Podcast: CFIUS: Recent Regulatory Developments
In this Ropes & Gray podcast, Ama Adams and Brendan Hanifin discuss recent and forthcoming changes to the Committee on Foreign Investment in the United States (“CFIUS”) review process. The Foreign Investment Risk Review Modernization Act (“FIRRMA”), passed in August 2018, significantly expanded the scope of CFIUS’s jurisdiction to review foreign investments in U.S. businesses. This podcast discusses the implications of FIRRMA for U.S. and non-U.S. investors, as well as U.S. businesses that seek foreign investment.
Brendan Hanifin: Hello, and thank you for joining us today on this Ropes & Gray podcast, during which we will be discussing the Committee on Foreign Investment in the United States (“CFIUS”) review process. I am Brendan Hanifin, counsel in Ropes & Gray’s anti-corruption and international risk group, based in Chicago. Joining me for today’s discussion is Ama Adams, a partner in our Washington D.C. office. Ama is a fellow member of Ropes’ anti-corruption and international risk group, as well as the leader of the firm’s CFIUS practice. Ama, this is an area of law where there’s been significant regulatory development over the past 14 months. To provide context for these recent changes, could you provide a brief overview of CFIUS and its function?
Ama Adams: Thanks, Brendan. I’m glad to be here discussing this important and very timely topic. CFIUS is an interagency committee of the U.S. government with authority to review foreign investments in U.S. businesses that pose a risk to national security. CFIUS may impose mitigating measures on the parties to a covered transaction—or recommend that the President of the United States block a transaction entirely—if the Committee determines that the foreign investment threatens to impair U.S. national security.
Brendan Hanifin: What types of transactions and investments does CFIUS have the authority to review?
Ama Adams: Historically, CFIUS’s jurisdiction was limited to transactions in which a foreign person makes an investment that could result in control of a U.S. business. In applying this standard, it’s important to note that the CFIUS regulations generally do not define “control” in terms of a specified percentage of ownership interest or number of board seats; rather, the determination of control is fact-specific, and the definition is quite broad. Along similar lines, the term “U.S. business” encompasses both U.S. companies and the U.S. subsidiaries or U.S. operations of larger international businesses, meaning that CFIUS may be relevant for foreign-to-foreign transactions.
Brendan Hanifin: Until recently, the CFIUS review process was entirely voluntary, meaning that the parties to covered transactions were not required to notify CFIUS of the transaction. Given the voluntary nature of the process, why do parties bother with the time and expense of making a CFIUS filing?
Ama Adams: Although the review process has been voluntary, at least historically, failure to notify CFIUS of a covered transaction can result in significant risk where the transaction presents meaningful national security issues. The principal advantage in filing a voluntary notice is that CFIUS may pre-clear the transaction before closing, meaning that CFIUS cannot later raise concerns regarding the transaction. The risk of not filing a voluntary notice is that, if the Committee was concerned that the transaction threatened to impair national security, CFIUS could initiate its own review, which could result in the imposition of mitigation measures. Although post-closing investigations are relatively rare, CFIUS has the authority to initiate a review at any time after becoming aware of a covered transaction that has not been noticed to the Committee. There is no statute of limitations or time limit on CFIUS’s authority. Accordingly, if the parties do not seek and obtain CFIUS clearance, CFIUS can investigate a transaction years after the transaction has closed.
Brendan Hanifin: What factors does CFIUS consider when assessing national security risk? And what are typical mitigation measures that CFIUS could impose, short of recommending that the U.S. President block (or unwind) a transaction?
Ama Adams: With respect to the national security analysis, the CFIUS regulations do not define the concept “U.S. national security”; relevant factors traditionally have included the involvement of state-owned foreign companies, particularly from China and Russia; whether the U.S. business that is the subject of the transaction develops or produces sensitive products or technologies; whether the U.S. business has contracts with U.S. government agencies with national security responsibilities or access to classified data; whether the U.S. business occupies facilities in close proximity to U.S. national security interests, including sensitive government locations and military installations; and whether the U.S. business collects large volumes of sensitive, personal information on U.S. citizens. With respect to mitigation, CFIUS has authority to impose a wide range of mitigation measures, short of blocking a transaction in its entirety.
- Limiting the foreign investor’s access to sensitive technology or facilities;
- Limiting the foreign investor’s access to sensitive personal data on U.S. citizens;
- Limiting the foreign investor’s participation in, and access to, parts of U.S. businesses that provide services to the U.S. government; or
- Imposing periodic reporting requirements.
