As mandated by the Foreign Investment Risk Review Modernization Act of 2018 (FIRRMA), the Committee on Foreign Investment in the United States (CFIUS) has issued new regulations (the Regulations) that will become effective on February 13 (the Effective Date) and will apply to all covered transactions that close on or after that date, unless certain key transaction milestones have occurred prior to the Effective Date. Consistent with the new authority granted to CFIUS by FIRRMA, the Regulations provide for review of certain transactions that afford a foreign person specified access, rights or involvement in certain U.S. businesses engaged in activities involving critical technology, critical infrastructure or sensitive personal data of U.S. citizens, irrespective of whether control of the U.S. business is conferred. In some cases, CFIUS review will be mandatory, unless the foreign investor qualifies as an “excepted investor” – i.e., an investor from Australia, Canada or the United Kingdom who meets specified criteria – or certain other limited exceptions apply. The Regulations also introduce certain process changes, including the ability to file a declaration in lieu of the traditional joint voluntary notice.
Under FIRRMA, CFIUS also gained authority to review certain real estate transactions. The new rules governing real estate transactions, also scheduled to come into force on the Effective Date, are the subject of a separate alert that can be viewed here.
‘Covered Transactions’ to Include Both ‘Covered Control Transactions’ and ‘Covered Investments’
Under the Regulations, CFIUS maintains its original authority to review “covered control transactions,” which are transactions “by or with any foreign person that could result in foreign control of any U.S. business.” Control remains broadly defined.
FIRRMA also granted CFIUS the authority to review covered investments. A “covered investment” is a direct or indirect investment by a foreign person (other than an excepted investor) that affords the foreign person the following rights with respect to a “TID U.S. business” (as defined):
- access to any material nonpublic technical information in the possession of the TID U.S. business;
- membership or observer rights on, or the right to nominate an individual to a position on, the board of directors or equivalent governing body of the TID U.S. business; or
- any involvement, other than through voting of shares, in substantive decisionmaking of the TID U.S. business regarding certain matters related to critical technologies, critical infrastructure or sensitive personal data of U.S. citizens.
TID U.S. Businesses Subject to ‘Covered Investment’ Jurisdiction
As noted above, CFIUS authority to review non-control transactions applies only to U.S. businesses engaged in certain activities involving critical technologies, critical infrastructure and sensitive personal data of U.S. citizens, i.e., TID U.S. businesses. Specifically, TID U.S. businesses are those that
- produce, design, test, manufacture, fabricate or develop one or more critical technologies;
- perform certain functions specified in the Regulations with respect to covered investment critical infrastructure; or
- maintain or collect, directly or indirectly, sensitive personal data of U.S. citizens.
The Regulations define “critical technologies” to include defense articles, technical data or defense services on the U.S. Munitions List; most commodities, technology and software on the Commerce Control List; certain controlled nuclear facilities, equipment, parts and components, materials, software, and technology; certain agents and toxins; and, once identified by the Department of Commerce, emerging and foundational technologies controlled for export pursuant to the Export Control Reform Act of 2018 (ECRA).
“Critical infrastructure” is defined broadly to mean “systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems or assets would have a debilitating impact on national security.” These systems and assets include, but are not limited to, certain telecommunications and internet services, natural gas and oil pipelines, financial market utilities, rail lines, maritime ports, and electric energy and public water systems. The functions performed with respect to the “covered investment critical infrastructure” listed in the Regulations that will trigger review of a covered investment vary according to the critical infrastructure in question. For example, a U.S. business that owns or operates any crude oil storage facility with the capacity to hold 30 million barrels or more of crude oil is a TID U.S. business subject to review of covered investments, as is any business that owns or operates certain interstate oil or gas pipelines or certain maritime ports or any satellite or satellite system providing services to the Department of Defense.
As defined by the Regulations, “sensitive personal data” is identifiable data maintained or collected by a U.S. business that
- targets or tailors products or services to certain agencies of the U.S. government; or
- has maintained or collected such data, generally, on more than 1 million individuals or has a demonstrated business objective to do so and such data is an integrated part of the U.S. business’s primary products or services.
Furthermore, sensitive data must be financial data that could be used to determine an individual’s financial distress or hardship; nonpublic electronic communications; or certain consumer report, insurance, health, geolocation, biometric, genetic, federal government identification or security clearance data. However, sensitive personal data does not include data that is a matter of public record, such as certain court data or government records, or certain data concerning the employees of a target U.S. business who do not hold security clearances.
Mandatory Review Requirements for Certain Transactions
While still a largely voluntary process, under the new Regulations CFIUS will require mandatory filings for certain transactions, subject to limited exceptions discussed below.
Any “covered transaction” (i.e., “covered control transaction” or “covered investment”) that results in acquisition of a substantial interest in a TID U.S. business by a foreign person in which a foreign government holds a substantial interest will be subject to the mandatory filing requirements. In general, “substantial interest” in this context means a direct or indirect voting interest of 25% or more on the part of the foreign person and a direct or indirect voting interest of 49% or more on the part of the foreign government. Also subject to mandatory filing requirements are covered transactions related to TID U.S. businesses that
- produce, design, test, manufacture, fabricate or develop one or more critical technologies for their own use in certain North American Industry Classification System (NAICS) codes; or
- design such items for customers operating in such NAICS codes.
