On November 14, 2008, the U.S. Department of Treasury (“Treasury”) issued Final Regulations implementing the Foreign Investment and National Security Act of 2007 (“FINSA” or the “Act”), which made more robust the review of foreign acquisitions on national security grounds. The Final Regulations for the Committee on Foreign Investment in the United States (“CFIUS”) are effective December 21, 2008.  

FINSA, which amended Section 721 of the Omnibus Trade and Competitiveness Act of 1988 (popularly known as “Exon-Florio”), in large measure codified and makes mandatory many of the measures adopted in practice by the Bush Administration to strengthen the U.S. government review of foreign acquisitions on national security grounds since the controversy surrounding the 2005 Dubai Ports acquisition. Among other things, FINSA expanded such national security reviews of foreign acquisitions to encompass transactions involving homeland security and critical infrastructure, mandated investigations when U.S. firms are being sold to foreign government-controlled buyers, added additional U.S. government agencies as players in the Exon-Florio process, and enhanced congressional oversight of the process.  

As discussed below, the Final Regulations made a number of important changes from Treasury’s earlier issued Proposed Regulations that are constructive in nature and provide useful guidance to the business community. Among other things, the Final Regulations clarify which classes of acquisitions by institutional investors and hedge funds are not “covered transactions” subject to the President’s authority to review and prohibit under FINSA. The Final Regulations also further illuminate the extent to which loans and minority shareholder rights will be considered covered transactions that can be reviewed, and prohibited or suspended, when they threaten to impair national security.  

However, parties looking for additional guidance on core underlying concepts or new substantive limits on the President’s national security review authority will be disappointed. The Final Regulations offer no further insight on standards to determine whether a foreign acquisition threatens to impair national security, and no further definition of “critical infrastructure” or when it would be threatened by a subject transaction. With the Final Regulations now in place, the Bush Administration leaves as a legacy a strong process that allows for a robust review of foreign acquisitions and adds broad flexibility to determine whether a covered acquisition threatens national security. It remains to be seen, however, the extent to which the review of foreign acquisitions on national security grounds will be different under the Obama Administration. At this early juncture, several preliminary observations can be made:  

  • The core CFIUS processes and procedures put in place in recent years are unlikely to change under the new Administration — at least in the short term. FINSA essentially requires the President and CFIUS to conduct a rigorous review of foreign acquisitions on national security grounds. Absent legislative changes, there is no walking back from the existing standards. While Treasury could amend the Final Regulations, this will undoubtedly be a low priority given other pressing economic and financial policy matters.
  • Thus, the real question is how the Obama Administration will exercise its discretion in reviewing particular transactions on national security grounds. In the aftermath of Dubai Ports, the longstanding “open U.S. investment policy” clearly became more restrictive in all areas touching on our critical infrastructure, and the Bush Administration became uneasy about investments by a broader range of buyers from a broader range of countries. The fundamental touchstone of the CFIUS review process has been risk aversion — and in the eyes of some observers, aversion to domestic political as well as national security risks. Moreover, the fact that potential buyers have powerful business incentives or legal obligations not to take actions adverse to U.S. national security has been afforded little weight in the CFIUS process. Indeed, Treasury, the Chair of CFIUS, has become more of a facilitator than in the past and is highly deferential to security agencies.
  • It remains to be seen whether the Obama Administration will approach CFIUS reviews in the same manner as the Bush Administration or will forge a different course. It should be noted, however, that several key members of President-elect Obama’s economic team have served on CFIUS and know the process well. Thus, if past is prologue, one can reasonably expect a more robust role for Treasury in the process and a more balanced approach.
  • In February of this year, then-Senator Obama said during the Presidential election campaign that he was “concerned” about sovereign wealth funds (“SWFs”) acquiring U.S. assets. While neither FINSA nor the Final Rule specifically addresses sovereign wealth funds, current Deputy Treasury Secretary Robert Kimmitt promoted investment in the United States by SWFs during a fall tour of the Persian Gulf. While Deputy Secretary Kimmitt stressed that a commercial investment does not typically raise security concerns, he noted that the Committee is currently considering a number of cases in this area. How the Obama Administration will view these types of investments remains to be seen.

This alert sets forth relevant background on CFIUS fundamentals and the changes made by FINSA in the existing CFIUS process, evaluates what is new in the Final Treasury Regulations, and provides considerations for businesses in their strategic planning process regarding foreign investments.  

