The Committee on Foreign Investment in the United States (CFIUS) last week added considerable teeth to its powers through draft regulations implementing key provisions of the Foreign Investment Risk Review Modernization Act of 2018 (FIRRMA), which last August overhauled the U.S. law governing CFIUS national security reviews. The proposed rules expand CFIUS jurisdiction beyond controlling investments, which are defined as those transactions that give foreign investors authority to make important business decisions for a U.S. business, to cover certain noncontrolling investments.
The proposed rules would extend jurisdiction to non-controlling investments in U.S. critical infrastructure, critical technologies, U.S. ports, real estate in close proximity to sensitive U.S. Government facilities and businesses that collect sensitive personal data of U.S. citizens. The draft rules, which are subject to public comment, also expand the situations in which parties are required to make a CFIUS declaration or file a notice. In addition to those critical technologies listed in regulations finalized last November, acquisitions by foreign government-controlled entities of significant stakes in certain U.S. businesses also now require declarations or notifications. The regulations also start a process for delineating those U.S. allies that will in certain cases not be subject to certain CFIUS requirements.
Congress made it clear through its long deliberation process over FIRRMA that it was concerned that China was gaining access to sensitive U.S. technologies despite U.S. export control requirements and getting a foothold in U.S. critical infrastructure, often through minority and noncontrolling investments. Congress addressed these perceived loopholes through FIRRMA by expanding jurisdiction to the non-controlling investments listed above and by starting a process to expand export licensing requirements for certain U.S. technology through the Export Control Reform Act of 2018, which was companion legislation to FIRRMA.
When FIRRMA was enacted last August, however, many of FIRRMA's most significant changes were put off until CFIUS could craft rules for dealing with these issues. Last November, CFIUS took the first step in this process by setting up a pilot program extending CFIUS jurisdiction to certain noncontrolling foreign investments in certain U.S. critical technology businesses and by subjecting those investments, whether controlling or not, to a mandatory short-form CFIUS declaration. Prior to FIRRMA, CFIUS filings were generally voluntary, although CFIUS had the authority to self-initiate a formal review.
These new regulations address most of the remaining key areas of FIRRMA, are comprehensive and go well beyond the November 2018 pilot program. They are subject to public comment for a 30-day period.
NEW RULES FOR NON-CONTROLLING INVESTMENTS IN US CRITICAL TECHNOLOGY, CRITICAL INFRASTRUCTURE AND COMPANIES COLLECTING SENSITIVE DATA
US Technology, Infrastructure and Data Companies
CFIUS has previously limited its jurisdiction to controlling investments, a term that did not require a majority equity share but was rather defined by looking at governance, equity and other factors, so that for example board seats and a minority equity stake could be considered a controlling interest. CFIUS defines such a transaction as a "covered transaction." CFIUS maintains this term in the new regulations, but also coins a new term, "covered investment," to include investments that due to lack of governance or equity could not be considered controlling but over which CFIUS may assert jurisdiction primarily to stop access to sensitive data or technology. The draft regulations define covered investment as direct or indirect, non-controlling foreign investments in certain U.S. technology, infrastructure and data companies, or "TIDs." Mirroring FIRRMA, the proposed new rules for covered TID investments only apply when the investments would give the foreign investor access to any material nonpublic technical information in the possession of the U.S. business; membership or observer rights on the board of directors of the U.S. business; or any involvement, other than through voting of shares, in substantive decision making of the U.S. business regarding sensitive personal data of U.S. citizens, U.S. critical infrastructure or U.S. critical technologies.
FIRRMA extended CFIUS jurisdiction to certain non-controlling investments in any unaffiliated U.S. business that owns, operates, manufactures, supplies or services critical infrastructure.
For controlling investments, the existing CFIUS regulations define critical infrastructure broadly as "systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems or assets would have a debilitating impact on national security." The new draft regulations supplement that definition for non-controlling foreign investments in U.S. critical infrastructure by specifically listing those sectors and functions that fall within the rule for non-controlling investments. For example, in the sector labeled "crude oil storage facility with the capacity to hold 30 million barrels or more of crude oil," CFIUS could assert jurisdiction over a non-controlling foreign investment in a U.S. business that "owns or operates any crude oil storage facility with the capacity to hold 30 million barrels or more of crude oil." In other words, CFIUS is limiting its reach to businesses whose activities in these sectors really could affect national security. For example, an investment in a U.S. business that provides janitorial services at a facility in a covered sector may not be covered by the new rules, but it might be if its employees had access to sensitive information.
The list of covered sectors and associated functions is included in an appendix to the proposed regulations. As would be expected, these sectors include internet and telecommunications networks, submarine cable systems, data centers, satellite systems, certain specialty metals used in defense production, energy transmission and generation, oil refineries, LNG terminals, rail lines, stock exchanges, interstate gas and oil pipelines, airports, maritime ports, among many others.
