRMA was enacted in 2018.
An investigation may be extended for one 15-calendarday period in "extraordinary circumstances." If a transaction is referred to the President, the President has 15 calendar days to decide whether to prohibit the transaction. In some cases, CFIUS will need additional time to complete its process, such as when negotiating mitigation measures with the parties. In such circumstances, CFIUS may allow the parties to withdraw and resubmit the filing, which restarts the initial 45-day review period. Most transactions are cleared in one CFIUS cycle.
Filing fees apply to notices submitted to CFIUS, but not declarations, though they apply for notices submitted following CFIUS's assessment of a declaration. Fees are assessed based on a tiered approach, providing for a proportional cost equal to or less than 0.15 percent of the transaction value. The lowest fee is US$750 for transactions valued between US$500,000 and US$5 million (transactions under US$500,000 are not subject to fees), and the highest-tier fee is US$300,000 for transactions valued at US$750 million or more.
FIRRMA—the most significant CFIUS overhaul in more than a decade—has now been fully implemented. This has resulted in a number of key changes to the CFIUS process, such as mandatory filings for certain transactions, an expansion of CFIUS's jurisdiction, the introduction of a new expedited filing option, and more aggressive pursuit of non-notified transactions.
Non-US investors need to assess early in the transaction process whether the US business subject to the transaction qualifies as a "TID US business"—one involved with critical technologies, certain critical infrastructure or sensitive personal data of US citizens—as foreign investments in TID US businesses are subject to CFIUS's expanded jurisdictional reach and may trigger mandatory filing requirements. Penalties for not complying with mandatory filing obligations can be up to the value of the transaction.
Most transactions continue to be cleared by CFIUS without mitigation, but when CFIUS does have concerns, the consequences can be substantial, including unexpected costs and measures that can frustrate deal objectives. Investors must assess potential CFIUS risks and plan transactions carefully to protect themselves. Such assessments should also include determining the advisability of filing via a declaration or notice. The declaration filing option is proving to be a useful tool for many transactions, but parties should account for potential delays if CFIUS requests a notice.
CFIUS has also been pursuing non-notified transactions of interest more aggressively, while also ramping up compliance and enforcement efforts related to mitigation agreements. This changes the risk equation for not notifying CFIUS voluntarily since it is now more likely that CFIUS may reach out to request a filing, even post-closing. If CFIUS officials reach out with questions regarding a non-notified transaction or about mitigation compliance matters, it is advisable to engage CFIUS counsel right away.
TRENDS IN THE CFIUS PROCESS
Many of CFIUS's concerns—including those addressed in FIRRMA—relate to Chinese and Chinese-connected investments in the US. Despite the substantial decline in Chinese investment in the US in recent years, China continues to be a substantial focus of CFIUS. Beyond new Chinese investments, this includes potential Chinese ties to FDI from other countries, as well as non-notified transactions that were previously closed, sometimes years prior. Based on our experience and information reported by CFIUS, we also note the following other key trends related to CFIUS.
Mandatory filing requirements mean CFIUS must be considered: Most transactions subject to CFIUS jurisdiction do not trigger mandatory filing. Now that there are mandatory CFIUS filing requirements—with potential penalties for non-compliance up to the value of the transaction—parties need to consider CFIUS issues much more carefully in connection with potential cross-border transactions. The jurisdictional analysis under FIRRMA has also grown increasingly complex, particularly for non-controlling transactions.
Parties are considering these issues, frequently addressing them in due diligence, and often incorporating CFIUS-related provisions into transaction agreements, even where no CFIUS filing is being made, to provide themselves with additional protection regarding potential CFIUS compliance obligations.
Aggressive pursuit of non-notifieds changes the risk equation on voluntary filings: Most transactions subject to CFIUS jurisdiction do not trigger mandatory filing, meaning parties can choose whether to voluntarily notify CFIUS. The risk of not voluntarily filing is that CFIUS could learn of the transaction, request a filing, and ultimately require mitigation measures or recommend divestment to address national security concerns. Post-closing, the parties—particularly the buyer—have no contractual protections against such actions. Historically, the practical risk of CFIUS pursuing a non-notified transaction was usually quite low, but with substantially increased resources and focus, this has become a more significant risk consideration and it is getting increasingly difficult for potentially sensitive deals to "fly under the radar."
Parties may also want to obtain CFIUS clearance upfront to "future proof" their deals in case evolving national security interests or geopolitical dynamics might later make CFIUS interested in reviewing a long-closed deal. For example, ten years ago data collection was not generally considered a national security issue, but given how data has become crucial to a broad range of industries and is now widely collected, this has become a frequent CFIUS focus area, including in pursuing reviews of completed transactions. So far, as would be expected, the outreach on past transactions has largely seemed aimed at deals involving Chinese and Russian investors.
Declarations can be a valuable tool for expedited CFIUS review: When the FIRRMA regulations took effect in February 2020, declarations became a notification option for all covered transactions. In our experience, clients have been availing themselves of this option and have often found it to be effective for transactions that do not seem likely to present substantial national security concerns. This trend is also reflected in CFIUS's reporting. In 2020, there were 126 declarations submitted (up from 96 in 2019, when only transactions subject to the CFIUS Pilot Program were eligible), which corresponded to the number of formal notices declining from 231 to 187.