BACKGROUND: CFIUS Fundamentals & FINSA Changes

Notwithstanding the traditional U.S. open investment policy, the U.S. government has long reviewed and restricted foreign investments on national security grounds. Specifically, under the Exon-Florio provision, the President is authorized to investigate and block or suspend foreign acquisitions, mergers, or takeovers that threaten to impair national security. Since 9/11, the Bush Administration has gradually intensified its CFIUS reviews of foreign acquisitions. Moreover, in the aftermath of the Dubai Ports case, the Administration overhauled the CFIUS process, intensifying scrutiny of deals in 2006 and 2007. Subsequently, on October 24, 2007, FINSA was enacted — codifying a number of these changes and adding others.  

CFIUS Procedures and Timelines. Neither FINSA nor the Final Regulations change the existing procedural framework or timelines for the CFIUS review process (except with respect to acquisitions by foreign government-controlled entities1). Specifically, parties to a covered transaction have the right to make voluntary notifications of acquisitions for CFIUS to review, but such filings are not mandated by law. The Committee has the authority to initiate or re-open a review under certain circumstances (though typically a party that has not opted to file notice is given the opportunity to do so “voluntarily” if the Committee believes notice is in order). Once a notification filing is made, the process is as follows:

  • The Committee commences a 30-day preliminary national security “review” of the filing. Pursuant to FINSA, Treasury will designate a “lead agency” to have primary oversight of the review.
  • After 30 days, CFIUS either determines no action is needed (and effectively clears the transaction), or convenes an “investigation,” which must be complete within an additional 45 days, to fully ascertain the effects of the transaction on national security. CFIUS provides its findings and recommendations to the President.
  • After the investigation has been completed, the President has 15 days to suspend or prohibit the acquisition, or to take no action.

The Evolving Scope of CFIUS Review: The Focus on Homeland Security & Critical Infrastructure. While the CFIUS procedures have largely stayed intact, what has changed in recent years is the scope of the national security review in the post-9/11 era. Under Exon-Florio, the President has traditionally focused on whether foreign “control” of the U.S. business being acquired threatens to impair U.S. “national security.” While neither Exon-Florio nor FINSA nor the regulations thereunder define the term “national security,” in practice CFIUS has traditionally focused on two distinct sets of issues:

  • First, CFIUS reviews the conduct and behavior of the buyer and the policies of its host government to assess whether the buyer would be an appropriate steward of the U.S. business assets in question. In effect, the question is whether the U.S. government “trusts” the buyer and its host government.
  • Second, CFIUS reviews the nature of the U.S. business being sold. In this arena, CFIUS traditionally has examined security issues regarding transfers of technology and the unique character of the U.S. business being acquired.

Since 9/11, consistent with the broad interpretation of “national security,” CFIUS has expanded its examination to include the potentially adverse impact of the acquisition on homeland security. FINSA codifies this evolution, and mandates that the CFIUS national security review shall include consideration of whether covered foreign acquisitions threaten to impair “homeland security” and U.S. “critical infrastructure” — which are now part of “national security” by definition. FINSA also broadly defined “critical infrastructure” to mean virtual or physical systems and assets “so vital” to the United States that the incapacity or destruction of such systems or assets would have a “debilitating impact on national security.” Interested parties have been awaiting the Final Regulations to determine whether they shed any further light on this new authority.  

Other Major Changes Made by FINSA. Other significant changes in FINSA include: a restriction on delegation within the agencies; an expansion of the agencies that are members of CFIUS; clear authority to structure mitigation agreements; and a congressional notification requirement.  

  • Delegation of Authority. FINSA established that major decisions can not be delegated by an agency Secretary to anyone other than the Deputy Secretary or an Under Secretary involved in the review. For instance, in the case of a foreign government-controlled transaction, the Secretary may delegate the authority to determine that an investigation is not required only to the Deputy Treasury Secretary or to the deputy head of the lead agency. Similarly, only the Deputy Treasury Secretary or the deputy head of the lead agency can certify the report at the end of an investigation that there are “no unresolved national security concerns” remaining. In practice, this “no unresolved” standard has added an additional level of caution as senior officials have been unwilling in practice to sign off on transactions without sufficient comfort that they could accurately provide this required certification.
  • Expansion of CFIUS Agencies. The new law specifies that CFIUS comprises the Attorney General and the Secretaries of Homeland Security, Commerce, Defense, Energy, and State. The Director of National Intelligence and the Labor Secretary have been added as non-voting, ex officio members. Other officials may also be included on a case-by-case basis.
  • Mitigation Agreements. The Act codifies the Committee’s existing practice of using mitigation agreements with parties to a transaction as a means of addressing national security concerns posed by the deal. It provides clear authority to “negotiate, enter into or impose, and enforce” such agreements to mitigate security risks, and empowers a lead agency to oversee activities relating to such agreements on behalf of the Committee. Such agreements must be based on a risk analysis conducted by the Committee.
  • Congressional Notification. To facilitate congressional oversight, the Act expands the existing Exon-Florio congressional notification requirements. Specifically, CFIUS is required to file a certified notice upon completion of a 30-day review and a certified report upon completion of an investigation. Annual reports to Congress are also required.  

