Skip to main content

Trade Compliance Flash: The Foreign Investment Risk Review Modernization Act Becomes Law; Significantly Expands CFIUS Scope and Powers

International Alert

On August 13, 2018, the long-awaited, much-debated, Foreign Investment Risk Review Modernization Act of 2018 (FIRRMA) was enacted, significantly expanding the powers of the Committee on Foreign Investment in the United States (CFIUS or the Committee) to review, and potentially prohibit, foreign investment that poses a threat to U.S. national security. As detailed in our Trade Compliance Flash following FIRRMA's introduction last November, growing fears about the perceived dangers of Chinese investment in the United States, especially with respect to transfers of sensitive technology and malicious cyber activity, were key drivers behind bipartisan support for the new law. Cybersecurity and data privacy considerations, now both regarded as national security priorities, are also featured prominently throughout FIRRMA.

Despite the clear intent to rein in Chinese investment, and the formal recognition of cybersecurity and data privacy as top-tier national security issues, FIRRMA sweeps much more broadly and it will have far-reaching effects globally on all types of foreign investment in the United States. The new law not only expands CFIUS jurisdiction by diversifying the types of "covered transactions" subject to review, it also introduces new procedural mechanisms that will impact the cost-benefit analysis parties undertake when deciding whether and when to file a notice with CFIUS. Once the law takes full effect, there also will be mandatory filings in certain instances, a first for CFIUS. Additionally, FIRRMA provides the Committee with unprecedented resources and tools to enforce its national security mandate. This latter point seems to signal that Congress and the President expect CFIUS to exercise its jurisdiction aggressively and intervene to police foreign investment more proactively than it has in the past.

Simultaneously with the signing of FIRRMA, the Committee issued initial guidance on the new law. Key elements of FIRRMA described and analyzed in more detail below include:

  • Expanded Scope of CFIUS Jurisdiction: The definition of "covered transaction" now includes certain real estate transactions; certain investments in U.S. businesses involved in critical infrastructure, critical technologies, or that maintain or collect sensitive personal data; certain changes in a foreign person's rights relating to a U.S. business or investment; and transactions designed or intended to evade or circumvent CFIUS jurisdiction.
  • Light Filings: FIRRMA allows for an abbreviated filing process involving a declaration in lieu of a lengthy formal notice to CFIUS. Although many declarations may ultimately result in a full notice being filed subsequently, it will be possible for CFIUS to conclude all action with respect to certain transactions on a shorter review timeline based on the declaration alone. 
  • Mandatory Filings: Declarations generally will be mandatory for investments in which a foreign government has a "substantial interest" in a foreign person acquiring a "substantial interest" in a U.S. business involved in critical infrastructure, critical technologies, or that maintains or collects sensitive personal data. The Committee also may require declarations with respect to covered transactions involving critical technology companies. 
  • Altered CFIUS Timelines: The initial review period will be expanded from 30 days to 45 days. In addition, regulations to be issued by CFIUS will provide for the possibility that the 45-day investigation period could be extended by the Committee in extraordinary circumstances for one additional 15-day period. 
  • Filing Fees: The Committee is authorized to assess a filing fee equal to the lesser of one percent of the value of the transaction or $300,000 with respect to each covered transaction for which a notice is filed, but this provision will not be implemented until CFIUS issues further guidance. 
  • Enhanced Tools for Exercise of CFIUS Jurisdiction: Separate provisions now allow for the Committee to establish a new process to identify non-notified and non-declared covered transactions; allow for the suspension of transactions; initiate unilateral reviews of completed covered transactions; and allow for more effective monitoring and enforcement of mitigation agreements.

In the short term, we believe that transaction parties evaluating their CFIUS options and risks under FIRRMA will face significant challenges and uncertainty due to the fact that the new law is facially broad in its reach, but leaves many details to be clarified or defined through implementing regulations. Based on past precedent, it is likely that it will take the Committee between 12 and 18 months to issue new regulations. Notably, certain provisions of FIRRMA go into effect immediately, but others do not become effective until an undetermined future date, possibly not for another 18 months. CFIUS is authorized to conduct pilot programs to implement any provisions of the legislation that are not immediately effective.