Personal Data of US Citizens
FIRRMA extended CFIUS jurisdiction to certain non-controlling foreign investments in U.S. businesses that maintain or collect sensitive personal data of U.S. citizens that may be exploited in a manner that threatens national security. Given the widespread collection of data by U.S. businesses, there has been considerable consternation among investors over how far CFIUS might go in restricting foreign investment based on these criteria. CFIUS has taken a relatively conservative approach in the new regulations, limiting its reach to specific categories of identifiable data collected by U.S. businesses that "target or tailor" their products or services to sensitive U.S. Government personnel or contractors, maintain or collect such data on greater than one million individuals, or aspire to, and such data is an integrated part of the U.S. business's primary products or services.
The regulations define "personal sensitive data" as "identifiable data" including genetic information, data that could show financial problems of individuals, data in consumer reports, health-related data, including "data relating to the physical, mental, or psychological health condition of an individual," non-public electronic communications, geo-collection data, biometric enrollment data, U.S. Government security-clearance data, and state or federal identification data, among others.
FIRRMA extended CFIUS jurisdiction to certain non-controlling investments in U.S. businesses that design, test, manufacture, fabricate, or develop one or more critical technologies. "Critical technologies" is defined in the new draft regulations to include certain items subject to export controls and other existing regulatory schemes, as well as emerging and foundational technologies controlled pursuant to the Export Control Reform Act of 2018. That law directed the President to start an interagency process to identify "emerging and foundational technologies" that "are essential to the national security of the United States" and not already included in existing definitions of critical technologies, a process that is still underway.
CFIUS regulations implemented in November 2018 created a pilot program requiring a mandatory, short-form declaration in cases in which a foreign person makes a controlling or certain non-controlling investment in an unaffiliated U.S. business that produces, designs, tests, manufactures, fabricates, or develops any of 27 critical technologies listed in those regulations. The proposed rule issued last week would not change that program, but CFIUS does signal that it is considering modifying it, specifically with respect to the mandatory declaration requirement for the listed technologies. CFIUS notes in the discussion of the draft regulations that it continues to evaluate the pilot program and "welcomes comments on the retention of the mandatory declaration aspect" of it, perhaps signaling a relaxation of the rule.
SPECIAL RULE FOR INDIRECT INVESTMENTS THROUGH INVESTMENT
The draft regulations also further clarify FIRRMA rules regarding indirect investments by a foreign person in an unaffiliated TID U.S. business through an investment fund in which the foreign person is a limited partner or equivalent on the fund's advisory board or a committee of the fund. In such cases, "the foreign limited partner's membership on the investment fund's advisory board or committee does not in and of itself render the foreign person's indirect investment in an unaffiliated TID U.S. business a covered investment," provided the following:
- The fund is an investment company, as defined in section 3(a) of the Investment Company Act of 1940;
- The fund is managed exclusively by a general partner who is not the foreign person;
- Neither the advisory board nor the foreign person has the ability to approve, disapprove, or otherwise control investment decisions of the fund or the entities in which the fund is invested or to unilaterally select or dismiss the general partner; and
- The foreign person does not have access to material non-public technical information as a result of its participation on the advisory board or committee.
MANDATORY AND VOLUNTARY DECLARATIONS
CFIUS did not, in the new draft regulations, extend the mandatory declarations applied in the pilot program to all critical infrastructure or personal data investments, but it did implement a FIRRMA provision requiring such declarations when the investor is a foreign government or an investor controlled by a foreign government. FIRRMA provides that parties to a covered transaction shall submit mandatory short-form declarations to CFIUS if the transaction would result in the acquisition of a substantial interest by a government-controlled entity in a U.S. critical infrastructure or critical technologies business or one that maintains or collects sensitive personal data of U.S. citizens. The proposed regulations define "substantial interest" for this purpose as a 25 percent voting interest, direct or indirect, in a U.S. TID business. The regulations also declare that a foreign investor is government controlled when it is at least 49 percent owned by a foreign government.
In addition, the new regulations set out rules and information requirements for filing voluntary short-form declarations instead of longer notices. The declarations require less information and have shorter CFIUS deadlines, but CFIUS may after reviewing the declarations inform parties that a full CFIUS notice is necessary in order to receive a CFIUS letter that there are no unresolved national security issues related to the transaction.
