New CFIUS Rules – Eight Key Points

International Trade & Compliance Alert

CFIUS 新实施条例的八个要点

The Committee on Foreign Investment in the United States ("CFIUS") issued final regulations on January 13, 2020 to comprehensively implement the Foreign Investment Risk Review Modernization Act of 2018 ("FIRRMA") (the "Regulations").[1] The Regulations will become effective on February 13, 2020. CFIUS's existing regulations will continue to apply to transactions that close, or for which a definitive written agreement is signed, before February 13.

CFIUS issued proposed rules to implement FIRRMA (the "Proposed Rules") in September 2019 (see our September 2019 alert), and the Regulations largely track the Proposed Rules. But the Regulations include some important changes. Most public comments seeking to narrow the regulations were dismissed; extensive and detailed definitions, illustrations and elaborations generally add to the reach and complexity of the Regulations.

Key points about the Regulations are as follows:

  1. New Jurisdiction over Certain Non-Controlling Investments and Real Estate Transactions: The Regulations expand CFIUS's traditional jurisdiction over foreign investment transactions that could result in control over a U.S. business by a foreign person (now called "covered control transactions") to include two additional types of transactions:
    • Certain non-controlling investments in U.S. businesses involved with "critical technologies," "critical infrastructure" or "sensitive personal data" ("TID U.S. businesses") where the investor is accorded certain "triggering rights"; and
    • Certain transactions involving real estate.
  1. Mandatory Filings for Two Categories of Transactions: Most filings with CFIUS will remain voluntary, but certain foreign investment transactions involving critical technology or foreign government ownership will require mandatory filings, with certain exceptions. CFIUS implemented FIRRMA's mandatory filing requirement for certain critical technology investments through its "pilot program" regulations (the "Pilot Program") in October 2018 (see our October 2018 alert). The Pilot Program will terminate as of February 13, 2020, but its provisions are largely included in the Regulations. In a change from the Pilot Program, the Regulations restrict the scope of critical technology transactions for which filings are required by excluding encryption items that are covered by an export control license exception.
  1. Certain Exceptions for Qualifying Investors from Identified Countries: There are exceptions to CFIUS's expanded jurisdiction over certain non-controlling investments and real estate transactions for investors from "excepted foreign states" – initially Australia, Canada and the United Kingdom – that meet certain qualifications. These exceptions are likely of limited utility as, among other things, they do not extend to covered control transactions.
  1. Incremental Acquisitions: The Regulations continue to provide a safe harbor from future CFIUS review of additional investments in a U.S. business by a foreign person where CFIUS cleared a prior controlling investment, but not a non-controlling investment, by the same foreign person.
  1. Investment Funds: CFIUS has proposed an interim rule defining the term "principal place of business" using a "nerve center" test, which may serve to exclude from CFIUS's jurisdiction certain investment funds organized outside the United States but managed by U.S. general partners. In addition, indirect non-controlling investments in TID U.S. businesses by foreign persons through investment funds managed by U.S. persons are excluded from CFIUS's jurisdiction – even where the foreign person sits on the fund's advisory board or committee – if certain conditions are met.
  1. Optional Short-Form Filings: Investors will be permitted to make a CFIUS filing using either a traditional "notice" or an abbreviated "declaration." The use of a declaration offers the potential, but not a guarantee, of a shorter, streamlined review process.
  1. No Filing Fees Yet: CFIUS has not yet implemented a filing fee authorized by FIRRMA.
  1. Major Impact on Technology Sector: Concerns about technology transfer to China animated the policy debate that led to FIRRMA. Not surprisingly, the Regulations and related export control changes will have a decisive impact on large segments of the U.S. technology sector that were previously unaffected by CFIUS or export control requirements.

With the issuance of the Regulations, CFIUS is implementing the bulk of the sweeping reforms to the U.S. foreign investment review process mandated by FIRRMA. Future foreign investment transactions will need to be carefully measured against these expansive Regulations, and any assessment of a proposed transaction will be very fact-dependent. It will be important for parties to focus on CFIUS issues early when considering a potential transaction.