Key Changes in the Final Regulations

On April 23, 2008, Treasury issued Proposed Regulations to implement FINSA and afforded interested parties an opportunity to comment. See 72 Fed. Reg. 21,868. The Final Regulations, and the accompanying 60-page preamble written by Treasury, are significant in numerous respects.  

  • The Final Rule has adopted most of the regulatory language and standards in the Proposed Regulations. Of note, a number of comments submitted by interested parties sought to narrow the definitions of “covered transactions” and “control,” thereby limiting CFIUS’s flexibility in administering FINSA and assessing whether national security is implicated by a proposed transaction. Significantly, Treasury rejected these types of proposed changes, thus preserving CFIUS’ discretion.
  • The Final Rule has also made a number of important changes that provide clarity with respect to investments by particular types of parties (institutional investors and hedge funds) and particular classes of transactions (loans and minority shareholder rights). In some areas, Treasury changed the Final Regulations themselves, and in others Treasury added examples or offered instructive guidance and insights in its Preamble that make it clear that certain types of transactions pose no real national security risk.  

The more significant elements of the Final Regulations are each discussed below:  

  • Control. The term “control” is a critical element of the Final Regulations, as only those acquisitions by foreign persons that could result in control are “covered transactions” subject to the President’s authority to suspend or prohibit. Significantly, the Final Rule codifies Treasury’s longstanding definition of “control” in “functional terms as the ability to exercise certain powers over important matters affecting an entity.” Preamble to Final Rule at 11; 31 C.F.R. § 800.204. Thus, Treasury makes clear that its definition “eschews bright lines” and that “all relevant factors are considered together in light of their potential impact on a foreign person’s ability to determine, direct, or decide important matters affecting an entity.” Preamble, at 11-12. However, Treasury does add the observation that the “[a]cquisition of influence falling short of the definition of control over a U.S. business is not sufficient to bring a transaction” under the regulatory scheme. Preamble, at 12.

Significantly, Treasury also offers new concrete guidance on whether “control” would exist in a range of specific situations, including collateralized lending, limited “passive” investments, minority shareholder rights, equity fund structures, and 50/50 joint ventures.

  • Collateralized Loan Transactions. The Final Rule clarifies that loans by foreign persons to a U.S. business, “regardless of whether accompanied by the creation in the foreign person of a secured interest in securities or other assets of the U.S. business” will not, without more, confer control and be considered a covered transaction. 31 C.F.R. § 800.303(a). Treasury also notes that CFIUS will accept voluntary notice filings for loans only “at the time that, because of imminent or actual default or other condition, there is a significant possibility that the foreign person may obtain control of a U.S. business as a result of the default or other condition.” Id. § 800.303(a)(1). While the Final Rule expressly reserves the issue of what “other condition” and “significant possibility” mean, the Committee will decline “to accept notices of covered transactions where the occurrence of the transaction is speculative or remote.” Preamble, at 38. Treasury does offer one example of when a “significant possibility” may exist: when “several persons other than the foreign lender also have security interests in the same collateral and it is very possible, but not certain, that the foreign lender will obtain control.” Id.
  • The Ten Percent “Passive” Investment Exemption. The Final Rule provides that a foreign person does not control an entity if it holds ten percent or less of the voting interest in the entity, and it holds that interest “solely for the purpose of passive investment,” i.e., when a “person holding or acquiring such interests does not plan or intend to exercise control, does not possess or develop any purpose other than passive investment, and does not take any action inconsistent with holding or acquiring such interests solely for the purpose of passive investment.” 31 C.F.R. §§ 800.302(b), 800.223. The addition of the word “passive” is designed to emphasize that the rules will not exempt a transaction if the “foreign person plans or intends to gain control over the U.S. business.” Preamble, at 35. The Committee will consider, for example, whether the foreign person’s negotiation for additional rights that include elements of control is evidence of a non-passive investment purpose. 31 C.F.R. § 800.223 ex. 2. An investment will be considered passive, however, when the foreign investor has no affirmative rights other than the ability to vote its shares pro rata, and no “negative” rights other than certain minority shareholder rights (see below). Preamble, at 35-36.
  • Minority Shareholder Rights. Treasury added to its existing list of certain minority shareholder protections that are not considered in themselves to confer control over an entity by a foreign person. Specifically, Treasury added two negative rights to the list: the power to prevent an entity from voluntarily filing for bankruptcy or liquidation, and the power to prevent a change of existing legal rights or preferences of a particular class of stock held by minority investors. 31 C.F.R. §§ 800.204(c)(1), (5). Treasury noted, however, that other negative rights proposed in specific transactions may also be found to confer control. Of significance, Treasury effectively articulated a standard that could provide guidance on when control is conferred, noting that it has excepted the enumerated list of negative rights as minority shareholder protections because “they protect the investment-backed expectations of minority shareholders and do not affect strategic decisions on business policy or day-to-day management of an entity or other important matters affecting an entity.” Preamble, at 23. Treasury also highlighted a long list of shareholder protections it will “consider favorably in the context of specific transactions” as rights that do not in themselves confer control:
    • The power to prevent changes in the capital structure of the entity, including through mergers, consolidations, or reorganizations, that would dilute or otherwise impair existing shareholder rights;
    • The power to prevent the acquisition or disposition of assets material to the business outside the ordinary course of business;
    • The power to prevent fundamental changes in the business or operational strategy of the entity;
    • The power to prevent incursion of substantial indebtedness outside the ordinary course of business;
    • The power to prevent fundamental changes to the entity’s regulatory, tax, or liability status; and
    •  The power to prevent any amendment of the Articles of Incorporation, constituent agreement, or other organizational documents of an entity.

