Under the new regulations which took effect on 13 February 2020, CFIUS may review all "covered transactions", which include not only "covered control transactions", but also "covered investments" and select real estate transactions.
Covered control transactions
The term covered control transaction means "any transaction that is proposed by or with any foreign person that could result in foreign control of any US business, including without limitation such a transaction carried out through a joint venture". The term ‘control’ still means "the power, direct or indirect, whether or not exercised, through the ownership of a majority or a dominant minority of the total outstanding voting interest in an entity, board representation, proxy voting, a special share, contractual arrangements, formal or informal arrangements to act in concert, or other means, to determine, direct, or decide important matters affecting an entity". In other words, as it has for many years, CFIUS intends to continue to treat minority investment transactions that fall short of the common commercial understanding of corporate control as covered control transactions.
The term "covered investment" means "an investment, direct or indirect, by a foreign person other than an excepted investor in an unaffiliated TID US business that is … not a covered control transaction" and affords the foreign person:
- access to any material non-public technical information in the possession of the TID US business;
- membership or observer rights on the board of directors or equivalent governing body of the TID US business or the right to nominate an individual to a position on the board of directors or equivalent governing body of the TID US. business; or
- any involvement, other than through voting of shares, in substantive decision-making of the TID US business in certain matters regarding personal data, critical technologies or critical infrastructure.
TID US businesses are businesses that:
- produce, design, test, manufacture, fabricate or develop one or more "critical technologies";
- own, operate, manufacture, supply or service "critical infrastructure" as detailed in Appendix A to the regulations; or
- maintain or collect "sensitive personal data" of US citizens.
"Critical technologies" is defined to include certain items subject to export licensing restrictions under existing regulatory schemes, such as the International Traffic in Arms Regulations (ITAR) and the Export Administration Regulations (EAR), as well as "emerging and foundational technologies" controlled under the 2018 Export Control Reform Act, in which technologies are expected to be identified through proposed regulations to be initiated by the Bureau of Industry and Security of the Department of Commerce. In a final rule effective 15 October 2020, the Department of Treasury modified the scope of the mandatory filing requirement for certain "critical technology" transactions by reorienting it from being based on a ‘nexus’ to certain industries to being based on whether certain US government authorisations would be required to export, reexport, transfer (in-country) or retransfer the critical technology to foreign persons to the transaction. The rule narrows the range of critical technology mandatory filings by requiring a filing for a particular transaction only if an export authorisation would be required for the export of the relevant critical technology to the proposed foreign investor. Generally, export license exceptions under the EAR are to be disregarded in determining whether a filing is required but license exceptions, TSU, ENC and STA may be applied to the analysis, provided all of their requirements are met.
"Critical infrastructure" includes physical or virtual systems or assets across subsectors including telecommunications, utilities, energy, and transportation where the destruction or incapacitation of such systems or assets would have a debilitating impact on US national security. In its Appendix A, the regulations enumerate specific critical infrastructure and related functions which are integral to determining whether a US business is a TID business. CFIUS has stated that Appendix A is only relevant for this purpose and is not applicable in any other context, which indicates that in the context of traditional covered control transactions, it could view critical infrastructure more broadly. Nonetheless, Appendix A provides new insight into a particularly sensitive subset of critical infrastructure.
With respect to "sensitive personal data," CFIUS may review transactions related to US businesses that maintain or collect sensitive personal data of U.S. citizens that may be exploited in a manner that threatens national security. "Sensitive personal data" is defined to include ten categories of data maintained or collected by US businesses that include types of financial, geolocation, genetic information and health data, among others.
Under its new regulations, CFIUS also introduced the concept of "excepted investors" from "excepted foreign states". To become an excepted foreign state, a country must be identified by CFIUS as an eligible foreign state and satisfy CFIUS’s determination that the foreign state has established "a robust process to analyse foreign investments for national security risks and to facilitate coordination with the United States on matters relating to investment security". The regulations included Australia, Canada, and the United Kingdom on the initial list of foreign states eligible for the status of an "excepted foreign state". These three countries were given two years, ending on 13 February 2022, to meet the second determination requirement. On 5 January 2022, the Department of Treasury issued a rule announcing that Canada and Australia have met the determination requirement. The 5 January rule also extended the effective date for the CFIUS determination by one year to 13 February 2023, effectively giving the United Kingdom more time to continue with the implementation of its own new foreign investment regulations, which took effect on 4 January 2022. In the same rule, the Department of the Treasury also announced that New Zealand has been identified as an excepted foreign state. This is without regard to the determination criterion which, again, is not applicable until February 2023.
Foreign persons, including entities, which meet the rule’s criteria for nationals or organisations of an excepted foreign state are defined as "excepted investors". Excepted investors will not be subject to CFIUS’s expanded jurisdiction over transactions involving TID US businesses and will be exempted from certain mandatory reporting requirements. This exemption does not extend to CFIUS traditional jurisdiction over covered control transactions. Therefore any acquisition, merger or takeover of a US business by an Australian, Canadian, UK or New Zealand entity is still considered a covered control transaction that is subject to CFIUS jurisdiction, though a submission to CFIUS is not mandatory.
Real estate transactions
FIRRMA also specifically authorises CFIUS to review the purchase or lease by a foreign company of US real estate that is located within an air or maritime port or in close proximity to a US military installation or another facility sensitive for reasons relating to national security that could provide the foreign person the ability to collect intelligence or otherwise expose national security activities. The covered military installations are listed by name and location in an appendix to the regulations, while the relevant airports and maritime ports are included on lists published by the US Department of Transportation.