  1. Expanded CFIUS Jurisdiction

    1. Certain Non-Controlling Investments in Critical Technology, Critical Infrastructure and Sensitive Personal Data Businesses: TID U.S. Business Investments

      Largely consistent with the Proposed Rules, under the Regulations, CFIUS will generally have jurisdiction over non-controlling investments conveying specified triggering rights in the following unaffiliated TID U.S. businesses to a foreign investor ("covered investments"):[2]

      • Critical Technology Businesses: U.S. businesses that produce, design, test, manufacture, fabricate or develop one or more "critical technologies." Critical technologies include: defense articles or services on the International Traffic in Arms Regulations U.S. Munitions List; items on the Commerce Control List of the Export Administration Regulations ("EAR") and controlled for specified security-related reasons; certain nuclear equipment and facilities; select agents and toxins; and "emerging" and "foundational technologies" (a key subset of critical technology yet to be identified by the U.S. Commerce Department).
      • "Covered Investment Critical Infrastructure" Businesses:[3] U.S. businesses that perform specified "functions" (owning, operating, manufacturing, supplying or servicing) with respect to certain systems and assets.[4] The covered critical infrastructure and corresponding functions are included in an appendix to the Regulations.
      • Sensitive Personal Data ("SPD") Businesses: U.S. businesses that maintain or collect, directly or indirectly, SPD of U.S. citizens that is susceptible to being exploited for national security reasons. In general, a U.S. business will be considered to maintain or collect SPD if it: (i) targets or tailors products or services to sensitive groups, such as military personnel; (ii) has maintained or collected SPD on more than one million individuals within the 12-month period preceding certain transaction-related events; or (iii) has a demonstrated business objective to maintain or collect SPD on greater than one million individuals and the SPD is an integrated part of the U.S. business's primary products or services. The Regulations identify specific categories of SPD, including certain financial, insurance and health data; certain non-public electronic communications; geolocation data; biometrics; and genetic testing results.

      For CFIUS to have jurisdiction over non-controlling investments in a TID U.S. business, the foreign investor must receive one or more of the following triggering rights in the U.S. business:

      • Access to material non-public technical information in possession of the U.S. business related to critical technology or covered investment critical infrastructure;
      • Membership or observer rights on, or the right to nominate an individual to a position on, the board of directors or equivalent governing body of the U.S. business; or
      • Involvement, other than through the voting of shares, in substantive decision-making of the U.S. business regarding the use of SPD of U.S. citizens; the development or release of critical technologies; or the operation or supply of covered investment critical infrastructure.  

    1. Real Estate Transactions

      CFIUS will have jurisdiction over certain purchases or leases by, or concessions to, foreign persons of certain U.S. real estate located in or within a certain distance from various sensitive locations ("covered real estate") that result in the foreign person having specified property rights. Sensitive locations include: (i) major airports and commercially strategic maritime ports;[5] and (ii) U.S. military installations and other U.S. government property deemed sensitive for national security reasons. The new real estate rules include an appendix that identifies the relevant military installations and other U.S. government sites.

      Such real estate transactions will fall within CFIUS's jurisdiction if they generally afford a foreign person at least three of the following property rights: (i) to physically access the property; (ii) to exclude others from physically accessing the property; (iii) to improve or develop the property; or (iv) to attach fixed or immovable structures or objects to the property.

      There are certain exceptions to CFIUS's jurisdiction over real estate transactions, including those involving: (i) qualifying foreign investors related to "excepted foreign states," as discussed below; (ii) certain real estate within an urbanized area or urban cluster; (iii) real estate that is a single housing unit; or (iv) certain foreign air carriers.

      There are no mandatory filings for covered real estate transactions.

  1. Mandatory Filing Requirements and Exceptions

    Under the Regulations, certain foreign investment transactions involving critical technology or foreign government ownership are subject to mandatory filing generally at least 30 days before closing.