Two high-profile items that did not make it into the final version of FIRRMA are also worth noting. First, CFIUS's expanded jurisdiction does not include the ability to review outbound transfers of intellectual property or human capital through offshore joint ventures or licensing arrangements. Although this measure, aimed squarely at China, was part of the original version of FIRRMA introduced last year, it was eventually removed following an intense lobbying effort by private industry, which argued it would stifle innovation and economic growth. Second, the Senate's attempt to unwind the recent settlement agreement reached by the U.S. Department of Commerce and Chinese telecommunications giant ZTE in connection with violations of U.S. export control laws was also removed from the final version of the law after a compromise was reached during the conference committee process.

Below we discuss the key elements of FIRRMA referenced above, along with other notable aspects of the new law, and provide some initial perspective to assist parties in identifying and analyzing these issues. 

Expanded Scope of CFIUS Jurisdiction

Four new types of "covered transaction" will expand CFIUS jurisdiction beyond traditional merger and acquisition activities and certain investments resulting in "control" of a U.S. business. With certain exceptions described below, these new categories will not go into effect immediately, and they will each require clarification through implementing regulations to be issued by the Committee, as many of the concepts and terms used here are either novel or expanded considerably.   

  • Purchase or lease by, or a concession to, a foreign person of private or public real estate. This provision covers two types of real estate located within the United States. The first relates to real estate located within, or functioning as part of, an air or maritime port. The second covers real estate with a connection—whether close proximity or the opportunity for intelligence collection or surveillance—to a military installation or sensitive U.S. government facility. Both sub-categories expand the Committee's ability to act when a foreign person purchases or gains certain rights with respect to a physical property, as opposed to a U.S. business, that is strategically significant to U.S. national security. The inclusion of leases and concessions makes clear that contractual relationships conferring less than full control to a foreign party may nevertheless be subject to scrutiny under this provision. 
  • Any "other investment" in a U.S. critical infrastructure company; critical technology company; or company that maintains or collects sensitive personal data. The term "other investment" is defined to cover a broad range of activities—including access to non-public technical information, board membership, and certain substantive decision-making authority—that affords the foreign investor significant access to or influence over certain sensitive aspects of the U.S. company. The concept of "other investment" is essentially an attempt to establish the boundaries of a passive investment for purposes of CFIUS jurisdiction. Notably, an indirect investment through an investment fund that affords a foreign person certain limited partner rights would be excluded here, if certain criteria are met.
    1. Critical infrastructure company. Applies to a business that owns, operates, manufactures, supplies or services "critical infrastructure." That term is defined, pending new regulations, as systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems or assets would have a debilitating impact on national security. Although certain critical systems or assets are well known and understood, this category has the potential to be defined quite expansively in the future, especially because it includes virtual as well as physical systems.
    2. Critical technology company. Encompasses businesses that produce, design, test, manufacture, fabricate, or develop "critical technologies."  Significantly, that concept has been expanded beyond its traditional core of technology subject to U.S. export control laws, nuclear equipment and material, and select agents and toxins to include a new sub-category of "emerging and foundational technologies." Pursuant to the Export Control Reform Act of 2018, enacted at the same time as FIRRMA, an interagency process will be established to identify such technologies that are essential to the national security but are not otherwise covered under the definition of "critical technologies." The Secretary of Commerce is also charged with establishing appropriate export controls for "emerging and foundational technologies." Because this is a truly novel concept, it will require careful monitoring as it evolves over the next few years. Any number of technologies, whether nascent or well-established, could be encompassed by this new, undefined regulatory regime.        
    3. Company that maintains or collects sensitive personal data of U.S. citizens that may be exploited in a manner that threatens national security. This sub-category is notable because it acknowledges a growing concern of CFIUS in recent years and elevates it to an independent basis by which a transaction can be "covered." The ultimate impact here could be massive, as any U.S. business that holds or processes sensitive data concerning U.S. persons would likely be implicated. To the extent this has not become standard practice already, a foreign investor should consider the consequences of any U.S. data it may be acquiring or to which it may be gaining access and conduct a cost-benefit analysis from a U.S. national security perspective as part of its due diligence. 
  • Changes in a foreign investor's rights that could result in control of a U.S. business or an "other investment" in a U.S. business described directly above. The first prong of this category (i.e., foreign control of a U.S. business), which is effective immediately, acknowledges that foreign control of any kind through any means is a potential national security concern sufficient to justify CFIUS review. The remainder of this provision tracks the new "other investment" category of covered transactions and will have delayed applicability.
  • Other transactions, transfers, agreements, or arrangements, the structure of which is designed or intended to evade or circumvent CFIUS review. This final category, which is effective immediately, appears to give the Committee broad authority to review any deal structure or arrangement intended to avoid CFIUS review. As creative deal structures, including limitations on ownership interests and control rights, are common practice among transactional lawyers, it is now unclear whether such approaches alone would trigger CFIUS jurisdiction under this provision.  

