Treasury releases much anticipated proposed regulations to implement CFIUS’ expanded jurisdiction under FIRRMA

The United States Department of Treasury has released the much anticipated proposed regulations that, when finalized, will implement CFIUS' expanded jurisdiction, as provided for under the Foreign Investment Risk Review Modernization Act of 2018 (FIRRMA),¹ to review certain: (i) non-controlling investments in US businesses that involve critical technologies, critical infrastructure, or sensitive personal data of US persons; and (ii) real estate transactions that do not involve the acquisition of a US business. Details regarding each set of proposed regulations are provided below.

Highlights of the proposed legislation

• The exclusion from CFIUS' jurisdiction of certain non-controlling investment and real estate transactions conducted by a new class of "excepted" investors who have a substantial connection to a limited number of friendly countries (which have not yet been identified).
• The ability for parties to submit a short form declaration, instead of a full notification, to CFIUS regarding any covered transaction, including covered control transactions, covered non-controlling investments, and real estate transactions.
• While the bulk of notifications/declarations will remain voluntary, including all transactions subject to the new real estate regulations, declarations (or a full notification in lieu of a declaration) will be mandatory in transactions where a foreign government has a "substantial interest" (e.g., owns a direct or indirect 49% or greater interest) in an acquiring entity which, itself, has at least a 25% direct or indirect voting interest in a covered US business.
• Neither set of proposed regulations would apply retroactively to transactions completed, filed with the Committee, or, in some circumstances, formally commenced, prior to the effective date of the final regulations.
• Special rules are established in the context of acquisitions by investment funds (similar to those under the existing pilot program regarding critical technologies²) or pure lending transactions (which are largely excluded, with some exceptions).
• Any person who fails to file a mandatory declaration will be subject to a civil penalty not to exceed the greater of the value of the transaction or US$250,000. Any material misstatements or omissions in a declaration or notice (regardless of intentionality or gross negligence) or a false certification will subject a party to a maximum civil penalty of US$250,000 per violation.

The proposed regulations do not, however, alter CFIUS' longstanding ability to review transactions that could result in foreign control of any US business. In addition, the regulations do not change the existing CFIUS pilot program or establish any filing fees (such regulations will come at a later date). Interested parties may submit comments to the proposed regulations by October 17, 2019 through the Federal Government's eRulemaking Portal or by mail. The final regulations, which may contain significant changes from these proposed rules, must then be implemented no later than February 13, 2020, but could become effective earlier.

Overall, the proposed regulations reflected a measured, or even restrained, approach by the US government as the scope of the new provisions are somewhat more limited, and more clearly defined, than many had anticipated. The presence of defined thresholds that must be met in order for CFIUS' expanded jurisdiction to apply will be welcomed by many parties evaluating whether their business or transaction may be subject to the new regulations. Nevertheless, when implemented, the new regulations would significantly expand CFIUS' existing jurisdiction and will subject many more transactions by foreign persons to the CFIUS review process.

I. Non-controlling investments

The proposed regulations would implement CFIUS' expanded jurisdiction to review certain direct or indirect non-controlling investments by foreign persons. The rules are similar to those already established under the existing pilot program, but apply regardless of whether the company is engaged in activities involving a pilot program industry.

In particular, non-controlling investments will be subject to CFIUS' jurisdiction where a foreign person: (1) invests in certain types of covered US businesses; and (2) obtains certain specified access to, or influence over, the covered US business or its products, technologies, infrastructure, or data.

A. Covered US Businesses

Under the proposed regulations, CFIUS' jurisdiction to review non-controlling investments would only extend to transactions relating to US businesses that involve certain critical technologies, critical infrastructure, or sensitive personal data (described in the regulations as "TID US Businesses").

1. Critical technologies

The proposed regulations would allow CFIUS to review transactions related to US businesses that design, test, manufacture, fabricate, or develop one or more critical technologies. Critical technologies are defined, as in the current pilot program, to include: (i) defense articles or services on the United States Munitions List (USML); (ii) dual-use items on the Commerce Control List (CCL) that are controlled for NS, CB, NP, MT, RS, or SL reasons; (iii) specially designed and prepared nuclear equipment, parts, components, materials, software and technology; (iv) nuclear facilities, equipment and material; (v) select agents and toxins; and (vi) emerging and foundational technologies (but only when regulations pursuant to the Export Control Reform Act are finalized by the US Department of Commerce).