However, Treasury noted that its favorable view of the foregoing minority rights does not “preclude it from finding that the existence of one or a combination of these rights confers control under the facts and circumstances of a particular transaction.” Preamble, at 24.  

  • Equity Fund Structures. The Final Rule confirms when the Committee will consider limited partners in private equity funds to have sufficient “control” to warrant a CFIUS review. Specifically, under a new example set forth in the Final Regulations, when two limited partners, each holding a 49% interest in the partnership, and a general partner, holding a 2% interest and the sole authority to decide important matters, operate a fund, it is the general partner alone who will be viewed as controlling the partnership. However, if each limited partner has veto authority over major investment decisions and power to choose fund representatives on the boards of portfolio companies, then all partners control the partnership. 31 C.F.R. § 800.204 ex. 8 and 9.
  • 50/50 Joint Ventures. The Final Rule retains Proposed Rule § 800.301(d)’s example 1, which indicates that the creation of a 50/50 joint venture by a foreign person that contributes only cash and a second party that contributes a U.S. business is a covered transaction. This is because the joint venture partner would obtain the same degree of power over the important matters affecting that joint venture (and therefore the U.S. business, according to Treasury) as a foreign person who made a direct investment to acquire a 50% interest in the U.S. business.
  • Critical Infrastructure. On a closely watched issue, Treasury rejected suggestions that it further define or limit FINSA’s broad definition of “critical infrastructure.” Treasury notes in the Rule’s Preamble that it will not deem classes of systems or assets to be, or not to be, critical infrastructure. Also, while FINSA makes clear that “major energy assets” are part of U.S. critical infrastructure and that the “long-term projection of United States requirements for sources of energy and other critical resources and material” should be factors in national security reviews under the law (i.e., whether the acquisition will adversely affect access to secure sources of energy), the Final Rule does not define what may constitute a major energy asset.
  • Pre-Filing Consultations & Confidentiality. The Final Rule encourages a long-standing practice of engaging in pre-filing consultations with Treasury prior to the submission of a voluntary notice, particularly where a party has not previously prepared a notice or where a transaction is unusually complex. This process has proven useful — especially for more sensitive or complex cases — because it affords CFIUS agencies the ability to review a transaction off the clock. The Final Rule was also amended to extend explicitly the confidentiality provisions of the rules to information or documentary material provided during the course of pre-notice consultations regardless of whether a notice is ultimately filed with the Committee. 31 C.F.R. § 800.702. The confidentiality provisions will continue to apply even when the transaction is no longer before CFIUS.
  • Expanded Voluntary Notice Contents. In response to concerns that the range of information required by the Proposed Rule to be submitted in voluntary notices was unduly burdensome and somewhat confusing, the Final Rule narrowed the scope of certain required information and clarified what is required in submissions. 31 C.F.R. § 800.402. Specifically, with these changes, the new information requirements (i.e., beyond those required in the existing Treasury regulations) are as follows:
    • A discussion of any rebranding or incorporation of the U.S. business’s products or services by another company or in another company’s products (in exceptional cases where this is extraordinarily burdensome, the filer may request modification of this requirement);
    • A statement of the plans of the acquiring party to ensure compliance of the U.S. business with the Defense Priorities and Allocations System;
    • A description and copy of cyber security plans used to protect against cyber attacks on the operation, design, and development of the U.S. business (regardless of whether the company is in the information technology industry);
    • A statement of whether a foreign government has any affirmative or negative rights not already identified in the filing (the Final Rule rejected covering only “material” rights); and
    • Certain personal identifier information, including curriculum vitae for selected persons.

