On September 17, 2019, the U.S. Department of the Treasury issued proposed rules to implement the Foreign Investment Risk Review Modernization Act of 2018 (FIRRMA), legislation that significantly expanded the jurisdiction of the Committee on Foreign Investment in the United States (CFIUS). The proposed regulations define the contours of CFIUS's jurisdiction over non-control investments in U.S. critical technology and critical infrastructure businesses and those that maintain sensitive personal data. CFIUS also set the rules for mandatory filings for foreign government controlled investments, and opened the door to exempting qualified investors that are closely tied to certain countries. At the same time, CFIUS has not proposed any changes to the investment fund rule or the current pilot program for critical technology investments. A separate proposed rule covers CFIUS's expanded jurisdiction over real estate transactions. CFIUS will accept public comments on the proposals until October 17, 2019.
Below is a summary of the main aspects of the proposed regulations.
Non-Control Investments Regarding Critical Infrastructure, Critical Technology, and Sensitive Personal Data
The proposed regulations implement FIRRMA's expansion of CFIUS's authority to review non-control covered investments in U.S. businesses that deal in or maintain critical technology, critical infrastructure, and sensitive personal data, collectively referred to as "TID" businesses. To be a "covered investment" (a new term introduced by CFIUS), a foreign person must obtain one of the following rights: (1) access to material nonpublic technical information; (2) membership or observer rights on the board of directors; or (3) other involvement, including consultation rights, in the substantive decision-making process of the U.S. business.
A TID business is defined as follows.
- Critical Infrastructure: Systems or assets whose incapacity or destruction would have a debilitating impact on national security. Appendix A to Part 800 lists specific systems and assets, along with the type of functionality that would make that asset considered critical infrastructure.
- Critical Technology: As with the CFIUS pilot program, this includes most items controlled under ITAR, Commerce Control List of the EAR, and nuclear export controls, as well as "emerging and foundational technologies" that will be controlled by the U.S. Commerce Department's Bureau of Industry and Security pursuant to an ongoing rulemaking process.
- Sensitive Personal Data: Data that contains identifiable information, maintained by a U.S. business that (i) targets or tailors products or services to any U.S. executive branch agency or military department with national security functions, (ii) maintained or collected data on over one million individuals in the last 12 months, or (iii) has a business objective to maintain or collect data on over one million individuals, and that data is an integrated part of the U.S. business's primary products or services. The data must also fall into the following categories: genetic data; data that could help analyze or determine a person's financial distress; healthcare data; biometrics; and geolocation. The regulations exempt data that is a matter of public record and data that U.S. businesses collect on employees, unless it relates to employees of U.S. government contractors who hold U.S. government security clearances.
As contemplated by FIRRMA, certain transactions will be subject to a mandatory filing requirement. Specifically, if a foreign government holds at least a 49% voting interest in a foreign person that in turn holds at least a 25% interest in a TID U.S. business, then the parties to the transaction must file a mandatory declaration at least 30 days before the transaction closes. These thresholds are higher than many commentators expected, which may limit the number of mandatory filings under the proposed rule. The pilot program mandatory declarations remain in place at least until the final regulations are issued, and as with the pilot program, any parties required to file a declaration may submit a full written notice instead. In addition, parties to any covered transaction will be able to file a short-form declaration in lieu of a full written notice. Parties that fail to file a mandatory declaration with CFIUS are subject to a fine of up to $250,000 or the value of the transaction, whichever is greater.
As is the case under the current pilot program, CFIUS can respond to a declaration in one of the following ways: (i) request the parties to file a full written notice; (ii) notify the parties that CFIUS cannot take any action on the basis of the declaration and that they may submit a full written notice; (iii) initiate a unilateral review of the transaction; or (iv) clear the transaction and conclude all action. While the declaration process is intended to save time and resources, the CFIUS process may instead be longer if parties must (or decide to) file a full written notice after a 30-day declaration process. For this reason, and because the pilot program reportedly resulted in relatively few outright approvals, many parties have elected to file a full written notice instead of a mandatory declaration.
One of the new proposed regulations creates new Part 802 to implement FIRRMA's expansion of CFIUS jurisdiction over certain real estate transactions. Covered transactions include those involving or in certain proximity to airports, maritime ports, and military installations or other U.S. government sites that are sensitive for national security purposes. Appendix A to Part 802 lists certain military installations that would be covered under this rule. In particular, real estate located in the following areas will be covered: (i) within one mile of certain specified military and government sites; (ii) within 100 miles of other specified military and government sites; (iii) within 12 nautical miles of specified coastal military installations; or (iv) within specified counties and other similar geographic areas near intercontinental ballistic missile sites of the U.S. Air Force.
Additionally, the foreign person must acquire at least three of the following four property rights: (i) physical access to the real estate, (ii) right to exclude others from physical access, (iii) right to improve or develop the real estate, and (iv) right to attach permanent structures or objects to the real estate. Exempted transactions include those in urbanized areas and urban clusters (except those in close proximity to certain military installations), single housing units, retail and certain other establishments in airports and maritime ports, commercial office space, and Native American and Alaskan-owned lands. There are no required CFIUS filings under the new real estate rules. However, the analysis and rules in this Part 802 would only apply if a transaction were not covered under Part 800. Therefore, it may have limited applicability, mostly to greenfield transactions or acquisitions of empty land.
The proposed regulations provide for filing exemptions for "excepted investors," to begin two years from the date of the publication of the final rule. The new regulations may not apply to these excepted investors for their investments in TID U.S. businesses and covered real estate. Such investors must be a national or government of an excepted foreign state, a foreign entity organized and with a principal place of business in the excepted foreign state or the United States, or maintain a board of directors composed only of nationals of excepted foreign states and the United States.
Investors from an excepted foreign state must also meet certain requirements none of the foreign person, its parents, or subsidiaries may have:
(i) Received written notice from CFIUS that it has submitted a material misstatement or omission, or violated a material provision of a mitigation agreement;
(ii) Received an OFAC penalty or entered into an OFAC settlement agreement, a notice of debarment from the DDTC, or a BIS violation;
(iii) Been convicted of a felony in the United States; or
(iv) Been placed on the BIS Unverified List or the Entity List as of the date of the transaction.
CFIUS has not yet designated any countries as "excepted foreign states," but has said that it intends to include only a narrow list of countries, at least initially. To be an excepted foreign state, a country must first appear on a list of "eligible foreign states" to be established by the Department of the Treasury. Then, CFIUS will review whether the country has strong processes "to assess foreign investments for national security risks and to facilitate coordination with the United States on matters relating to investment security."
FIRRMA authorizes CFIUS to set filing fees for written notices. The proposed rule does not address these fees, and notes that a separate proposal will be published on filing fees.
Additionally, there have been no changes proposed to the rules on foreign limited partners investing in U.S. investment funds. The private equity fund carve-out that was introduced in FIRRMA and adopted as part of the pilot program will remain in place.
These proposed regulations implement CFIUS's expanded authority and highlight FIRRMA's focus on foreign access to sensitive technology and personal data. The new rules especially regarding critical infrastructure, sensitive personal data, and real estate are quite broad. However, they are also detailed and well-defined. So while the CFIUS jurisdiction and risk analysis may become more involved for future transactions, these rules also provide greater jurisdictional certainty and guidance on the issues of concern to CFIUS.
Any company involved in international mergers and acquisitions, private equity funds, or U.S. real estate transactions should become familiar with FIRRMA and the new procedures surrounding CFIUS. If you have any questions regarding FIRRMA and its changes to the CFIUS regime, or would like to discuss submitted comments on the proposed regulations, please reach out to the contacts listed below.