CFIUS has also been clearing more transactions via declarations. In 2020, approximately 64 percent of cases notified by declaration were cleared by CFIUS. This was a sharp increase from 2019, when approximately 37 percent of declarations resulted in CFIUS clearance. This increase was largely due to fewer cases receiving the "shrug" outcome. In 2020, only approximately 13 percent of declarations received the shrug, compared with approximately 34 percent in 2019. Notice requests following assessments of declarations also declined in 2020 to approximately 22 percent of cases compared with approximately 28 percent in 2019. Overall, the decision of whether to notify a transaction via a declaration or notice has become a key issue in CFIUS strategy planning, and a variety of factors must be weighed, including complexity and potential sensitivity of the transaction, and timing considerations.
Threats and vulnerabilities considered broadly: CFIUS's risk-based analysis is broad and considers various types of potential "threats" and "vulnerabilities." For example, CFIUS routinely reviews transactions for "third-country threats"—channels through which China and other deemed strategic competitors might cause harm through the foreign investor (even if the foreign investor itself is not from such a country). On the vulnerability side, FIRRMA identified key areas of potential substantive sensitivity with its expanded authorities over investments in TID US businesses and its new real estate jurisdiction.
This does not mean that critical technologies, critical infrastructure, sensitive personal data and close proximity are the only areas of concern to CFIUS. The concept of national security remains broad, and CFIUS has shown interest in transactions covering a range of industries. Indeed, we have seen CFIUS pursue reviews of numerous non-notified transactions—and identify national security risks—where the US business did not qualify as a TID US business or involve covered real estate. External events can also affect national security sensitivities, such as an increased focus on health and supply chain security issues in light of the COVID-19 pandemic.
Continued emphasis on compliance and enforcement: FIRRMA provided additional resources for compliance and enforcement, and CFIUS officials have indicated that they will be looking closely at compliance with existing mitigation agreements. CFIUS issued its first penalty in 2018, which was for US$1 million for repeated violations of a mitigation agreement. CFIUS also issued another penalty in 2019 for US$750,000 for violations of an interim CFIUS order.
CFIUS did not assess or impose any penalties due to a material breach in 2020, though CFIUS reported that remediation activities were instituted in three cases for minor violations. CFIUS officials are currently working on promulgating enforcement guidelines. Parties under existing mitigation agreements, or parties entering into new ones, should focus on compliance to avoid potential CFIUS enforcement action.
HOW FOREIGN INVESTORS CAN PROTECT THEMSELVES
It is critical for foreign investors to consider CFIUS issues—including assessing jurisdictional matters, whether mandatory CFIUS filing will apply, and potential substantive risks—as early as possible in cross-border transactions involving foreign investment (direct or indirect) in a US business. Notably, this includes minority and venture capital investments. Given potentially severe penalties for noncompliance, parties need to know early whether filing will be required—and where it is not, may want to include relevant representations in the purchase agreement to provide additional protection.
In cases where filing is mandatory or the parties voluntarily notify CFIUS, allocation of CFIUS mitigation risk will be a key issue. Most transactions are cleared without mitigation, but when it is required, mitigation can have a substantial impact on transaction goals and present unexpected costs. The range of mitigation measures that can be imposed by CFIUS is quite broad (based on the risk profile of the deal), and it is important for investors in particular to have as clear an understanding as possible with respect to what mitigation measures would be acceptable to them.
2021 UPDATE HIGHLIGHTS
- The number of CFIUS reviews continues to remain high—with the number of transactions notified to CFIUS increasing substantially in 2020, and more parties notifying CFIUS via declarations. Though not always advisable, declarations often prove an attractive and useful option for parties, particularly for transactions that are not expected to present substantial national security concerns
- It is important to analyze potential CFIUS issues early in the deal process—including assessing whether mandatory filing requirements apply—and, where relevant, incorporate CFIUS-related terms into transaction agreements
- The substantial decline in Chinese investment in the US correlated with a notable decrease in transactions being stopped by CFIUS. China, however, remains a key focus of CFIUS—including assessment of Chinese-related risks for transactions involving non-Chinese investors
- CFIUS has substantially increased its pursuit of non-notified transactions of interest, including for transactions that previously closed, even years ago. Senior CFIUS officials have explicitly stated that no deal is too small or too old for them to pursue if it might raise national security considerations
- CFIUS continues to approve most notified transactions without mitigation measures
- Notwithstanding mandatory filing requirements, CFIUS remains predominantly a voluntary process
- Declarations—short-form CFIUS filings that are reviewed on an expedited basis—can be a valuable tool for parties in transactions that do not present national security concerns
- Where CFIUS has national security concerns, it can impose mitigation conditions that can have significant implications on the foreign investor's involvement with the US business and increase costs. It remains critical for investors to consider mitigation risks at the outset and negotiate protections into the transaction agreement
- The decrease in Chinese investment in the US has correlated with a decline in transactions being stopped by CFIUS, though China remains a key CFIUS focus even in non-Chinese transactions
- CFIUS's increasingly aggressive pursuit of non-notified transactions means closed deals could come under CFIUS scrutiny and parties to new deals should carefully assess CFIUS considerations when determining whether to voluntarily notify CFIUS
This publication is provided for your convenience and does not constitute legal advice. This publication is protected by copyright.
© 2021 White & Case LLP