    1. Critical Technology

      The Regulations implement and amend certain elements of the Pilot Program. Filing is mandatory for covered transactions – controlling or non-controlling – involving a TID U.S. business that (i) produces or otherwise develops critical technologies for use by the U.S. business in one or more of 27 specified industries defined by the North American Industrial Classification System ("NAICS") codes[6] or (ii) designs critical technology specifically for use in one or more of these industries.[7] In an important change that will alleviate some of the burden anticipated under the Proposed Rules on U.S. companies using encryption that falls within the definition of critical technology, U.S. software companies are excepted from this mandatory filing requirement if their only critical technology is eligible for export pursuant to License Exception ENC under the EAR. Also excepted are investments covered by foreign, ownership, influence or control mitigation agreements and covered control transactions by excepted investors (discussed below).

    1. Foreign Government "Substantial Interest"

      Filing is mandatory for transactions resulting in an acquisition, directly or indirectly, of a "substantial interest" in TID U.S. businesses by a foreign person in which a certain foreign government has, directly or indirectly, a "substantial interest." The term "substantial interest" has two meanings in this context: if a foreign person's investment in a TID U.S. business gives the foreign person a 25% or greater direct or indirect voting interest in the business and a foreign government holds a 49% direct or indirect interest in such foreign person, a filing with CFIUS will generally be required. In a change from the Proposed Rules, the Regulations provide that if the foreign person has a general partner or equivalent, the foreign state will be considered to have a substantial interest in the entity only if the government holds 49% or more of the interest in the general partner or equivalent. Limited partnership interests will not count.

    There are also exceptions to both categories of mandatory filings for certain transactions by investment funds, as discussed below.

    The government may assess civil monetary penalties for a failure to make a mandatory filing against the foreign investor, the U.S. investment target business or both up to the greater of $250,000 per violation or the value of the transaction.

  1. Excepted Foreign States: Investments in TID U.S. Businesses and Real Estate Transactions

    Importantly, CFIUS's expanded jurisdiction generally does not extend to non-controlling investments and real estate transactions by foreign persons with a specified connection to one of the "excepted foreign states," as identified by CFIUS due to aspects of their robust intelligence sharing and defense industrial base integration mechanisms with the United States. CFIUS has only identified three such countries in the Regulations – Australia, Canada and the United Kingdom. For a country to remain or become excepted after February 13, 2022, CFIUS must determine that the country has a robust national security-based foreign investment review process that facilitates coordination with the United States.

    While this is an important exception, its benefits are likely to be limited as it does not affect CFIUS's traditional jurisdiction over covered control transactions. In addition, to qualify for the exception, the foreign person must meet certain criteria outlined in the Regulations, such as where the foreign person is an entity, specified limits on percentages or numbers of directors, board observers and shareholders from non-excepted jurisdictions. Moreover, a foreign person will not qualify as an excepted investor if it has violated certain laws, including U.S. sanctions laws, or been identified by the U.S. government for certain "bad" activities, such as being included on the Commerce Department's Entity List, or notified by CFIUS that it has previously violated a mitigation agreement.

  1. CFIUS's Jurisdiction over Incremental Acquisitions

    Under the Regulations, in general, if CFIUS clears a covered control transaction based on either a notice or a declaration, any subsequent acquisition by the foreign person of an additional interest in or change in its rights with respect to the U.S. business will not constitute a covered transaction. However, if a different foreign person that did not previously acquire control of the U.S. business is a party to the new transaction, the later transaction may constitute a covered transaction. Notably, CFIUS clearance of a non-controlling investment does not provide a safe harbor with respect to a future acquisition of additional interest or rights in a U.S. business if the later acquisition falls within the scope of the covered investment or covered control transaction definition.

  1. Investment Funds and New Principal Place of Business Definition

    To address comments on the Proposed Rules regarding investment funds managed and controlled by U.S. persons, CFIUS has concurrently issued an interim rule defining "principal place of business," a term used in the definition of "foreign entity." An organization organized under the laws of a foreign state whose principal place of business is in the United States is not a foreign entity. The new definition of principal place of business uses a "nerve center" test: "the primary location where an entity's management directs, controls, or coordinates the entity's activities, or, in the case of an investment fund, where the fund's activities and investments are primarily directed, controlled, or coordinated by or on behalf of the general partner, managing member, or equivalent." However, if an entity has represented to the U.S. or a state or foreign government in its most recent filing that its principal place of business or the address of its principal executive offices or headquarters is outside the United States, such location will be deemed its principal place of business, unless it can demonstrate that such location has changed to the United States. This new definition may help certain foreign-organized investment funds managed by general partners located in the United States avoid classification as foreign entities, thus staying outside CFIUS's jurisdiction when investing in U.S. businesses.

