Podcast: CFIUS Update: Key Takeaways from the FIRRMA Implementing Regulations
In this Ropes & Gray podcast, Ama Adams and Brendan Hanifin discuss new regulations implementing the Foreign Investment Risk Review Modernization Act (“FIRRMA”). The new regulations, which took effect on February 13, 2020, significantly expanded the scope of CFIUS’s jurisdiction to review foreign investments in U.S. businesses. This podcast discusses the implications of FIRRMA for U.S. and non-U.S. investors, as well as U.S. businesses that seek foreign investment.
Brendan Hanifin: Hello, and thank you for joining us today on this Ropes & Gray podcast, during which we will be discussing the Committee on Foreign Investment in the United States (“CFIUS”) and, in particular, the new regulations implementing the 2018 CFIUS reform legislation, the Foreign Investment Risk Review Modernization Act (“FIRRMA”). I am Brendan Hanifin, counsel in Ropes & Gray’s Chicago office. Joining me for today’s discussion is Ama Adams, a partner in our Washington, D.C. office, and the leader of the firm’s CFIUS practice. Today, our discussion will focus on key changes introduced by the FIRRMA implementing regulations, which went into effect on February 13, 2020.
Ama, historically, CFIUS has had authority to review a relatively narrow subset of foreign investments in U.S. businesses—specifically, investments that could result in foreign control of a U.S. business. How do the FIRRMA rules expand the scope of CFIUS’s jurisdiction?
Ama Adams: Thanks, Brendan. The FIRRMA rules expanded CFIUS’s jurisdiction to review non-passive, non-controlling investments in three categories of U.S. businesses: critical technology companies, critical infrastructure companies, and companies that collect or maintain sensitive personal data of U.S. citizens. In this context, a non-passive, non-controlling investment is one that affords a foreign investor: board member or observer rights; access to material nonpublic technical information in the possession of the U.S. business; or involvement in substantive decision making of the U.S. business regarding critical technology, critical infrastructure, or sensitive personal data.
Brendan Hanifin: In assessing whether CFIUS’s expanded jurisdiction may be triggered under FIRRMA, it is important to note that the Committee construes the phrases “involvement in substantive decision making” and “access to material nonpublic technical information” broadly. In particular, broadly worded inspection, information, or management consultation rights may be sufficient to trigger CFIUS’s expanded jurisdiction (although, we note that the definition of “material nonpublic technical information” explicitly excludes financial information).
Ama Adams: Exactly. For this reason, investors and investment targets increasingly are seeking to clarify in transaction documents the scope of information and access rights that will be extended to foreign investors.
Having discussed what investor rights may trigger the Committee’s expanded jurisdiction, let’s next drill down on the three categories of U.S. businesses to which the expanded jurisdiction applies.
Brendan Hanifin: The FIRRMA rules introduced a new definition – “TID U.S. Business” – short for Technology, Infrastructure, and Data U.S. Business. This definition covers the three categories of U.S. businesses that are the central focus of FIRRMA; namely, U.S. businesses that:
- Produce, design, test, manufacture, fabricate, or develop one or more critical technologies;
- Own, operate, manufacture, supply or service any of 28 identified categories of critical infrastructure; or
- Maintain or collect sensitive data of U.S. citizens.
The first category, critical technology businesses, has perhaps attracted the most attention, primarily owing to the critical technology pilot program that CFIUS implemented in late 2018. At the time, CFIUS stated that the pilot program would end no later than March 2020. Do the FIRMMA rules address the pilot program?
Ama Adams: Yes, the FIRRMA rules largely codified the critical technology pilot program regulations, which introduced a mandatory filing requirement for certain investments in U.S. businesses that produce, design, test, manufacture, fabricate, or develop critical technology for use in certain, designated industries. However, CFIUS is in the process of implementing modifications that may provide some relief for investments in U.S. critical technology companies. These potential modifications include: proactively exempting transactions involving certain encryption-related items, to mitigate the risk of companies that develop commercially available encryption software being caught up in mandatory filings; and eliminating the current industry-focused criteria in favor of criteria that focus on export control licensing requirements.
Collectively, these modifications may alleviate some of the uncertainty around what constitutes a critical technology company. In addition, the changes may usher in a modest reduction in the number of transactions subject to a mandatory filing requirement going forward.
Brendan Hanifin: The critical technology pilot program regulations defined “critical technologies” to include emerging and foundational technologies controlled pursuant to the Export Control Reform Act of 2018. Do the FIRMMA regulations clarify what technologies qualify as “critical technologies”?
Ama Adams: Unfortunately, no. In recent weeks, it has become clear that the Commerce Department intends to introduce new export controls pursuant to the Export Control Reform Act on a rolling basis, rather than through issuance of a single, comprehensive rule. The Commerce Department published the first set of new restrictions—related to geospatial imagery software—on January 6. Interested parties—including those operating or considering investments in the biotechnology, artificial intelligence, advanced computing, and robotics spaces—will need to continue to monitor for new developments.
Brendan Hanifin: We’ve touched on the mandatory filing requirement for certain investments in U.S. critical technology companies. We should also note that the FIRRMA rules introduced a mandatory filing requirement for transactions that result in the acquisition of a “substantial interest” in a TID U.S. Business by a foreign person in which a foreign government has a “substantial interest.” In this context, substantial interest means that two thresholds are met:
first, that a foreign person acquires a 25% or greater voting interest in a TID U.S. Business; and second, that a foreign government owns at least a 49% voting interest in the foreign investor.
