On August 13, 2018, President Trump signed into law the National Defense Authorization Act (“NDAA”), which included the Foreign Investment Risk Review Modernization Act of 2018 (“FIRRMA”). This marks the most significant change in over ten years in the law governing the Committee on Foreign Investment in the United States (“CFIUS”). FIRRMA, in essence, codifies certain existing CFIUS practice with respect to covered transactions (as defined below), expands CFIUS’s jurisdiction to address perceived evolving national security threats due to the use of investment structures that previously have been outside of CFIUS jurisdiction, and seeks to modernize CFIUS’s processes to promote more timely and effective reviews of covered transactions. In particular, FIRRMA authorizes CFIUS to review certain non-controlling investments by foreign companies; enhances restrictions on investments in certain critical technologies or infrastructure and sensitive personal data; targets real estate transactions in proximity to sensitive US government sites; and requires mandatory filings for certain investments by foreign government-owned entities.
I. Background and existing CFIUS practice
CFIUS is a multi-agency US governmental committee that is authorized to review mergers, acquisitions, or takeovers that could result in a foreign person controlling a US business (“covered transactions”) in order to determine the effect of such transactions on US national security. Although CFIUS was created in 1975, its jurisdiction was established by the Exon-Florio Amendment in 1988, which created Section 271 of the Defense Production Act of 1950, the statutory basis for CFIUS, and has remained constant in the 30 years since then. The regulations provide a mechanism for companies involved in a potentially covered transaction to submit a voluntary notice to CFIUS. Alternatively, CFIUS or the President can initiate a review. Following a review period (historically, 30 days), the Committee could determine that the transaction did not present a threat to national security and could proceed, or the Committee could determine that an additional 45-day investigation was warranted. Following that investigation, the Committee could offer no recommendation or make an adverse recommendation to the President, triggering an additional 15-day review period by the President.
II. Key FIRRMA provisions
A. Expansion of CFIUS jurisdiction
CFIUS’s jurisdiction has extended to "covered transactions," generally defined until now as transactions that could result in foreign control of a US business. The new law gives CFIUS authority to review additional types of transactions as “covered transactions.” In particular, FIRRMA expands CFIUS’s jurisdiction by adding four new types of covered transactions:
- “Other investments” in certain US businesses that afford a foreign person access to material nonpublic technical information in the possession of the US business, membership on the board of directors, or other decision-making rights, other than through voting of shares;
- Any change in a foreign investor’s rights resulting in foreign control of a US business or an “other investment” in certain US businesses;
- A purchase, lease, or concession by or to a foreign person of real estate located in proximity to sensitive government facilities; and
- Any other transaction, transfer, agreement, or arrangement designed to circumvent CFIUS jurisdiction.
This expansion of CFIUS jurisdiction will not take effect immediately, as CFIUS will issue implementing regulations to define more fully the scope and applicability of these changes.
More specifically, CFIUS will have authority to review transactions involving the acquisition of non-controlling interests in US companies where the foreign acquirer is investing in a US business that involves "critical technologies,"[i] "critical infrastructure,"[ii] or "sensitive personal data of US citizens."[iii] CFIUS's authority would apply in circumstances where the investment would give the foreign person (1) access to material non-public technical information of the US business, (2) membership or observer rights on the board of directors (or the right to nominate directors), or (3) the authority to make substantive decisions about critical technologies, critical infrastructure, or sensitive personal data (other than through the voting of shares). Investments by US-based investment funds that are managed by US general partners generally will not be subject to CFIUS review so long as any non-US person limited partners or other passive investors will not gain access to material non-public technical information and will not otherwise have the ability to control investment decisions.
Additionally, CFIUS will have the authority to review transactions that involve a purchase, lease, or concession of land at or “in close proximity” to sensitive US sites, including airports, seaports, and sensitive government or military locations, if the site access could allow the foreign person to collect intelligence on activities at the site or otherwise expose national security activities at the site to foreign surveillance. The law has no bright lines on what it means to be “in close proximity” to a sensitive location, and CFIUS is charged with issuing regulations in due course. The regulations are meant to ensure that the term refers only to “distance or distances” within which the site access could pose a national security risk.
CFIUS is required to issue regulations that, among other objectives, limit the applicability of the new rules described above to certain categories of foreign persons. The criteria must take into account how a foreign person is connected to a foreign country or government and whether the connection could affect US national security. This is as close as the final law approaches to allowing a “white list” of persons not subject to the latest expansion in review authority.
B. Procedural changes
FIRRMA also makes a number of key changes to the CFIUS review and investigation process, including authorizing filing fees for the first time, providing additional resources for CFIUS staffing, increasing CFIUS’s authority to investigate transactions that were not notified to CFIUS, and providing for an abbreviated filing process and mandatory filings.
In particular and most notably, the new rules attempt to streamline the filing process. Parties will now have the option of submitting an abbreviated “declaration” that is limited to five pages. CFIUS cannot require the declaration to be submitted more than 45 days before the closing of the relevant transaction. CFIUS will be able to approve the deal, request that the parties file a full notice, or initiate a unilateral review. CFIUS will have 30 days to take an action on the declaration.
