On September 24, 2019, the U.S. Treasury Department, as chair of the Committee on Foreign Investment in the United States (“CFIUS” or the “Committee”), issued two proposed regulations (“Proposed Regulations”) to further implement the Foreign Investment Risk Review Modernization Act of 2018 (“FIRRMA”). Historically, CFIUS was empowered to review transactions that resulted in a foreign acquisition of control over a U.S. business to determine the potential impact on U.S. national security. Pursuant to FIRRMA, at more than 300 pages in length, the Proposed Regulations expand CFIUS’ jurisdiction to cover non-passive but non-controlling investments, whether direct or indirect, in U.S. businesses involved in critical technology, critical infrastructure or sensitive personal data, and certain real estate transactions. The Proposed Regulations also indicate that, for the first time, investors from certain “Excepted Foreign Countries" may receive preferential treatment, including in certain circumstances exemption from CFIUS review.

Background on Proposed Regulations

CFIUS, an interagency committee principally comprising nine members and chaired by the Secretary of the Treasury, has broad powers to initiate reviews of transactions, impose mitigation measures, suspend transactions, and, where appropriate, recommend that the President block or unwind a transaction.

FIRRMA made several substantial changes to the CFIUS process, including by:

  • Expanding the scope of CFIUS jurisdiction to permit review of a wider range of transactions;
  • Authorizing CFIUS to mandate notifications regarding certain types of transactions;
  • Adopting a new, short-form declaration process to notify the Committee about potentially covered transactions;
  • Extending the time period for CFIUS to conduct its review;
  • Strengthening the Committee’s authority to restrict transactions that threaten U.S. national security; and
  • Making other changes that impact non-U.S. investors and their U.S. targets.

To implement FIRRMA, CFIUS began with a pilot program in November 2018 to expand jurisdiction to certain non-controlling investments and mandate notifications to CFIUS in certain circumstances. The pilot program remains in place and is not impacted by the Proposed Regulations. The two September 2019 Proposed Regulations implement most of the remaining provisions of FIRRMA. Notable exceptions are described below.

One of the Proposed Regulations implements the majority of FIRRMA, in particular regarding businesses associated with critical technology, critical infrastructure, and sensitive personal data (technology, infrastructure, and data are defined together as “TID”) (TID Proposed Regulation) and is described below. The second Proposed Regulation expands CFIUS jurisdiction over certain real estate transactions (Real Estate Proposed Regulation) and is described separately here. CFIUS also published Frequently Asked Questions along with these Proposed Regulations.

The comment period for the Proposed Regulations will close on October 17, 2019, and final regulations must take effect by February 13, 2020.

Highlights from Proposed Regulations

1. CFIUS Jurisdiction Expanded to Include Non-Controlling “Covered Investments” in TID U.S. Businesses

CFIUS has jurisdiction over all “covered control transactions,” which, under the previous law, included mergers, acquisitions and takeovers that could result in a non-U.S entity’s control over a U.S. business.

FIRRMA expanded CFIUS jurisdiction to include non-passive but non-controlling investments, termed "covered investments," in certain U.S. businesses that permit a non-U.S. person to access material non-public technical information, appoint a board director or observer, or be involved in substantive decision-making of the U.S. business beyond voting shares. CFIUS has retained the term "covered transaction" to include both "covered control transactions" and "covered investments" as well as transactions designed to evade CFIUS review.

The new authority expands CFIUS jurisdiction to cover a non-controlling investment in a TID U.S. business that:

(1) produces, designs, tests, manufactures, fabricates or develops one or more critical technologies,

Critical technology includes defense items on the U.S. Munitions List, certain items on the Commerce Control List, specified items related to the nuclear energy industry, select agents and toxins, and “emerging and foundational technologies,” which, as discussed below are still being defined. Distinct from the pilot program for mandatory filings in connection with critical technology investments, the Proposed Regulation applies to voluntary filings and does not include a requirement that the critical technology be involved in one of 27 selected industries; a non-U.S. investment in any U.S. business that produces, designs, tests, manufactures, fabricates or develops critical technologies could be subject to CFIUS jurisdiction.

(2) owns, operates, manufactures, supplies or services critical infrastructure, or

Critical infrastructure under FIRRMA refers to systems and assets “whether physical or virtual, so vital to the U.S. that the incapacity or destruction of [them] would have a debilitating impact on national security.” Covered critical infrastructure has a wide range, including, among other sectors, the defense-industrial base, energy, telecommunications, utilities, and financial services.