Brendan Hanifin: Now that we have a basic understanding of what CFIUS is and does, let’s discuss some of the recent changes to the CFIUS review process, which have been the subject of considerable attention by investors and investment targets alike. Ama, could you walk us through the high points?
Ama Adams: Sure. In August 2018, Congress passed—and the President signed into law—the Foreign Investment Risk Review Modernization Act (“FIRRMA”), which significantly expanded the scope of CFIUS’s jurisdiction. FIRRMA was passed on a bipartisan basis, and was motivated by the view among U.S. national security figures that CFIUS was not equipped to handle new threats to U.S. national security posed by foreign investment, particularly from China. A comprehensive discussion of FIRRMA is beyond the scope of this podcast, but for present purposes, FIRRMA introduced two fundamental changes to the CFIUS review process. First, FIRRMA expanded CFIUS’s jurisdiction to non-passive, non-controlling investments in three categories of U.S. businesses: companies that produce, design, test, manufacture, fabricate, or develop one or more critical technologies; companies that own, operate, manufacture, service, or supply critical infrastructure; and companies that collect or maintain sensitive data of U.S. citizens. Second, FIRRMA authorized CFIUS to introduce a mandatory filing requirement for certain categories of transactions.
Brendan Hanifin: When do these important changes take effect?
Ama Adams: In October 2018, CFIUS announced a “pilot program” that implemented certain aspects of FIRRMA, on a temporary/provisional basis. The remainder of FIRRMA is scheduled to be implemented by February 2020. In September 2019, the Department of Treasury published proposed rules that address most—but not all—remaining elements of the legislation; however, these rules are not yet final.
Brendan Hanifin: Focusing first on the pilot program, what do investors need to know?
Ama Adams: The pilot program introduced, for the first time, a mandatory CFIUS notification requirement for certain non-passive investments in critical technology companies. Failure to comply with the pilot program’s mandatory notice requirement can result in a significant civil penalty, up to the value of the entire transaction or investment. For an investment to trigger the pilot program’s mandatory notice requirement, three criteria must be present:
- The U.S. business that is the subject of the transaction must operate within, or develop technology for use in, one of 27 designated “pilot program industries.” These industries include, among others, aircraft, electronics, military, nuclear, chemical, biotechnology, and semiconductor manufacturing.
- The U.S. business must produce, design, test, manufacture, fabricate, or develop one or more “critical technologies.” As currently defined, “critical technologies” include most items controlled under U.S. export controls; certain nuclear-related materials and items covered by the select agents and toxins regulations. Of note, pursuant to the Export Control Reform Act—which was passed alongside FIRRMA—the Department of Commerce currently is in the process of identifying so-called “emerging and foundational technologies.” Once published, these technologies will be subject to export control restrictions, and covered under the definition of “critical technology.”
- The foreign investor must acquire at least one of three triggering rights: board membership or observer rights; access to non-public technical information concerning the U.S. business’s critical technology; or involvement in substantive decision-making regarding the U.S. business’s critical technology. Note, if the foreign investor obtains control over a critical technology business that would qualify as well. The parties to a pilot program covered transaction have the option of submitting a traditional CFIUS filing, known as a joint voluntary notice; or an abbreviated declaration. Each option presents certain advantages and disadvantages.
Brendan Hanifin: It sounds like the pilot program introduced some very significant changes to the process. How are investors coping?
Ama Adams: For firms whose funds may qualify as foreign persons (as broadly defined for CFIUS purposes), the pilot program has promoted a top-to-bottom reassessment of investment strategy and pre-investment due diligence requirements, increasing the risk—and the transaction costs—for parties that operate within, or seek to invest in, designated pilot program industries. Even for U.S. investment firms, the pilot program has sparked rethinking of fundraising strategy, as well as heightened attention to negotiation of investment documentation. However, as certain key terms in the pilot program regulations—most notably, “emerging and foundational technology”—have not yet been defined, the pilot program has had less bite than predicted. In practice, many parties negotiate contractual or side letter rights that remove one or more pilot program jurisdiction triggers, thereby eliminating the need for a mandatory CFIUS filing.
Brendan Hanifin: Understanding that these changes have not yet been implemented, how will FIRRMA affect investments in U.S. businesses that own or operate critical infrastructure; or collect or maintain sensitive data of U.S. citizens?