Light Filings  

New procedures will eventually allow for an abbreviated filing in the form of a short declaration in lieu of a lengthy formal notice to CFIUS. In response to a declaration, the Committee may take one of the following actions: request that the parties file a written notice; inform the parties that the Committee is not able to complete action with respect to the transaction on the basis of the declaration and the parties may file a written notice; initiate a unilateral review of the transaction; or notify the parties that the Committee has completed all action with respect to the transaction. Although many declarations may ultimately result in a full notice being filed subsequently, the prospect of a shorter review timeline based on the declaration alone will no doubt be an intriguing option for parties who believe their transaction presents low national security risks. 

Mandatory Filings 

Declarations generally will be mandatory for investments in which a foreign government has a "substantial interest" in a foreign person acquiring a "substantial interest" in a U.S. business involved in critical infrastructure, critical technologies, or that maintains or collects sensitive personal data. The precise meaning of "substantial interest" will be established via regulations, but should include the means by which the foreign government could influence the foreign person, including through board membership, ownership interest, or shareholder rights. The Committee also may require declarations with respect to covered transactions involving critical technology companies. Civil monetary penalties may be imposed by CFIUS with respect to a party that fails to comply with a mandatory filing requirement.

Altered CFIUS Timelines

The initial review period has been expanded from 30 days to 45 days, and regulations to be issued by CFIUS will provide for the possibility that the 45-day investigation period could be extended in extraordinary circumstances for one additional 15-day period (for a total of 60 days). Providing the Committee with additional time to complete its review and investigation of a specific transaction may be good news for transaction parties looking to avoid the longstanding withdraw-and-refile approach prompted by the sometimes difficult, if not impossible, task of completing action on a complex transaction within the required statutory timeline.   

Filing Fees

CFIUS is authorized to collect a filing fee equal to the lesser of one percent of the value of the transaction or $300,000 for all covered transactions for which a notice is filed, but the new CFIUS guidance makes clear that this authority is not yet being exercised pending issuance of further guidance. Notably, the assessment of a filing fee is not authorized in the event a declaration is the only filing with the Committee. The prospect of receiving a CFIUS clearance without the need to pay a substantial filing fee might be enough to incentivize parties to risk elongating the review process by filing a declaration in the first instance rather than proceeding directly to a full notice. In any event, regulations will be required to clarify the methodology used for filing fees, and whether any considerations will be taken into account to reduce the fees in certain circumstances.  

Enhanced Tools for Exercise of CFIUS Jurisdiction

Through a new process to be established, CFIUS now will seek to identify on a systematic basis non-notified and non-declared transactions. In considering whether to notify a transaction to CFIUS, parties will eventually need to factor in the stronger possibility that the Committee may learn about the transaction from other sources. Although this has always been a risk, a dedicated process designed to detect covered transactions that have not been brought before the Committee represents a new level of resource dedication and commitment on the part of CFIUS and, therefore, a heightened risk to transaction parties. FIRRMA also establishes authority for the Committee to suspend a transaction that may pose a risk to national security during the pendency of CFIUS review and investigation, and it also establishes that the Committee can initiate unilateral reviews, as in the case of a completed transaction where a party submitted false or misleading information, for instance. Finally, CFIUS now has new authority with respect to the imposition and monitoring of mitigation, as FIRRMA strengthens the requirements for the use of mitigation agreements, including the addition of compliance plans and the prospect of harsher penalties for failure to comply with the terms of a mitigation agreement.