The TID Proposed Regulation delineates what constitutes critical infrastructure in Appendix A to Part 800 (Column 1 (covered infrastructure type), and Column 2 (covered infrastructure function)). Only non-controlling investments in a U.S. business that is listed in Column 1 and performs the function in Column 2 will be captured by CFIUS’ expanded jurisdiction. For example, while internet protocol networks are identified as a potential critical infrastructure sector, only investments in U.S. businesses that own or operate such networks would be considered a covered investment in critical infrastructure. U.S. businesses that merely supply or service internet protocol networks would not be captured (unless they are caught by other provisions).

(3) maintains or collects sensitive personal data (“SPD”) that may be exploited in a manner that threatens U.S. national security.

FIRRMA expanded CFIUS’ jurisdiction to include authority to broadly review transactions involving SPD. The TID Proposed Regulation focuses this authority based on the sensitivity of the data, the sensitivity of the population about whom the data is maintained or collected, and whether the data can be used to distinguish/trace a person’s identity. This focused definition narrows the range of U.S. businesses potentially subject to review.

Under the TID Proposed Regulation, “sensitive personal data” would include certain types of identifiable data maintained or collected by a U.S. business that targets or tailors its products or services to sensitive U.S. Government personnel or maintains or collects such data on greater than one million individuals (or has a demonstrated business objective to surpass this threshold). “Sensitive personal data” also includes genetic information such as genetic tests, family disease histories, or genetic counseling. Examples of categories of SPD include: consumer reports, mortgage applications, insurance applications, geolocation data from mobile mapping applications and GPS services, biometric identification or genetic information, and government personnel security clearance applications. These examples demonstrate that some sectors of the economy not traditionally considered sensitive from a national security perspective now may be subject to CFIUS scrutiny.

2. Certain Foreign Government Investors and Investments Subject to Extra Scrutiny and Mandatory Filing Requirements

Under the TID Proposed Regulation, certain foreign government-controlled investments in TID U.S. businesses would be subject to mandatory filing requirements. Specifically, mandatory filing requirements would apply to transactions in which a non-U.S. government holds a 49% or greater direct/indirect interest in a non-U.S. person that obtains a 25% or greater direct/indirect interest in a TID U.S. business. (Importantly, the foregoing thresholds for mandatory filings apply only in the foreign government context described above; CFIUS has broad jurisdiction and a voluntary CFIUS filing may be advisable for non-U.S. investors acquiring less than these thresholds.)

Parties subject to a mandatory filing may submit a short-form declaration instead of a full notice. Such mandatory filings must be submitted 30 days prior to the completion of the transaction. Notably, this is a departure from the pilot program where parties have 45 days to submit such a declaration.

Failure to comply with the mandatory filing requirement may result in potential penalties of the greater of $250,000 per violation or the value of the transaction.

3. CFIUS Maintains Private Equity Exception for U.S. Investment Funds

FIRRMA also narrows CFIUS’ jurisdiction by exempting certain investments by funds.

An indirect investment through an investment fund that affords a non-U.S. investor membership as a limited partner is not a covered transaction as long as certain requirements are met, including that:

(i) the fund is managed by a U.S. general partner (or equivalent),

(ii) the fund board or committee on which the non-U.S. limited partner sits does not have control over the U.S. fund’s management or investment decisions, and

(iii) the non-U.S. limited partner does not have access to material non-public technical information of the target company, and other potential requirements.

Accordingly, an indirect, non-controlling investment by a non-U.S. limited partner in an investment fund will not be subject to CFIUS jurisdiction simply because the non-U.S. limited partner (or a designee) is given membership rights regarding advisory boards or committees of the fund, but it may be subject to CFIUS jurisdiction if the foreign limited partner has access to certain information or is granted certain control or decision-making rights regarding the actions taken by the fund.

The exception is intended for passive investments in a U.S. investment fund by a non-U.S. person. As discussed above, if a non-U.S. person has control over the fund’s management/investment decisions, and/or has access to material non-public technical information, CFIUS would not consider such an investment to meet the passivity requirement.