Ama Adams: As noted, in mid-September, the Department of Treasury published proposed rules that would expand CFIUS’s jurisdiction to review non-passive, non-controlling investments in certain critical infrastructure companies, as well as certain companies that collect sensitive data of U.S. citizens. With respect to critical infrastructure, the expanded jurisdiction would apply to U.S. businesses that perform specified services with respect to a delineated list of critical infrastructure. Covered critical infrastructure would include, for example, specified airports and maritime ports; public water systems; certain interstate oil and natural gas pipelines; and certain electrical energy infrastructure. With respect to personal data, the expanded jurisdiction would apply to U.S. businesses that collect genetic information, as defined under HHS regulations; or collect certain categories of “identifiable” data and either tailor their products and services to U.S. agencies with intelligence, national security, or homeland security responsibilities; or maintain or collect such data on greater than one million individuals.
In all cases, for the expanded jurisdictional requirements to apply, the foreign investor must acquire qualifying rights in respect of the U.S. business. These rights will be familiar from our discussion of the pilot program. The qualifying rights include: board member or observer rights; access to material non-public technical information in the possession of the U.S. business; or involvement in substantive decision-making regarding the use, development, acquisition, or release of critical technology, critical infrastructure, or sensitive personal data. Importantly—subject to one key exception—the proposed rules would not extend the mandatory notification requirement to U.S. businesses that deal in critical infrastructure or sensitive personal data. The exception is that the proposed rules would introduce a new, mandatory filing requirement for transactions in which a foreign government would acquire a substantial interest in a U.S. critical technology company, U.S. critical infrastructure company, or U.S. personal data company. “Substantial interest” is defined as a 25% or greater voting interest by a foreign person, in which a foreign government holds a 49% or greater voting interest.
Brendan Hanifin: When FIRRMA was passed, the legislation’s treatment of real estate transactions prompted a lot of concern among foreign investors. Would the proposed rules implement any changes with respect to real estate investments?
Ama Adams: Yes. Historically, CFIUS has had jurisdiction over real estate transactions only where the transaction could result in control by a foreign person over an entity engaged in interstate commerce in the United States. The proposed rules would expand CFIUS’s jurisdiction to include certain types of real estate transactions, even where there is no accompanying investment in a U.S. business. Specifically, CFIUS would have jurisdiction to review any purchase or lease by, or concession to, a foreign person of covered real estate, that affords the foreign person at least three qualifying rights. Covered real estate is defined to include real estate that is located within, or will function as part of, an airport or maritime port; or located within specified proximity of a designated military installation or other facility or property of the U.S. government. Qualifying property rights would include the right to physically access the real estate; exclude others from physical access to the real estate; improve or develop the real estate; or attach fixed or immovable structures or objects to the real estate. Notably, the proposed rules would not introduce a mandatory notice requirement for covered real estate transactions. In addition, the proposed rules would incorporate key exceptions based on the type of real estate transaction, such as covered real estate located in urbanized areas or that qualifies as a single housing unit.
Brendan Hanifin: Many foreign investors are surprised to learn that CFIUS—at least historically—has not differentiated from a jurisdictional perspective between countries that are friendly to the United States, such as Canada and the United Kingdom, and countries that are perceived to be less friendly to (or competitors of) the United States, such as China and Russia. The introduction of the mandatory filing requirement exacerbated this issue, as the filing requirement—and penalties for failure to file—apply across the board. Would the proposed rules address this incongruity?
Ama Adams: One of the questions that the U.S. government has grappled with in implementing FIRRMA is whether to issue a so-called “white list” of countries or investors that are exempt from CFIUS’s jurisdiction, to reduce the burden on the Committee of reviewing notices and declarations and to focus CFIUS’s energy on the actors that, in the U.S. government’s estimation, present the greatest national security risk. The proposed rules introduce the concept of “excepted foreign states,” a list of which will be published by the Department of Treasury at a future date. However, if the proposed rules were implemented in their current form, there is a reason to believe that the “excepted foreign state” exemption will be narrow.
Specifically, the proposed rules suggest that the list of “excepted foreign states” will be quite short, at least initially. In addition, not all parties located in or organized under the laws of an “excepted foreign state” would be exempt from CFIUS’s jurisdiction. To qualify for the exemption, the party must be organized in, and maintain its principal place of business within, the excepted foreign state or the United States. In addition, all directors and investors over 5% must be citizens of either the excepted foreign state or the United States. In addition, the “excepted foreign state” exemption will not be available to parties that have been subject to any adverse action by CFIUS or a range of other agencies of the U.S. government, including the agencies responsible for administering U.S. economic sanctions and U.S. export controls. Accordingly, while there may indeed be a “white list” once FIRRMA is fully implemented, the exemption may have limited practical application.