The industries covered by the specified NAICS codes include, among others, the aircraft, computer, nuclear power, and guided missile and space vehicle manufacturing industries. These mandatory requirements will replace the requirements of the “Critical Technology Pilot Program” that was implemented in 2018.
Exceptions to Mandatory Requirements
Mandatory filing requirements do not apply if the acquisition
- is conducted by a U.S.-controlled investment fund that meets the requirements specified by the Regulations; or
- involves acquisition of a regulated aircraft.
In addition, the critical technologies mandatory filing requirements do not apply to transactions involving excepted investors or TID U.S. businesses
- that have a security clearance and already operate under a mitigation agreement pursuant to the National Industrial Security Program; or
- whose only involvement with critical technologies is limited to involvement with encryption items eligible for License Exception ENC.
CFIUS jurisdiction does not extend to non-control transactions in which the foreign investor is from an “excepted foreign state” (currently only Australia, Canada and the United Kingdom), including
- the governments thereof;
- nationals thereof who are not also nationals of any other state; and
- entities organized in any such country or the United States whose principal place of business is in any such country or the United States,
provided that certain requirements are met. These requirements include limitations on the level of participation of investors, board members and observers from non-excepted foreign states.
In addition, any foreign person or any of its parents or subsidiaries who would otherwise qualify as an excepted investor will be disqualified if such a person or its parents or subsidiaries are listed on either the Bureau of Industry and Security’s Unverified List or the Entity List, or, within the five years preceding the completion of the transaction, have
- been involved in enforcement proceedings before the Office of Foreign Assets Control; the Departments of State, Commerce or Energy; or CFIUS; or
- been subject to a divestiture order in previous proceedings before CFIUS.
On an interim basis, CFIUS has defined “principal place of business” to be “the primary location where an entity’s management directs, controls or coordinates the entity’s activities, or, in the case of an investment fund, where the fund’s activities and investments are primarily directed, controlled or coordinated by or on behalf of the general partner, managing member or equivalent,” provided that any different principal place of business outside the United States identified in any government filing will take precedence over any U.S. principal place of business identified for CFIUS purposes.
However, while excepted investors are exempt from both CFIUS jurisdiction related to covered investments in TID U.S. businesses and the critical technologies mandatory filing requirements, it should be noted that, in the case of transactions that could result in foreign control, i.e., covered control transactions, all foreign persons remain subject to CFIUS jurisdiction, including excepted investors, and CFIUS may exercise its right to review any such transaction, including those involving excepted investors.
As under the Critical Technology Pilot Program, mandatory filings generally are to take the form of short-form declarations. In addition, for the first time, any party to a proposed or completed transaction may submit a declaration to CFIUS regarding the transaction. In assessing cases filed pursuant to the declaration process, CFIUS has the option of advising the parties that it cannot conclude action under Section 721 of the Defense Production Act, as amended by FIRRMA, on the basis of the declaration, in which case the parties would not obtain the “safe harbor” from an order suspending or prohibiting the transaction or requiring unwinding or divestment, unless the traditional notice procedure is undertaken.
On the other hand, traditional notices may be filed in any case, including in lieu of declarations in cases subject to mandatory filing requirements, so the parties to a transaction may decide to forgo the somewhat faster mandatory declaration process in favor of the additional certainty that may be offered by the traditional notice process.
Transitional Matters – and More Changes to Come
The Regulations take effect February 13, 2020, but do not apply to certain transactions. The regulations found in 31 C.F.R. Part 800 in effect on February 12 will continue to apply to any transaction for which any of the following occur prior to February 13:
- the completion date;
- the execution of a binding written agreement establishing the material terms of the transaction;
- a party has made a public offer to shareholders to buy shares of a U.S. business; or
- a shareholder has solicited proxies in connection with an election of the board of directors of a U.S. business, or an owner or holder of a contingent equity interest has requested the conversion of such interest.
Finally, the regulations found in 31 C.F.R. Part 801, which govern the Critical Technology Pilot Program (as amended by the Regulations only as to applicability), will continue to apply to any transaction subject to the pilot program for which any of the above-listed aspects of the transaction occurred on or after November 10, 2018, and before February 13, 2020.
In addition to ensuring that they evaluate their transactions under the applicable set of regulations, parties to transactions that may involve foreign investors should note the potential for new rules regarding matters such as CFIUS filing fees and the definition of principal place of business, which, as noted above, has been adopted as an interim final rule that remains subject to public comment. CFIUS also intends to issue a proposed rule that would revise the mandatory declaration requirements for transactions involving critical technology from one based on NAICS codes to one based on export control licensing requirements.
As noted above, although the initial list of excepted foreign states includes Australia, Canada and the United Kingdom, CFIUS has signaled that it may expand the list in the future to include other countries with “robust intelligence-sharing and defense industrial base integration mechanisms with the United States.” However, even the currently excepted countries will not enjoy this status beyond February 13, 2022, if they do not demonstrate that their national security-based foreign investment review processes and bilateral cooperation with the United States on such reviews meet the requirements of the Regulations. In this regard, CFIUS has announced its intention to publish a list of factors that CFIUS will consider when making a determination regarding an eligible foreign state’s national security-based foreign investment review program.