CFIUS 2.0: Treasury Releases Comprehensive Rewrite of CFIUS Regulations, Flood of Filings Expected in 2020
Enacted in August of 2018, FIRRMA represented the most sweeping overhaul of the operations and jurisdiction of CFIUS in its 44-year history. With an October 17, 2019 deadline for public comments to be submitted, the draft regulations are divided into two parts: certain investments (those not primarily involving real estate), and real estate transactions. They will take effect no later than February 13, 2020, after all timely comments have been considered and CFIUS officials have made revisions to the draft rules, as appropriate.
The Big Picture
The 319 pages of proposed CFIUS regulations will introduce substantial new levels of complexity and nuance, with definitions that contain many moving parts. Figuring out whether a given transaction might fall within the scope of CFIUS’s new jurisdiction will, in most cases, require more extensive regulatory analysis for foreign investors and US target companies alike. However, smooth navigation of the CFIUS process will also require counsel who have more than just familiarity with the new rules. The opaque CFIUS process is often called a “black box,” and a deep understanding of its member agencies’ national security sensitivities will be needed to anticipate their potential concerns pertaining to technology, infrastructure, data, real estate, and other areas. Effective counsel must have a solid grasp of CFIUS’s typical thought processes and risk analysis.
At the same time, the draft rules are not as aggressive in expanding CFIUS’s jurisdiction as some had expected, and they faithfully adhere to the legislative contours of FIRRMA. To the relief of many stakeholders, CFIUS elected not to make major substantive changes to core definitions such as “foreign person,” “foreign entity,” “control,” and “US business,” which have been bedrock concepts of CFIUS for many years. This will have the effect of preserving some consistency and stability in the process, especially with regard to CFIUS’s legacy jurisdiction over “control” transactions (e.g., mergers and acquisitions), which will remain intact under the new rules.
New Transaction Types To Be Covered By CFIUS
The proposed regulations will expand CFIUS’s jurisdiction to cover four new types of transactions:
- Non-passive minority-position investments involving critical technologies;
- Non-passive minority-position investments involving critical infrastructure;
- Non-passive minority-position investments involving the sensitive personal data of US citizens; and
- Purchases or leases of US real estate near sensitive facilities.
FIRRMA grouped the first three types together, so CFIUS created the concept of “TID US businesses” as shorthand to refer to these categories of US companies that are involved with critical technologies, critical infrastructure, or the sensitive personal data of US citizens. These transactions will typically be venture capital and other private equity investments through which a foreign person could obtain certain types of governance or information rights with the TID US business, including board membership or observer status (or the right to nominate someone to the board); access to the company’s “material nonpublic technical information”; or involvement in the company’s “substantive decisionmaking” pertaining to critical technology, critical infrastructure, or sensitive personal data (other than through shareholder voting).
Investments in US Companies with Critical Technologies
Under the draft regulations, CFIUS will have jurisdiction over these minority-position investments in US companies that design, test, manufacture, fabricate, or develop critical technologies. The exact scope of this new jurisdiction will depend on whether (and to what extent) the Commerce Department imposes export controls on any emerging or foundational technologies that are “essential” to US national security per the Export Control Reform Act, which was enacted last year alongside FIRRMA. If Commerce does, those technologies will automatically meet the definition of critical technologies, and that would subject certain investments involving them to CFIUS jurisdiction. Until then, the scope of critical technologies that may trigger CFIUS’s jurisdiction will be limited to those technologies that are regulated under legacy dual-use export controls and other existing regulatory schemes, such as the International Traffic in Arms Regulations.
CFIUS’s new, permanent jurisdiction over critical technology transactions under the draft regulations will very likely supplant the CFIUS critical technologies pilot program, which launched in November of 2018 and remains in effect for the time being. The scope of the new permanent jurisdiction will be much broader than CFIUS’s temporary jurisdiction under the pilot program. The pilot program only applied to 27 specific industries, whereas the permanent jurisdiction will not be limited by industry.
Investments in US Companies with Critical Infrastructure
Under the draft regulations, CFIUS’s newfound jurisdiction over deals involving critical infrastructure will center on 28 specific types of systems and assets within various infrastructure subsectors, such as telecommunications, utilities, energy, transportation, and manufacturing. Certain investments in US companies that own, operate, manufacture, supply, or service one of those enumerated systems or assets will be subject to this expanded jurisdiction. However, the scope of this new jurisdiction over critical infrastructure is narrower than it could have been, because it reflects only a subset of the 16 infrastructure sectors that the Department of Homeland Security considers critical.
Investments in US Companies with Sensitive Personal Data
The expansion of CFIUS’s jurisdiction to cover deals involving the sensitive personal data of US citizens was one of the most novel parts of FIRRMA and is arguably the most significant aspect of CFIUS’s newfound purview. Under the draft regulations, this new jurisdiction centers on 11 specific categories of personal data, including financial, geolocation, health, biometric, and security clearance data, as well as electronic communications such as emails, text messages, and chatting. Certain investments in US companies that maintain or collect these types of personal data will be subject to CFIUS review if the company either targets or tailors its products or services to specific populations of US citizens with national security sensitivity or collects or maintains this data on one million or more people (or has a business objective to do so). Separately, the collection of any genetic information will also put US companies within the scope of CFIUS’s jurisdiction, even if they don’t “target or tailor” or collect data on one million people.