There is no mandatory filing requirement for real estate transactions. Parties may file a notice or submit a short-form declaration notifying CFIUS of a covered real estate transaction to potentially qualify for a "safe harbor" letter that generally prevents CFIUS from later initiating a review of the transaction.
To assist parties in determining whether a proposed real transaction is subject to CFIUS jurisdiction, CFIUS has made available a ‘geographic reference tool’ on its website. This online tool was developed to "assist the public understanding certain aspects of the regulations at 31 C.F.R. part 802 (part 802) in connection with specific real estate locations". Key features of the tool include the identification of urban areas and urban clusters designated by the US Census Bureau as well as publicly available information pertaining the location and purpose of Department of Defense properties which includes, among other sites, the military installations identified in the relevant appendix to the regulations.
CFIUS Review Process
The CFIUS review process remains largely voluntary, where parties may elect to file a notice, and the notice requirements have not meaningfully changed. However, since February 2020 CFIUS has accepted short-form declarations of covered control transactions and covered investments. Such declarations allow parties the opportunity to bypass the longer review process for a voluntary notice and instead submit basic information regarding a transaction. CFIUS has 30 days to assess a covered transaction that is the subject of a declaration. As data and anecdotal evidence on declarations practice have developed, both the prevalence of use of the short form declaration process, and the number of positive outcomes from declarations are trending upwards.
For certain covered transactions, filing a declaration for a transaction will be mandatory. Specifically, in addition to the mandatory declaration required for select foreign investments in "US businesses that produce, design, test, manufacture, fabricate, or develop one or more critical technologies" as inherited from the Pilot Program, under the new regulations, CFIUS mandates the submission of declarations for transactions where:
- a foreign person will hold a "substantial interest" in a U.S. business;
- a foreign government (other than an excepted foreign state) holds a "substantial interest" in the foreign person; and
- the US business that is the subject of the transaction is a TID US business.
The regulations require the CFIUS to respond to a voluntary or mandatory declaration within 30 days by clearing the transaction, advising the parties that it is unable to conclude action and that the parties may elect to file a written notice or requesting that the parties file a full written notice, initiating a unilateral review.
While mandatory declarations are required only for the aforementioned transactions, foreign investors should examine any transaction or investment opportunity for CFIUS-related risks and consider whether to file a voluntary declaration or notice even when the investment would not be subject to a mandatory declaration requirement. Foreign buyers and investors should undertake such analysis and file voluntary declarations or notices as appropriate to eliminate risks of potentially adverse CFIUS action and guard against CFIUS interference late in the transaction process. Whether a result of a voluntary notice or notice required by CFIUS following review of a declaration, CFIUS’s initial review of a full notice must conclude within 45 days, or else CFIUS must enter its investigation phase, which must conclude within an additional 45 days. FIRRMA also allows the treasury secretary to grant one 15-day extension of the 45-day investigation period in "extraordinary circumstances." If CFIUS has not resolved any identified national security concerns at the end of its investigation period, CFIUS is responsible for making a formal recommendation to the president on whether to clear or block the transaction. The president then has up to 15 additional days to decide whether to suspend, prohibit, or impose conditions on the deal. In some cases, if CFIUS has not concluded its review by the end of the investigation period, CFIUS may request that the parties withdraw the notice and refile as that will restart the clock on the review process, providing more time for CFIUS to review the transaction and the parties to work with it on mitigation measures to address any potential national security concerns identified.
While FIRRMA expanded CFIUS’ reach and increases the number of transactions subject to its reviews, the US welcomes foreign investment and maintains an open investment legal regime. Even following the implementation of the Pilot Program in 2018, the majority of investments submitted to CFIUS continue to be cleared. In the over thirty years since the "Exon-Florio" amendment to the Defense Production Act codified the CFIUS review process, only seven cases have resulted in a presidential blocking or divestment order. Four of those cases have occurred in the administration of President Trump and two occurred under President Obama. All of these have involved either Chinese investors, or a concern about the investors’ ties to China.
Many more cases never reach the president’s desk but are effectively blocked or the subject of post-closing divestment orders by CFIUS when the parties acquiesce to CFIUS’ position and do not force a decision by the president. However, while the number of blocked transactions has increased in recent years, particularly in cases involving Chinese investors, such occurrences remain the outliers of the CFIUS process. In some cases, CFIUS clears transactions subject to conditions intended to mitigate the identified national security risks. These mitigation measures can range from assurance letters between CFIUS or one of its member agencies and the parties, where the parties agree to undertake certain steps to ease national security concerns, to significant agreements that impose governance requirements, or operational restrictions.
Cases cleared following mitigation agreements are monitored closely and can be reopened in the event of material breach. Under the new regulations, if at any time after a mitigation agreement is entered into CFIUS determines that a party or parties are not in compliance with the terms of the agreement, CFIUS may negotiate a plan with the parties to remediate the non-compliance, require the parties to file a notice or declaration, seek injunctive relief. Any person who submits a material misstatement or omission in a declaration or notice or makes a false certification may be penalised up to $250,000 per violation. Any person who fails to file a mandatory declaration or who violates a material provision of a mitigation agreement may be liable for a civil penalty not to exceed $250,000 per violation, or the value of the transaction, whichever is greater. The new regulations set out new penalty administration procedures through which parties are notified of the imposition of a penalty and may petition against the penalty. Penalties, damages, and injunctions may be pursued by the US in federal district court.
Jason Waite is an international trade and regulatory law expert at Alston & Bird LLP.