In some instances, declarations will be mandatory, which represents an important departure from prior practice. Previously, there was no requirement that the parties to a covered transaction notify CFIUS of the transaction, though parties have elected to undergo CFIUS review because it is the only way to obtain assurance that the President will not block or order divestment of their transaction in connection with national security concerns. Under FIRRMA, however, a declaration is required for an acquisition of a “substantial interest” in a US critical infrastructure or critical technology company by a foreign person in which a foreign government has a “substantial interest.” “Substantial interest” will be defined in the regulations. In developing the regulations, CFIUS is required to consider how and the extent to which the foreign government influences the actions of the acquirer, including through board membership, shareholder rights, and ownership interests. Substantial interest will not include a voting interest of less than 10 percent. CFIUS can waive the mandatory declaration requirement if the investments of the acquirer are not directed by a foreign government, and the foreign person has a history of cooperation with CFIUS. CFIUS also will be required to issue regulations listing other types of investments requiring a mandatory declaration.
Further, FIRRMA expands the timeline for CFIUS to review transactions. The initial review period will be 45 days, rather than the previous 30 days, for reviews initiated after August 13, 2018. In “extraordinary circumstances,” CFIUS can request an additional 15 days be added to the 45-day investigation that follows the review. There is only an investigation if there are unresolved national security issues at the end of the initial review period, although investigations generally are mandatory for transactions in which a foreign government controls the acquirer. The overall effect of these changes will be to lengthen the maximum potential review period from 90 to 120 days. This does not include, however, the time it takes to prepare the filing and any pre-filing CFIUS review.
Additional procedural changes include the following:
- CFIUS will have the ability to suspend a transaction while it is under review if CFIUS believes it poses a national security risk. This means that the deal would not be permitted to close until CFIUS completes its review, which is a significant departure from past practice.
- The parties will be able to stipulate that a deal is a covered transaction that CFIUS has authority to review or a foreign government-controlled transaction. The effect of these stipulations is to focus the review on the national security implications of the deal, and not whether CFIUS has the right to review the deal. If a stipulation that CFIUS has authority to review the transaction is made, CFIUS would be required to provide comments on a draft or formal written notice, or to accept a formal written notice no later than 10 business days after submission. CFIUS will address these stipulations through regulations or other guidance.
- CFIUS may collect filing fees for written notices, though not for the abbreviated declarations. The fees cannot exceed one percent of the transaction value or, if less, $300,000 (adjusted for inflation). The filing fees are not immediately effective, but will be addressed in the implementing regulations.
III. Export control reform
The NDAA includes the Export Control Reform Act (“ECRA”), the key provisions of which include reestablishing the statutory basis for the US Department of Commerce’s regulatory jurisdiction; requiring interagency review of the export controls on countries subject to a comprehensive US arms embargoes (e.g., China); establishing an interagency process to identify “emerging and foundational technologies,” which are undefined in the ECRA, and to control their export; and requiring the Commerce Department to consider the impacts of export licensing on the US “defense industrial base.”
IV. Practical implications
FIRRMA will generally apply to all pending and future transactions on or after August 13, 2018. However, the statute contains many provisions that will require notice and comment rulemaking to implement (a process that FIRRMA requires to be completed by February 13, 2020). Therefore, although CFIUS can conduct pilot programs to implement any authority provided in this law sooner, which may impact higher risk transactions as early as this fall, the practical implications of some of the most significant provisions, including expansion of the categories of covered transactions and the mandatory filing requirements, may not be seen for up to 18 months.
In some ways, FIRRMA might be expected to streamline the CFIUS process because at least routine transactions can be fast-tracked through an abbreviated declaration. However, the declarations could serve to delay completion of the review process if CFIUS determines that national security concerns are implicated that warrant the filing of a lengthier notice. In addition, the review process for written notices could now take up to 105 days, instead of the previous 75 days. The 15-day extension might not have a significant, practical effect, however, if it simply gives CFIUS the time to complete its reviews without requiring the parties to withdraw and resubmit their notices.
For many transactions, the impact of these legislative developments may not be profound because they arguably codify existing practices of CFIUS and underscore concerns that have long been focal points for CFIUS, including protection of sensitive data, enhancing cybersecurity, and securing sensitive technologies. However, the changes are not trivial. Notably, FIRRMA expands the number of covered transactions reviewable by CFIUS and the ECRA can lead to greater export restrictions on newer types of technologies not currently subject to export controls. These developments could warrant more robust consideration of potential mitigation measures earlier in a transaction and enhancements of export compliance procedures.
Companies should, therefore, anticipate that the changes may present some new issues in connection with foreign investment and international trade, and monitor closely the regulatory developments that will take place over the next several months.
[i] The definition of "critical technologies" includes any technology subject to US export controls (e.g., listed on the US Munitions List or Commerce Control List) as well as "emerging and foundational technologies," which will be defined by US export control authorities and may include technologies not currently subject to significant export controls.
[ii] The definition of "critical infrastructure" includes "systems or assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems or assets would have a debilitating impact on national security." Although this definition suggests that very few deals involve critical infrastructure, critical infrastructure (and perhaps control) have been viewed by CFIUS in ways that parties have found surprising.
[iii] The definition of "sensitive personal data" includes information about US citizens that "may be exploited in a manner that threatens national security."