INVESTORS FROM CERTAIN COUNTRIES GET A PASS
The draft regulations create an exemption for foreign investors from certain countries, termed "excepted investors," based on their ties to a list of presumably close U.S. allies. The regulations provide that the excepted investor must be from a "group of eligible foreign states, which will be separately published on the Department of the Treasury website. As this is a new concept with potentially significant implications for the national security of the United States, CFIUS initially intends to designate a limited number of eligible foreign states. CFIUS plans to review this group in the future and potentially expand the number of eligible foreign states. Such "excepted investors" must be organized under the laws of the excepted foreign state or in the United States and have their principal place of business there, and their board members must be U.S. nationals or foreign nationals from an excepted foreign state. The excepted foreign investor would still be subject to the rules defining control under the CFIUS regulations, and could not have recently violated OFAC sanctions or certain other U.S. laws.
SEPARATE REGULATIONS ON SENSITIVE REAL ESTATE
FIRRMA extends CFIUS jurisdiction to certain non-controlling investments in real estate, including those involving property located at U.S. ports or those in close proximity to U.S. military installations or sensitive U.S. Government facilities when such proximity could expose national security activities there. In entirely separate regulations focused only on real estate, CFIUS defines the key terms of this FIRRMA provision and lists specific U.S. facilities subject to the new rules. Again, the primary change here and focus of the new regulations is the extension of CFIUS jurisdiction to noncontrolling investments. CFIUS retains the power to assert jurisdiction over controlling investments in real estate under established rules.
Real Estate Covered by the Regulations
Under the draft regulations, CFIUS jurisdiction would extend to noncontrolling investments in specific, delineated sites: certain airports, maritime ports, military installations, and other facilities or properties of the U.S. Government, and specific areas in or around those sites. Covered airports include major passenger and cargo airports in the United States based on volume, as well as "joint use airports" where both military and civilian aircraft share use of the military. Covered maritime ports include "strategic seaports" and the top 25 container or dry bulk ports as specifically defined on lists put out by the federal government. The covered military sites are also specifically listed, in this case in an annex to the regulations.
CFIUS jurisdiction would apply to any purchase or lease by, or concession to, a foreign person of covered real estate, that affords the foreign person at least three of the following property rights: (a) to physically access the real estate; (b) to exclude others from physical access to the real estate; (c) to improve or develop the real estate; or (d) to attach fixed or immovable structures or objects to the real estate. Any change in a foreign investor's interests in covered real estate that would result in that person acquiring three of the listed rights would also be covered by the new rules.
The regulations also define "close proximity." With respect to military installations and other facilities or property of the U.S. government, close proximity means the area outward one mile from the boundary of those facilities. The regulations introduce a new term "extended range," which extends the range for CFIUS jurisdiction outward to 99 miles for certain military installations and, where applicable, no more than 12 nautical miles seaward of the coastline of the United States. Transactions in certain U.S. counties listed in the appendix are also subject to the regulations.
Among other significant provisions, the definition of concession includes situations in which a U.S. public entity grants a right to use real estate for the purpose of developing or operating infrastructure for an airport or maritime port, which is another CFIUS first in that this rule could capture certain greenfield investments, which prior to this were outside the reach of CFIUS.
Perhaps sensing the difficulty in determining what is and what is not covered under the proposed real estate regulations, CFIUS has indicated that it will be providing additional guidance on this issue.
Similar to the regulations related to TIDs, the real estate regulations create an "excepted investor" category exempting from CFIUS jurisdiction certain foreign investors who meet certain criteria establishing sufficiently close ties to certain foreign states. Those countries have yet to be determined.
The purchase, lease or concession of a single "housing unit," as defined by the Census Bureau, is also exempted from the proposed regulations, as are transactions in urbanized areas and urban clusters, retail establishments in airports and ports and certain commercial office space.
Finally, as also found in the TID regulations, the real estate regulations provide rules and procedures for filing voluntary declarations instead of a full CFIUS notice. There is no mandatory declaration requirement for covered real estate transactions.
As noted above, however, all of these exceptions do not necessarily apply to CFIUS rules related to control in the existing CFIUS regulations.
CFIUS is taking another major step in extending its jurisdiction beyond acquisitions and controlling investments, but it also took a measured approach in limiting mandatory declarations and in exempting investors from certain U.S.-friendly countries, still to be listed. While CFIUS still must clarify its rules on mandatory declarations for certain investments in critical infrastructure and still has not implemented a fee structure for CFIUS filings, CFIUS has otherwise completed the long reform process taken up by Congress several years ago. The result is a process that will closely scrutinize investments in what CFIUS and the U.S. Congress consider highly sensitive areas no matter what the equity stake, while possibly streamlining the CFIUS process if the voluntary declarations live up to their potential.
Attorney Advertising. This memorandum is intended only as a general discussion of these issues. It should not be regarded as legal advice. We would be pleased to provide additional details or advice about specific situations if desired.
© 2019 Shearman & Sterling LLP. Shearman & Sterling LLP is a limited liability partnership organized under the laws of the State of Delaware, with an affiliated limited liability partnership organized for the practice of law in the United Kingdom and Italy and an affiliated partnership organized for the practice of law in Hong Kong.