For investment funds, the substantial interest test is met where a foreign government holds a 49% or greater interest in the general partner, managing member, or equivalent. This is important, as under the originally proposed version of the FIRRMA rules, a 49% or greater limited partner interest would have qualified as a substantial interest.
Ama Adams: Fortunately, unless a foreign government investor would meet the substantial interest test, the FIRRMA rules do not impose a mandatory filing requirement for the other categories of TID U.S. Businesses: critical infrastructure and sensitive data companies.
With respect to critical infrastructure, the expanded jurisdiction applies to U.S. businesses that perform specified services with respect to a delineated list of critical infrastructure. Covered critical infrastructure includes, for example, specified airports and maritime ports; public water systems; certain interstate oil or natural gas pipelines; and certain electrical energy infrastructure. With respect to data companies, the expanded jurisdiction applies to U.S. businesses that collect or maintain: patient identifiable genetic test results; or other categories of “identifiable” data (e.g., financial, health, and geolocation data) and either tailor their products and services to U.S. agencies with intelligence, national security, or homeland security responsibilities or collect such data on greater than 1 million individuals within a 12-month period.
Brendan Hanifin: Another key aspect of FIRRMA is the legislation’s treatment of real estate investments. The FIRRMA rules expand CFIUS’s jurisdiction to include certain types of real estate transactions, even where there is no accompanying investment in a U.S. business.
Specifically, CFIUS now has jurisdiction to review any purchase or lease by, or concession to, a foreign person of covered real estate that affords the foreign person at least three qualifying rights (e.g., access rights or development rights). Real estate located within certain ranges of proximity to, or inside, airports, maritime ports, military installations, and other identified facilities are now subject to CFIUS review. Helpfully, CFIUS is in the process of developing an online tool to assist the public in understanding what real estate is covered given the broad geographical areas and locations that are identified in the FIRMMA rules.
Ama, CFIUS has been grappling with whether to issue a so-called “white list” of countries or actors that are exempt from CFIUS’s jurisdiction. Do the FIRRMA rules introduce the concept of a white list?
Ama Adams: Yes, although the white list is quite narrow. Specifically, the FIRRMA rules exempt from CFIUS jurisdiction certain, limited categories of investments by Australian, Canadian, and UK investors. For the exemption to apply, the foreign investor must be organized and have its principal place of business in the United States or an excepted foreign state (e.g., Australia, Canada, and the United Kingdom). In addition, the foreign investor must meet stringent ownership and director nationality thresholds. Importantly, the white list exception is not to be available for “control transactions”—i.e., investments that afford a foreign person the ability to control a U.S. business – that are within the scope of CFIUS’s traditional jurisdiction.
Brendan Hanifin: For Australia, Canada, and the United Kingdom, the excepted foreign state designation applies automatically between February 13, 2020 and February 13, 2022. After February 13, 2022, each of these countries—as well as any future candidates—will qualify as excepted foreign states only upon a determination by CFIUS that the country has established and is effectively utilizing a robust process to analyze foreign investments for national security risks and to facilitate coordination with the United States on matters relating to national security.
Ama, putting this all together, what industries are most likely to be affected by FIRRMA?
Ama Adams: Without a doubt, the implications of FIRRMA are being felt across a broad range of industries. For companies that may deal in “emerging and foundational technologies,” we will not be able to assess the full impact of FIRRMA until the Commerce Department fulfills its mandate under the Export Control Reform Act. With those caveats, I think the changes introduced by FIRRMA are having the most immediate—and dramatic—implications for the health care and life sciences industry, as well as big data companies. As we have discussed, the FIRRMA rules significantly expand CFIUS’s jurisdiction with respect to health care and life sciences investments, in two key respects.
- CFIUS now has jurisdiction to review non-passive, non-controlling investments in U.S. businesses that operate within the biotechnology industry and deal in critical technology. The definition of critical technology remains in flux, but is expected to ultimately encompass categories of biotechnology (e.g., nanobiology; synthetic biology; genomic and genetic engineering; and neurotech), artificial intelligence/machine learning, and advanced data analytics.
- CFIUS now has jurisdiction to review non-passive, non-controlling investments in U.S. businesses that collect or maintain patient identifiable genetic test results (including any related genetic sequencing). Given that many health care and life sciences companies have access to identifiable genetic test results—and, potentially, other categories of sensitive personal data—FIRRMA expands CFIUS’s jurisdiction to include a significant percentage of foreign investments that previously were not subject to CFIUS review.
Along similar lines, the FIRRMA rules expand CFIUS’s jurisdiction to non-passive, non-controlling investments in U.S. companies that collect sensitive personal data. Given the emergence of consumer data as a product in itself—and the ease with which U.S. businesses can collect such data—many U.S. businesses that historically would not have presented obvious national security concerns are now captured by CFIUS’s expanded jurisdiction.
Brendan Hanifin: Thank you, Ama, for joining me today for this discussion. And thank you to our listeners. For more information regarding the topics discussed today or other aspects of the CFIUS review process, as well as links to our recent client alerts and analyses, please visit our CFIUS practice page at www.ropesgray.com. If we can help you to navigate this complex and rapidly developing area of the law, please do not hesitate to contact our team. You can also subscribe and listen to this series wherever you listen to podcasts, including on Apple, Google or Spotify. Thanks again for listening.