Brendan Hanifin: Assuming the “excepted foreign state” exemption did not apply, are there other exemptions that foreign investors may avail themselves of?
Ama Adams: Yes, with the caveat that all of the exemptions are fairly narrow in practice. For example, the CFIUS regulations recognize an exception for so-called “greenfield investments,” meaning investments in start-up initiatives without current operations, on the theory that such initiatives do not qualify as “U.S. businesses.” Under the regulations, a foreign person makes a “greenfield investment” in the United States if the investment involves only such activities as “separately arranging for the financing of and the construction of a plant to make a new product, buying supplies and inputs, hiring personnel, and purchasing the necessary technology.” In practice, this exception is very narrow. In particular, in some cases, CFIUS may view assets assembled in anticipation of forming a future business as sufficient to constitute a “U.S. business.” In addition, the regulations describe a “safe harbor” for transactions that result in a foreign person holding 10% or less of the outstanding voting interest in a U.S. business. CFIUS narrowly construes the safe harbor exemption, and the Committee will scrutinize any action by a foreign investor that is inconsistent with holding or acquiring an interest solely for the purpose of passive investment. With respect to critical technology companies, critical infrastructure companies, and companies that collect sensitive data of U.S. citizens, the safe harbor will not be available if the foreign investor acquires a qualifying right (such as board or observer rights; access to material non-public technical information; or involvement in substantive decision-making).
Finally, FIRRMA codified what has become known as the “indirect investment fund exception.” This exception provides that indirect participation by foreign persons through investment funds in covered transactions will not automatically result in CFIUS jurisdiction, even if the foreign investor is represented on an advisory board or a fund committee. For the exception to apply, the following criteria must be met: the fund must be managed by a U.S. general partner or a U.S. managing member (or equivalent); the relevant advisory board or committee must not approve, disapprove, or control the fund’s investment decisions; the foreign person must not otherwise have the ability to control the fund; and the foreign person must not have any access to material nonpublic technical information as a result of its advisory board or committee representation.
Because of the complexity of fund structures, application of the indirect investment fund exception can require nuanced, structure-specific analysis.
Brendan Hanifin: FIRRMA is scheduled to be fully implemented by February 2020. What should investors and investment targets be doing between now and then?
Ama Adams: First, parties should familiarize themselves with the proposed rules published on September 17 and assess whether those rules—if implemented in their current form—would present new and significant CFIUS considerations. Because the rules are not yet finalized, it is difficult to fully account for them in the drafting of limited partnership agreements, due diligence questionnaires, and similar documents. However, as the proposed rules indicate where CFIUS appears to be headed, this is an opportune time for investors and investment targets to begin some advance planning, particularly as significant transactions and fundraising activities can involve many months’ lead-time.
Second, parties should be on the lookout for the Department of Commerce’s forthcoming rulemaking on “emerging and foundational technologies.” In addition to expanding the scope of the critical technology pilot program, this rulemaking will affect transactions that are excluded from the scope of FIRRMA, such as licensing arrangements and pure technology transfers. Although these transactions will remain outside of CFIUS’s jurisdiction, they could require export licenses from the Department of Commerce.
Finally, parties should prepare themselves to contribute greater time and resources to conducting CFIUS diligence pre-investment, on both the investor and the investment target side. The introduction of a mandatory notice requirement for certain transactions significantly increases the importance of ensuring that the pre-investment CFIUS analysis is based on accurate and complete information. Along similar lines, the pending regulations to implement FIRRMA foreseeably will result in an increase in CFIUS filings (and, thereby, longer CFIUS review periods).
Brendan Hanifin: Thank you, Ama, for joining me today for this discussion. And thank you to our listeners. For more information regarding the topics discussed today or other aspects of the CFIUS review process, as well as links to our recent client alerts and analyses, please visit our CFIUS practice page at www.ropesgray.com. If we can help you to navigate this complex and rapidly developing area of the law, please do not hesitate to contact us. You can also subscribe and listen to this series wherever you regularly listen to podcasts, including on Apple, Google or Spotify. Thanks again for listening.