Investments through funds controlled by non-U.S. persons will be subject to the expanded CFIUS jurisdiction described above. As discussed below, foreign-controlled funds should monitor how CFIUS will handle “Excepted Foreign Countries” (defined below) and excepted investors from such countries.

4. Transactions Involving Real Estate Co-Located Near U.S. Defense Facilities Will Be Subject to Review by CFIUS

FIRRMA expanded CFIUS jurisdiction to cover real estate transactions that pose national security risks, as described in detail in our companion analysis.

5. Incremental Acquisitions by Non-U.S. Persons in U.S. Businesses Subject to CFIUS Review

In circumstances where non-U.S. persons acquire an additional interest in U.S. businesses that CFIUS previously reviewed/cleared, the additional interest will be subject within CFIUS’ jurisdiction and potentially subject to review.

What’s Ahead?

While the Proposed Regulations offer important guidance, investors should expect additional proposed regulations from the U.S. Government to complete implementation of FIRRMA. While the Proposed Regulations are subject to public comment, they must become effective by February 13, 2020 under FIRRMA.

1. CFIUS Filing Fees Forthcoming

FIRRMA authorized CFIUS to impose filing fees not in excess of the lesser of 1% of the value of the transaction or $300,000 (inflation-adjusted). The TID Proposed Regulation states that CFIUS soon will publish a proposed regulation regarding filing fees.

2. Certain Non-Controlling Investments by Allies to be Exempt from CFIUS Jurisdiction

Historically, CFIUS did not provide country-wide exemptions from applicable regulations. The Proposed Regulations indicate a change in direction, as a list of “Excepted Foreign Countries” will be published. The timing is unknown, and CFIUS stated that it may delay implementation of this exemption. Excepted Foreign Countries will be selected by a super-majority of CFIUS member agencies – a notable deviation from the historic approach to decision-making by consensus, perhaps acknowledging the sensitivity of this issue. While the precise criteria for qualification as an Excepted Foreign Country are not yet fixed, they will include establishment of a robust foreign investment review process and coordination with the United States on matters of investment security. Given the diplomatic and national security issues related to the creation of this white list, we expect that the initial list of countries will be quite limited.

Under certain circumstances (nationality alone will not suffice), foreign investors with ties to Excepted Foreign Countries may be exempted from filing requirements regarding non-passive but non-controlling investments in TID Businesses. At the same time, transactions resulting in control of a U.S. business will remain subject to CFIUS jurisdiction. Fund managers will continue to diligence potential investors and carefully consider the rights to be afforded to limited partners bearing in mind the potential impact on CFIUS exemptions and mandatory filings.

3. Voluntary Declarations Process & Future of Pilot Program Forthcoming

Parties whose investments are subject to CFIUS jurisdiction, but not to a mandatory filing requirement, would be permitted under the Proposed Regulations to file a short-form voluntary declaration instead of a full notice. Parties may still file a full notice if they wish to do so. The Proposed Regulations suggest that voluntary declarations will be based on the existing critical technology pilot program mandatory declarations.

It will be important to monitor whether/how the pilot program as a whole will be amended by CFIUS. Under the pilot program, CFIUS may respond to a short-form declaration by informing parties that it: (1) has cleared the transaction, (2) is initiating a unilateral review, (3) is requesting that the parties submit a full formal notice, or (4) is unable to reach a decision regarding clearance on the basis of the declaration alone. Under this last option, transaction parties do not have the investment protection that accompanies formal CFIUS clearance and do not have clear guidance from CFIUS as to how to proceed. As a result, even in the first year of the pilot program, many parties already have determined that it is preferable to submit a full formal notice from the outset so as to be guaranteed a final response from CFIUS that will provide certainty.

4. Emerging/Foundational Technologies Definitions Forthcoming from Commerce Department

The TID Proposed Regulation does not change the pilot program’s definition of a critical technology. Critical technologies include items controlled under the U.S. export control measures, including items that the U.S. Commerce Department will identify as “emerging” or “foundational” technologies pursuant to the Export Control Reform Act of 2018. The Commerce Department is expected to promulgate guidance on these issues in the near-term.


The new regulations will give effect to a wide array of changes to CFIUS’ powers and to the CFIUS review process. They provide meaningful additional guidance but add considerable complexity. These changes reinforce the importance of considering CFIUS implications early in the process of developing plans to pursue investments in and acquisitions of U.S. businesses.