    The Regulations also implement provisions of FIRRMA that exclude certain non-controlling indirect investments in TID U.S. businesses through investment funds from CFIUS's jurisdiction. An indirect investment in a TID U.S. business by a foreign person through an investment fund that accords the foreign person membership as a limited partner or equivalent on an advisory board or a committee of the fund is not a covered investment if:

    • The fund is managed exclusively by a general partner or equivalent that is not a foreign person;
    • The advisory board or committee does not have the ability to control investment decisions of the fund or decisions made by the general partner or equivalent related to entities in which the fund is invested;
    • The foreign person does not otherwise have the ability to control the investment fund; and
    • The foreign person does not receive any of the triggering rights discussed above (related to critical technology information access, board/observer rights or involvement in decision-making).

    In addition, the Regulations exempt from the mandatory filing requirements any covered transaction in a TID U.S. business by an investment fund that meets the criteria described in the first three bullets in the preceding paragraph even if the investment fund itself receives triggering rights. If the foreign person invested in the fund receives any triggering rights, however, its indirect investment would be subject to a mandatory declaration, even though the investment fund’s direct investment would not.[8]

  1. Declaration as Alternative to Traditional Notice

    Parties may generally choose to file "declarations" (abbreviated notices) or conventional written notices for covered transactions. Within 30 days of CFIUS's acceptance of a declaration, CFIUS must (i) request a formal written notice; (ii) initiate unilateral review; (iii) inform the parties that review cannot be completed based on the declaration; or (iv) clear the transaction. Thus, the short-form declaration offers a possibly speedier review process. But because, depending on CFIUS's disposition of a declaration, the parties may wind up having to file a notice later, they will need to consider carefully which type of filing makes sense for a particular transaction.

  1. Fees

    The Treasury Department expects to engage in a separate proposed rulemaking at a later date in connection with assessment and collection of filing fees for covered transactions consistent with FIRRMA authorizations.

  1. Technology Sector to Feel Effects Most Acutely

    While the Regulations will broadly affect sectors from energy and infrastructure to finance, their foremost impact will likely be on the U.S. technology sector. CFIUS requirements have had little or no impact on many companies in areas such as artificial intelligence and autonomous vehicles. Particularly with export controls expanding into these areas, CFIUS requirements will have decisive effects on international investing in these subsectors.

[1] The Regulations include two final regulations: 31 C.F.R. Parts 800 and 801 (Provisions Pertaining to Certain Investments in the United States by Foreign Persons), available here; and 31 C.F.R. Part 802 (Provisions Pertaining to Certain Transactions by Foreign Persons Involving Real Estate in the United States), available here.

[2] The term "covered transaction" has been amended to include both covered control transactions and covered investments. It also includes changes in a foreign person's rights with respect to a U.S. business in which the foreign person has an investment, if the change could result in a covered control transaction or a covered investment, and transactions or arrangements designed or intended to evade or circumvent FIRRMA or the Regulations.

[3] Covered investment critical infrastructure is a subset of "critical infrastructure," which is defined as "systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems or assets would have a debilitating impact on national security." For purposes of covered control transactions, CFIUS will continue to use this broader definition of critical infrastructure.

[4] Examples of these systems and assets include, for example, electric energy systems or facilities providing electric power to or located near military installations and petroleum facilities, LNG terminals or storage facilities and interstate petroleum and LNG pipelines.

[5] The ports themselves are also considered covered real estate.

[6] The list of industries is included in an appendix to the Regulations.

[7] CFIUS has indicated that it intends to revise this mandatory declaration requirement from one based on NAICS codes to one based upon export control licensing requirements, but no timeframe has been indicated.

[8] The exception to the critical technology mandatory filing requirement applies if the general partner exclusively managing the fund either is not a foreign person or is ultimately controlled by U.S. nationals.