Real Estate Deals
The draft regulations, as expected, cast a fairly wide net in scoping CFIUS’s newfound jurisdiction over certain real estate transactions. CFIUS will have jurisdiction over the purchase or lease by a foreign person (or concession to a foreign person) of certain US real estate that affords that person at least three of the following four property rights: physical access to the real estate, the exclusion of others from physical access, the improvement or development of the real estate, and the affixing of structures or objects to it. For now, this new area of CFIUS jurisdiction will focus on specific US military installations, airports, and seaports.
To help investors and other members of the public identify which sites will be covered, the draft rules enumerate nearly 200 military installations and other sensitive national security facilities, including certain missile fields and offshore military training and testing ranges. The rules would also apply to all major airports (passenger, cargo, and joint military-civilian use) and certain maritime ports, including the top 25 tonnage, container, and dry bulk ports, as well as seaports designated as “strategic.” It may come as a relief to many real estate stakeholders that the draft rules exempt single housing units and some commercial office space in multi-unit commercial office buildings, as well as most real estate in “urbanized areas” or “urban clusters.”
Two Key Aspects of FIRRMA Implementation Still Pending
The draft regulations were silent, for now, on whether CFIUS will continue to mandate the filing of short-form declarations for critical technology investments. This was a major aspect of the critical technologies pilot program, but CFIUS is apparently still considering to what extent this is necessary and appropriate. CFIUS has also not yet decided how to utilize the authority it was granted in FIRRMA to impose filing fees for CFIUS reviews. Both of these issues are expected to be decided prior to the draft regulations being finalized ahead of the February 13, 2020 deadline.
Safe List: “Excepted Investors” from “Excepted Foreign States”
As many stakeholders had hoped, CFIUS exercised FIRRMA’s “country specification” authority in the draft regulations, creating a type of “safe list” of low-risk foreign investors who will be exempt from CFIUS reviews for minority-position investments and real estate transactions. This concept of “excepted investors” will be based on the foreign person’s connections to a country that meets the criteria to be an “excepted foreign state,” as well as the foreign person’s compliance with certain US laws, regulations, and other rules. In turn, the concept of excepted foreign state will be based on a determination by CFIUS that the foreign state has in place an effective, robust process for screening foreign investments for national security risks and coordinating with the US on related matters. The use of the safe list, for CFIUS purposes, will create two de-facto tiers of foreign investors: those who are seen as inherently low-risk, and everyone else. However, the definition of excepted investor is quite narrow, reflecting CFIUS’s concern over the growing complexity of ownership structures and its desire to prevent the circumvention of its jurisdiction (which was also a primary motivation of the authors of FIRRMA). So, it is unclear whether many foreign states will qualify for excepted status, at least initially.
Number of Annual CFIUS Reviews Projected to More Than Quadruple
Deep in the fine print of the regulations, CFIUS shared its estimate regarding how many filings these draft regulations will yield. For context, the most recent statistics on the total number of annual reviews date back to 2017, when CFIUS processed 240 full-length filings (“notices”). The draft regulations will arguably open the proverbial floodgates, with CFIUS projecting 1,100 filings annually. Specifically, CFIUS estimates that the regulations will result in 350 filings per year (150 notices and 200 declarations) for real estate deals and 750 filings per year (200 notices and 550 declarations) for other investments, which includes minority-position investments in critical technology, critical infrastructure, and sensitive personal data. If those projections bear out, the new regulations will more than quadruple the number of filings that CFIUS evaluates each year.
Also noteworthy, FIRRMA both preserved CFIUS’s ability to unilaterally initiate reviews and required CFIUS to establish a process to identify so-called “non-notified” and “non-declared” transactions, where information is reasonably available. It’s unclear whether those unilateral reviews are incorporated into the 1,110-filing estimate, but CFIUS has taken this mandate seriously. It apparently intends to use resources such as Pitchbook to scour available transaction data and identify those non-notified and non-declared transactions that may warrant CFIUS review.
More Regular Updates to the CFIUS Regulations?
The last time CFIUS implemented comprehensive regulations was in November of 2008. Prior to the enactment of FIRRMA, those regulations had not been updated in over a decade. The background section of the new regulations explains that, once these regulations are finalized and put in place, more regular updates may become the norm: “Given the level of specificity provided in certain provisions of the proposed rule, the pace of technological development, the evolving use of data, and the evolving national security landscape more generally, the Department of the Treasury anticipates that it will periodically review, and as necessary, make changes to the regulations, consistent with applicable law.”
What Should Stakeholders Do Now?
Foreign investors and US companies who expect to undergo CFIUS review in the future may wish to consider filing comments on the proposed regulations during the 30-day window, and Arent Fox can assist with drafting those. Once the new regulations take effect, Arent Fox can help foreign investors and US target companies understand how the new rules apply to them, conduct advance planning, or draft filings and navigate the opaque CFIUS process. Consulting knowledgeable, experienced CFIUS counsel early on will be more important than ever under the new rules.
- Related Industries