Published on:

New Proposed CFIUS Regulations Implementing FIRRMA

On September 17, 2019, the U.S. Department of Treasury issued two new proposed rules for the Committee on Foreign Investment in the United States (CFIUS) implementing the Foreign Investment Risk Review Modernization Act (FIRRMA), which was enacted in August 2018. The first proposed rule covers, among other things, FIRRMA’s expansion of CFIUS’ jurisdiction to non-controlling investments in U.S. businesses engaged in critical technology, critical infrastructure and sensitive personal data. The second proposed rule addresses FIRRMA’s expansion of CFIUS’ jurisdiction over certain real estate transactions.

The two proposed rules will be published in the Federal Register on September 24, 2019. Interested parties may submit written comments through October 17, 2019. As required by statute, final regulations implementing FIRRMA must become effective no later than February 13, 2020.

Critical Technology Pilot Program Remains Unaffected
The proposed rules do not impact or alter the existing critical technology pilot program. CFIUS continues to assess the scope of the pilot program based on the comments it has received from industry. CFIUS expects to address comments to the pilot program in its final rule.

New Terms – “Covered Control Transactions,” “Covered Investments” and “TID U.S. Businesses”
The proposed regulations continue to provide CFIUS with jurisdiction over what are now defined as “covered control transactions” (i.e., a foreign person acquires control of a U.S. business).

Additionally, the proposed regulations authorize CFIUS to review non-controlling “covered investments.” First, the “covered investment” must involve a U.S. business that either:

  • Produces, designs, tests, manufactures, fabricates, or develops one or more critical technologies;
  • Owns, operates, manufactures, supplies, or services critical infrastructure; or
  • Maintains or collects sensitive personal data of United States citizens that may be exploited in a manner that threatens national security.

The proposed rules refer to these businesses as “TID U.S. Businesses” (Critical Technologies, Critical Infrastructure, and Sensitive Personal Data).

Second, the non-controlling covered investment must afford a foreign person:

  • Access to material nonpublic technical information;
  • Membership or observer rights on the board of directors; or
  • Any involvement other than through voting of shares, in substantive decision making of the United States business regarding:
    • Sensitive personal data of U.S. citizens;
    • Critical technologies; or
    • Critical infrastructure.

The proposed rule contains an Appendix A that comprehensively outlines 28 categories of critical infrastructure and the related “functions” for each type of infrastructure. Examples include certain aspects of telecommunications, energy facilities, financial markets, satellites, and airports and maritime ports. Only a non-controlling foreign investment in a U.S. business that performs one of the specified “functions” in Column 2 of Appendix A with respect to the corresponding type of critical infrastructure listed in Column 1 is a “TID U.S. Business” for purposes of critical infrastructure covered investments.

Sensitive personal data is defined to include a number of categories of “identifiable data” touching on areas such as financial, health, insurance, geolocation, biometric, and genetic data. To be covered, the data that is collected must be “identifiable data” which excludes information that is aggregated or anonymized, unless a party to the transaction has the ability to disaggregate or de-anonymize the data. Identifiable data also does not include encrypted data unless the U.S. business has the means to decrypt the data so as to distinguish or trace an individual’s identity.

Exceptions for Covered Investments in TID U.S. Businesses
The proposed rule retains the pilot program clarification for indirect investments by foreign persons as limited partners in investment funds. An indirect investment by a foreign person in a TID U.S. Business through an investment fund is not a covered investment if the rights of the foreign person are sufficiently limited.

With regard to the treatment of specific countries, the proposed rule provides additional information but leaves many unanswered questions. The proposed rule adopts a white list approach which ultimately will identify certain “excepted foreign states” that may be eligible for exclusion in connection with covered investments (not covered control transactions). CFIUS has yet to publish this list and has suggested it will be very limited, at least initially.

CFIUS will employ a two-factor test:

  • First, the foreign state must be included in the defined group of eligible foreign states to be published on the Department of Treasury website; and
  • Second, a supermajority (2/3 vote) of CFIUS is required to determine that a country has established and is effectively utilizing a robust process to assess foreign investments for national security risks and to facilitate coordination with the U.S. on matters relating to investment security.

CFIUS is considering delaying implementation of this second factor in order to provide eligible foreign states time to enhance their foreign investment review processes and bilateral cooperation. Moreover, there are several limitations on the types of “excepted foreign investors” who may qualify for this exclusion. A comprehensive examination of a company’s organizational structure and board of directors/observers will be required in order to assess eligibility under the country carve-out for covered investments.

Real Estate Transactions
FIRRMA expands CFIUS’ jurisdiction to include certain types of real estate transactions involving the purchase or lease by, or concession to, a foreign person of certain private or public real estate located in the United States. FIRRMA focuses on two general categories of real estate: (1) real estate described by its relation to airports and maritime ports, (2) real estate described by its relation to U.S. military installments and other sensitive facilities.

CFIUS has published a list of military installations and other facilities in several subparts that must be considered as part of a proximity analysis. The analysis will vary depending on the installation involved and may consider covered real estate to be in “close proximity” (defined as within 1 mile) or the “extended range” (up to 99 miles) of the particular facility.

There are a number of exclusions for certain types of real estate transactions, including real estate in certain urban areas, commercial office space, and leases of retail locations located in airports and maritime ports.

Real estate transactions are not subject to mandatory filing requirements and parties may submit a voluntary notice or declaration.

Declarations – Mandatory versus Voluntary Filings
FIRRMA introduced a new streamlined “declaration” in lieu of a formal notice. This short form process was created, in part, to help reduce the regulatory burden on parties who currently are required to prepare complete notifications and go through the full review process in order to receive clearance even if the transaction may not present national security concerns.

The proposed rule will allow parties to file a declaration with CFIUS instead of a written notice. The contents and procedure for submitting a voluntary declaration are identical to that which is required for mandatory submissions. However, as we have seen with the pilot program, CFIUS may not necessarily conclude review based on a declaration. Parties should consider whether a transaction is likely to be considered sensitive enough to warrant submitting a full notice in order to save the time involved in filing a declaration plus a notice.

There are a limited number of instances where mandatory declarations are required. First, mandatory declarations continue to be required in connection with the CFIUS critical technology pilot program. As mentioned, the pilot program remains unaffected by the proposed rule.

The proposed rule adds a new category of mandatory declarations, namely when a foreign person in which a foreign government has a “substantial interest” acquires a “substantial” interest in any of the three types of TID U.S. businesses. The “substantial interest” definition uses different numerical thresholds when examining a foreign government’s ownership interest in the foreign acquirer/investor (49% or more) and the ownership interest that foreign party is acquiring in a TID U.S. business (25% or more).