2. Critical infrastructure

The proposed regulations would allow CFIUS to review transactions related to US businesses that perform particular functions with respect to 27 specific categories of infrastructure that are identified in Appendix A to Part 800 (Appendix A) of the Regulations. The categories of infrastructure identified in Appendix A include:

• Internet and telecommunications infrastructure (e.g., protocol networks, submarine cables, data centers)
• Satellites or satellite systems
• Manufacturers of industrial resources for defense programs that are not commercial off-the-shelf (COTS)
• Manufacturers of specialty metals, "covered material," or carbon alloy or armor steel plate
• Systems for the generation, transmission, or storage of electricity for the bulk-power system or military installations
• Refineries with specified production capabilities
• Crude oil and natural gas storage facilities, pipelines, and systems with specified capacities
• LNG import or export terminals
• Certain financial market utilities, exchanges, or providers
• Certain rail and connector lines
• Certain airports and maritime ports
• Public water systems serving a certain population or military installations

Covered transactions must involve not only one of the specific types of infrastructure but also a US business that engages in the specific functions (i.e., owning, operating, manufacturing, supplying or servicing) related to that infrastructure that are identified in Column 2 to Appendix A. Several examples from Appendix A are provided below to highlight the interplay between the type of infrastructure and the required functions to subject the transaction to CFIUS' jurisdiction:

3. Sensitive personal data

The proposed regulations would allow CFIUS to review transactions related to US businesses that maintain or collect ten specified categories of "sensitive personal data" of US persons, but only if the business also: (i) targets or tailors products or services to any US executive branch agency or military department with national security or homeland security responsibilities; (ii) has maintained or collected such data on greater than one million individuals at any point over the preceding 12 months; or (iii) has a demonstrated business objective to maintain or collect such data on greater than one million individuals.

Specified categories of sensitive personal data include:

• Data that could be used to analyze or determine an individual's financial distress or hardship
• Consumer report data
• Health insurance application data
• Data relating to an individual's physical, mental, or psychological health
• Non-public electronic communications of a business whose products or services are designed to facilitate third party user communications
• Geolocation data
• Biometric enrollment data
• Government identification card application data
• Data relating to US government employment or security clearances
• Genetic information (e.g., genetic tests, manifestations of diseases or disorders, and request for, receipt of genetic services, genetic research-related clinical trials).

Expressly excluded from the definition of sensitive personal data is: (i) data maintained or collected by a US business concerning the employees of that US business, unless it pertains to employees of US government contractors; or (ii) data that is a matter of public record, such as court records or other government records that are generally available to the public.

B. Required access or influence

Before CFIUS will have jurisdiction to review a non-controlling investment in a covered US. business, the foreign person must also obtain certain specified access to, or influence over, the US business or its products, technologies, infrastructure, or data. In particular, the investment must provide the foreign person:

• Access to any material non-public technical information in the possession of the US business: (i) regarding the design, location, or operation of any critical infrastructure; or (ii) necessary to design, fabricate, develop, test, produce, or manufacture a critical technology;
• Membership or observer rights on the board of directors or equivalent governing body of the US business (or the right to nominate such an individual); or
• Any involvement, other than through voting of shares, in substantive decision-making of the US business regarding: (i) the use, development, acquisition, safekeeping, or release of sensitive personal data of US citizens maintained or collected by the US business; (ii) the use, development, acquisition, or release of critical technologies; or (iii) the management, operation, manufacture, or supply of critical infrastructure.

II. Real estate transactions

The proposed regulations implement the requirements of FIRRMA by expanding CFIUS' traditional jurisdiction to cover, aside from certain exceptions specified below, the purchase, lease by, or concession to a foreign person of certain "covered real estate" in the United States, but only where the transaction (or change in rights) affords the foreign person three or more of the following property rights: (i) to physically access; (ii) to exclude; (iii) to improve or develop; or (iv) to affix structures or objects.

