International Trade & Compliance Alert
As anticipated in our prior alert, today the Committee on Foreign Investment in the United States (“CFIUS”) published a final rule that ties CFIUS’s mandatory filing requirement for certain “critical technology” transactions to U.S. export control licensing requirements, rather than to use of the “critical technology” within one of 27 “covered industries.” The final rule, once implemented, will require a CFIUS filing for certain transactions where an export authorization would be required to transfer a U.S. business’s critical technology to a foreign investor or parties holding significant interests in the foreign investor.
The new regulations will continue a trend of tying CFIUS requirements ever closer to export control requirements. Furthermore, foreign investments in U.S. businesses with critical technology will likely trigger mandatory CFIUS filings more often than currently is the case. That will be especially true for investors from countries subject to far-reaching U.S. export control restrictions – such as China and Russia.
The final rule becomes effective October 15, 2020 with respect to transactions within CFIUS’s jurisdiction (“covered transactions”) with a completion date (or other qualifying event, such as the execution of a binding written agreement) after October 15, 2020.
The impending changes are consistent with the Foreign Investment Risk Review Modernization Act of 2018 (“FIRRMA”), which authorizes CFIUS to mandate filings for covered transactions involving certain U.S. businesses that produce, design, test, manufacture, fabricate or develop one or more critical technologies. Critical technologies comprise goods, services, software and technical information that are export-controlled or similarly regulated in specified ways.
Among other things, FIRRMA extended CFIUS’s jurisdiction to cover not only acquisitions of control of U.S. businesses (“covered control transactions”), but also “covered investments” – non-controlling investments by foreign persons in unaffiliated U.S. businesses involved with “critical technologies,” “critical infrastructure” or “sensitive personal data” (“TID U.S. businesses”) where the investor is accorded certain “triggering rights.”
Under CFIUS’s current regulations, with certain exceptions, transaction parties are required to notify CFIUS of any covered control transaction or covered investment involving a TID U.S. business that produces, designs, tests, manufactures, fabricates or develops one or more critical technologies utilized in connection with the TID U.S. business’s activity in, or designed by the TID U.S. business specifically for use in, one or more of 27 specified industries (identified by their North American Industry Classification System (“NAICS”) codes).
Once the new final rule comes into force, the current NAICS codes-based test will be replaced with an export control-based test. Specifically, a proposed covered transaction will be subject to the CFIUS mandatory notification requirement where one or more “U.S. regulatory authorizations” would be required to export, reexport or retransfer one or more of the U.S. business’s critical technologies to the foreign investor or a foreign person holding a significant ownership or control stake in a foreign investor.
For these purposes, “U.S. regulatory authorization” means a license or authorization under one of the four major U.S. export control regimes: (i) the U.S. Department of State’s International Traffic in Arms Regulations (the “ITAR”); (ii) the U.S. Department of Commerce’s Export Administration Regulations (the “EAR”); (iii) the Department of Energy’s regulations governing assistance to certain foreign atomic-energy activities; and (iv) the Nuclear Regulatory Commission’s regulations governing the export and import of certain nuclear equipment and material.
The export authorization test must be applied with respect to a person that: (i) could directly control a relevant U.S. business as a result of a covered control transaction; (ii) is directly acquiring an interest that is a covered investment in such U.S. business; (iii) has a direct investment in such U.S. business and whose rights with respect to such U.S. business are changing, with such change potentially resulting in a covered control transaction or a covered investment; (iv) is a party to any transaction or other arrangement aimed to evade or circumvent CFIUS’s rules; or (v) is a person that individually holds, or is a part of a specified group of foreign persons that, in aggregate, holds, a 25% or greater direct or indirect voting interest in any person listed in clauses (i) through (iv). For an entity whose activities are primarily directed, controlled or coordinated by or on behalf of a general partner, managing member or equivalent, the applicable threshold will be a 25% or greater interest in such general partner, managing member or equivalent.
Generally, the export control test will apply without regard to any ITAR license exemption or EAR license exception, other than EAR License Exceptions TSU (15 C.F.R. § 740.13), ENC (15 C.F.R. § 740.17(b)) and STA (15 C.F.R. § 740.20(c)(1)). That is, a foreign investment in a U.S. critical technology business that would otherwise trigger a mandatory CFIUS filing requirement will be excepted from such requirement if the U.S. business has met all of the EAR requirements to qualify for one or more of License Exceptions TSU, ENC or STA, and one of those EAR License Exceptions covers all exports of the critical technology to all foreign persons covered by the criteria set forth above.
The final rule will apply to any covered transaction for which any of the following occurs on or after October 15, 2020:
The export control test could present particular challenges for U.S. companies that deploy encryption software but do not have occasion to export it, such as companies that administer software-as-a-service (“SaaS”) businesses. SaaS companies commonly store encryption platform software in the cloud. They normally do not export the platform software and, thus, often have no reason to assess its export control classification or establish that it qualifies for License Exception ENC. If the SaaS platform software falls within certain categories set forth in the EAR, exports of the software will not qualify for License Exception ENC unless and until an encryption classification request covering the software has been submitted to the Department of Commerce. As a result, SaaS companies may find themselves required to make submissions to the government not for export control compliance purposes, but rather for reasons relating to CFIUS requirements.
Under CFIUS’s regulations, parties to a proposed transaction are also required to notify CFIUS of the proposed transaction if the transaction involves the acquisition of a “substantial interest” (defined as a 25% or greater direct or indirect voting interest) in a TID U.S. business by a foreign person in which a single foreign government has a “substantial interest” (defined as a 49% or greater direct or indirect voting interest).
CFIUS’s current regulations provide for special treatment for foreign investors with a general partner, managing member, or equivalent, specifying that in those cases, a foreign state is considered to have a substantial interest in the entity only if the government holds 49% or more of the interest in the general partner, managing member or equivalent (limited partnership interests do not count).
The final rule clarifies that the special treatment applies only in instances where a general partner, managing member or equivalent primarily directs, controls or coordinates the activities of the entity, and not where an entity simply has a general partner, a managing member or equivalent but that party does not primarily direct, control or coordinate the investor’s activities.
Should parties fail to submit a mandatory filing, they may be liable for a civil penalty up to the greater of $250,000 or the value of the transaction.
Once implemented, the final rule will require every U.S. business either being acquired by a foreign person or receiving investment from a foreign person to determine the export control status of its products and technology in order to determine if the CFIUS mandatory notification requirement applies. This will be the case even if the U.S. business never exports its products or technology. Insofar as U.S. export control regulations can be rather complicated and esoteric, this new requirement could be burdensome for many U.S. businesses.
 For CFIUS to have jurisdiction over non-controlling investments in a TID U.S. business, the foreign investor must receive one or more of the following triggering rights in the U.S. business:
 Specifically, if the software falls within the categories described in 15 C.F.R. § 740.17(b)(2) or (b)(3).