Other Notable Aspects of FIRRMA

  • Relevant considerations regarding "covered transactions." As part of the "sense of Congress" directly preceding the newly expanded definition of "covered transaction," Congress set forth some policy-based considerations that CFIUS may look to when evaluating national security risks during the course of a review. These include:
    • Whether a transaction involves a country of special concern that has a demonstrated strategic goal of acquiring critical technology or critical infrastructure that would affect U.S. leadership in certain areas related to national security (e.g., China);
    • The potential effects of cumulative control by a foreign person or foreign government of any one type of critical infrastructure, energy asset, critical material, or critical technology;
    • Whether the foreign person has a history of compliance with U.S. laws and regulations;
    • The impact of control of U.S. industries and commercial activity by foreign persons as it affects the capability and capacity of the United States to meet the requirements of national security;
    • The extent to which a covered transaction is likely to expose personally identifiable information, genetic information, or other sensitive data of U.S. citizens to access by a foreign government or foreign person that may exploit that information in a manner that threatens national security; and
    • Whether a covered transaction is likely to have the effect of exacerbating or creating new cybersecurity vulnerabilities in the United States or is likely to result in a foreign government gaining a significant new capability to engage in malicious cyber-enabled activities against the United States.
  • Special hiring authority. FIRRMA grants special hiring authority for CFIUS agencies and departments to appoint candidates directly to positions in the competitive service to allow them to carry out CFIUS-related functions.
  • Information sharing. The new legislation urges establishment of a formal process for the exchange of information with the governments of U.S. allies and partners to facilitate the harmonization of action with respect to trends in investment and technology and to provide for the sharing of information with respect to specific technologies and entities. CFIUS is also expressly permitted to share information with any domestic or foreign governmental entity to the extent necessary for national security purposes. 
  • Annual report. The unclassified version of the CFIUS annual report submitted to Congress must now contain information detailing, among other things, the number of notices and declarations filed during the relevant time period, the amount of time CFIUS took in accepting and responding to all notices and declarations, and the total number of reviews and investigations during the relevant time period.
  • Other reporting requirements. To underscore the fact that China was the primary source of concern underlying the passage of FIRRMA, the law requires that every two years from the date of enactment through 2026, the Secretary of Commerce must submit to Congress and CFIUS a report on foreign direct investment by China. Similarly, the Director of Homeland Security must report to Congress by August 13, 2019 an assessment of the national security risks related to investments in the United States by state-owned or state-controlled entities in freight rail, public transportation rail systems, or intercity passenger rail systems.
  • Judicial review. The D.C. Circuit has been identified as the exclusive venue for any civil suits challenging CFIUS actions or findings. The government also gains added protection in the event any classified portions of the CFIUS record are necessary to resolve such a dispute, as it must be permitted to submit such information to the court ex parte and in camera and does not have to provide it to the party bringing suit. 


FIRRMA represents the first substantive expansion of CFIUS in more than a decade. During that period, perceived threats to U.S. national security from foreign investments, most notably those originating from China, have evolved significantly. The new law is intended to allow CFIUS to be more effective in combatting these threats now and into the future while preserving the U.S. commitment to an open foreign investment policy. Inbound U.S. investment from China has slowed markedly over the past year, perhaps as a result of CFIUS or other regulatory concerns. With its enhanced powers and the political winds at its back, CFIUS may prove to be an even bigger hurdle for Chinese investment in the near term. One thing is certain, however, for covered transactions involving Chinese parties, understanding CFIUS risks under the new law and formulating a clear strategy to address those risks is absolutely critical. Otherwise, the chances of a successful CFIUS outcome could be quite low. 

For the rest of the global investment community, the next 12 to 18 months—while implementing regulations are being drafted and the Committee itself is acclimating to the scope of its new jurisdiction and authorities—will be a critical time to assess the ultimate impact of FIRRMA and adjust the CFIUS risk calculus accordingly. Miller & Chevalier will be tracking new FIRRMA-related developments closely. Please contact us should you have specific questions or need assistance with regard to any CFIUS issues affecting your company.

For more information, please contact any lawyer in our Export Controls & Economic Sanctions practice.

The information contained in this communication is not intended as legal advice or as an opinion on specific facts. This information is not intended to create, and receipt of it does not constitute, a lawyer-client relationship. For more information, please contact one of the senders or your existing Miller & Chevalier lawyer contact. The invitation to contact the firm and its lawyers is not to be construed as a solicitation for legal work. Any new lawyer-client relationship will be confirmed in writing.

This, and related communications, are protected by copyright laws and treaties. You may make a single copy for personal use. You may make copies for others, but not for commercial purposes. If you give a copy to anyone else, it must be in its original, unmodified form, and must include all attributions of authorship, copyright notices, and republication notices. Except as described above, it is unlawful to copy, republish, redistribute, and/or alter this presentation without prior written consent of the copyright holder.