Parties involved in a covered real estate transaction may submit a voluntary declaration or, in lieu of the declaration, full notification to CFIUS. There is no mandatory filing requirement for real estate transactions that do not involve the acquisition of a US business. Any transaction that involves the acquisition of, or non-controlling investment in, a US business, should be analyzed under those regulations, even if it also involves the acquisition of real estate.

A. Covered real estate

Under the proposed regulations, "covered real estate" would include:

• Real estate that is, is within, or will function as part of specified airports or maritime ports (as identified on a list published by the US Department of Transportation)
• Real estate that is within "close proximity" (defined as one mile from its boundary) of certain specified military installations (as identified in parts 1 or 2 of appendix A to the proposed regulations)
• Real estate that is within the "extended range" (defined as between one mile and 100 miles) of a smaller set of specified military installations (as identified in part 2 of appendix A to the proposed regulations)
• Real estate that is within any county or other geographic area identified in connection with specified active Air Force ballistic missile fields (as identified in part 3 of appendix A to the proposed regulations)
• Real estate that is any part of a US Navy off-shore range or operating area, as identified in part 4 of Appendix A that is also located within 12 nautical miles seaward of the coastline
• Other US government facilities or properties that are sensitive for national security reasons (no such properties have been identified at this time).

B. Urban area exception

Real estate transactions in an "urbanized area" (at least 50,000 individuals) or "urban cluster" (between 2,500 and 49,999 individuals), as defined by the Census Bureau, are excluded from the scope of CFIUS' jurisdiction unless they are in close proximity" (defined as one mile) to certain military installations (as identified in part 1 or 2 to Appendix A to the proposed regulations) or are within, or will function as a part of, an airport or maritime port. Information on urbanized areas and urban clusters, including a helpful map which can be filtered to only show urban areas, is available on the Census Bureau website.

C. Other exceptions

The proposed regulations also exclude from CFIUS' jurisdiction the following transactions:

• The purchase, lease, or concession of a single "housing unit," as defined by the Census Bureau (i.e., intended for occupancy as separate living quarters), including fixtures and adjacent land, as long as the fixture and land is incidental to the use of the real estate as a single housing unit.
• Transactions involving certain commercial office space in a multi-unit commercial office building, if upon completion of the transaction: (i) the foreign person and its affiliates do not, in the aggregate, hold, lease, or have a concession with respect to commercial office space in such building that exceeds 10 percent of the total square footage of the building; and (ii) the foreign person and its affiliates (each counted separately) do not represent more than 10 percent of the total number of tenants in the building.
• A lease by, or a concession to, a foreign person of covered real estate in an airport or maritime port that, according to the terms of the concession or lease, may only be used as a retail trade, accommodation, or food service sector establishment.

III. Excepted investors

The proposed regulations exclude from CFIUS' jurisdiction certain non-controlling investments or real-estate transactions that are conducted by a newly created class of "excepted investors" or "excepted real estate investors" who can demonstrate a substantial connection, as set forth in the regulations, to specific "excepted foreign states" and such connection will remain for at least three years after the completion date. Examples of excepted investors include: (i) a national of a foreign excepted state (and, for dual nationals, no non-excepted states); (ii) a foreign government of an excepted state; (iii) and certain foreign entities organized under the laws of a foreign excepted state that meet other specified criteria. The exception does not, however, apply to transactions where the foreign person would obtain traditional "control" over a US business.

In order to be considered an "excepted foreign state" or "excepted real estate foreign state," the country must be selected by the CFIUS chair, with the agreement of two-thirds of the voting members of the Committee. Such countries will be identified in separate lists that will be published on the Department of Treasury's website. Treasury has indicated that the lists, which have not yet been published, will contain a very limited number of countries due to the significant national security implications.

The proposed regulations also require that, beginning two years from the effective date of the final rule (or such other date as is ultimately agreed to), for a foreign country to qualify as an excepted foreign state, the CFIUS chair, with the agreement of a super-majority of CFIUS member agencies, will also need to determine that the foreign state has established and is effectively utilizing a robust process to assess foreign investments for national security risks and to facilitate coordination with the US on matters relating to investment security.

Foreign persons who have violated, or whose parents or subsidiaries, have violated certain US laws (e.g., CFIUS regulations or agreements or US trade-related restrictions or licenses) are ineligible to be considered excepted investors.