In reality, these new requirements make submitting a voluntary filing considerably more time-consuming and expensive than in the past. Treasury does suggest, however, that it would be willing to waive requests that place an “extraordinary burden” on the parties on a case-by-case basis if such modification “would not impair the full and efficient consideration of the transaction.” Preamble, at 44.

  • Corporate Reorganizations Under Same Ultimate Parent. Treasury declined to keep a provision in the existing CFIUS rules that provided that an acquisition is not subject to review if the parent of the entity making the acquisition is the same as the parent of the entity being acquired. Treasury took the position that Exon-Florio requires CFIUS to review any transaction that could result in control of a U.S. business by a foreign person. Thus, Treasury concluded that a corporate reorganization that results in a new foreign person acquiring control of a U.S. business would be a covered transaction even if the ultimate parent of the U.S. business may not have changed. The Preamble does note, however, that such reorganizations would present national security considerations only in “exceptional” cases.
  • Incremental Acquisitions. A transaction in which a foreign person acquires an additional interest in a U.S. business that was previously the subject of a covered transaction for which CFIUS concluded all action under Exon-Florio will not be considered a covered transaction. 31 C.F.R. § 800.204(e). However, if the prior investment by a foreign person was not notified to CFIUS, or if CFIUS determined that the prior investment was not a covered transaction, then the subsequent investment may be a covered transaction depending on whether foreign control of the U.S. business will ensue.
  • Penalties for Material Misstatements, False Certification, or Breach of Mitigation Agreements. Consistent with new FINSA authority, the Final Regulations provide penalties for material misstatements or omissions made to CFIUS, false certifications, and breach of mitigation agreements or conditions. 31 C.F.R. § 800.801. A new provision in the Final Rule states that CFIUS will not consider to be material minor inaccuracies, omissions, or changes relating to financial or commercial factors not having a bearing on national security. 31 C.F.R. § 800.509. Notably, a mitigation agreement may now include a provision providing for liquidated or actual damages for breaches. 31 C.F.R. § 800.801(c). The regulations require CFIUS to set the amount of liquidated damages as a “reasonable assessment of the harm to the national security that could result from a breach.”  

Strategic Business Planning

In light of FINSA and the Final Regulations, a transaction involving the acquisition of U.S. assets by foreign investors will be more complicated — if for no other reason than that filing a notice with CFIUS will more often be the advisable course of action when foreign control is implicated. Additional agency scrutiny will undoubtedly slow down the process. Filing parties will have the burden of demonstrating to CFIUS that there will be no threat to national security or critical infrastructure. If that burden is not met, the Committee may require a mitigation agreement. As such, it is important that companies incorporate the risks associated with the Exon-Florio process into their business planning when considering transactions that may meet the “covered transaction” definition.  

A company should consider taking the following steps:  

  • Evaluate Company and Country Conduct. CFIUS will evaluate whether there are issues of technology transfer, industrial espionage, illicit payments, or other matters that bear on the willingness of CFIUS agencies to “trust” the potential buyer with sensitive assets. Hence, firms considering acquisitions should also consider these issues in making business judgments about potential investments.
  • Undertake Due Diligence on Proposed U.S. Target Acquisitions. It is critical to build an evaluation of Exon-Florio considerations into due diligence assessment of a potential target, including:
    • Does the target have sensitive or unique technologies? Do other U.S. firms have similar capabilities? What proprietary rights concerning the technology does the U.S. entity possess?
    • Does the target have classified contracts?
    • Are the target’s operations proximate to U.S. military or other security operations and sensitive data?  


In sum, the CFIUS review process established by FINSA and the Final Regulations will mean continued robust scrutiny of foreign transactions that implicate national security. Over time, we anticipate that the review process will become more predictable as CFIUS gains broader experience under the new requirements, particularly in the critical infrastructure area. At the same time, the Final Regulations add useful clarifications that help identify when particular classes of transactions by hedge funds or institutional investors are not covered transactions subject to national security review under FINSA.