Trade Compliance Flash: New Proposed Regulations Significantly Expand CFIUS Jurisdiction; Certain Non-Controlling Investments and Real Estate Transactions Now Within Scope of CFIUS Review
On September 17, 2019, the U.S. Department of the Treasury issued proposed regulations that will significantly expand and redefine the jurisdiction of the Committee on Foreign Investment in the United States (CFIUS). More than a year in the making, the regulations were mandated by the Foreign Investment Risk Review Modernization Act of 2018 (FIRRMA) in response to a perceived need to scrutinize more closely and police more aggressively the national security implications of foreign investment in the United States, in particular foreign investment from China. After a period of notice and comment that ends October 17, 2019, the final regulations will go into effect by February 2020.
Prior to FIRRMA, CFIUS review was limited to "covered transactions" that could result in foreign control of a U.S. business. The proposed regulations preserve and expand that traditional basis of CFIUS jurisdiction but now include a new broad category of "covered investments" – i.e., certain investments that do not result in foreign control of a U.S. business but may nevertheless afford a foreign person certain rights in, or influence over, a U.S. business or access to certain information in the possession of a U.S. business. U.S. businesses subject to the new covered investment rules include those that work in "critical technologies," "critical infrastructure," or "sensitive personal data," as defined in the regulations and explained further below. The proposed regulations also expand CFIUS review to include "covered real estate transactions," which are generally based on proximity to, or rights regarding certain aspects of, U.S. airports, seaports, military facilities, or other U.S. government property.
As a result, CFIUS now has jurisdiction to review a wide range of foreign investments in the United States, including many types of minority, non-controlling investments by foreign persons. Companies in the aerospace, defense, biotech, energy, life sciences, tech, telecoms, transportation, and utilities sectors are likely to be impacted heavily. Early-stage start-up companies — where investors may play a more active role in company decision-making — will also need to consider the possibility that previously routine, non-controlling, foreign investment may now trigger CFIUS scrutiny. Further, any U.S. companies that maintain or collect sensitive personal data of U.S. citizens, or have plans to do so in the future, may also have to reckon with CFIUS when considering foreign investment options.
In this alert, we summarize the new proposed CFIUS regulations and offer key takeaways for U.S. businesses and foreign investors that are likely to be impacted. We also highlight questions about the new proposed CFIUS regulatory regime that remain unanswered.
Summary of New Proposed CFIUS Regulations
The final versions of the new CFIUS regulations will be set forth in Title 31, Part 800 and 802 of the C.F.R. Part 800 sets forth the regulations for transactions that could result in foreign control of a U.S. business as well as the new regulations on "covered investments" that may afford a foreign person certain access to information in the possession of, rights in, or involvement in the decision-making of U.S. businesses that work with "critical technologies," "critical infrastructure," or "sensitive personal data." Part 802 sets forth the new regulations for "covered real estate transactions." (Part 801 set forth the regulations governing the "pilot program" that CFIUS adopted to test certain investment review procedures authorized by FIRRMA regarding "critical technologies." The pilot program remains in place for the time being.) We summarize Part 800 and Part 802 below.
Part 800 – Covered Control Transactions and Covered Investments
By virtue of the updated regulations in Part 800, CFIUS continues to have jurisdiction to review transactions that could result in foreign "control" of a U.S. business. Such control transactions — including mergers, acquisitions, and takeovers — have been the traditional purview of CFIUS. The definition of "control" remains largely unchanged in the new regulations, covering the power, direct or indirect, through various means to determine, direct, take, reach, or cause decisions regarding certain important matters. The definition of a "U.S. business" also remains largely unchanged, covering any entity, irrespective of its place of incorporation or the nationality of the persons that control it, that engages in interstate commerce in the United States. Under the nomenclature of the new regulations, this category of transactions is called "covered control transactions."
Part 800 also contains new regulations implementing CFIUS review of "covered investments." By definition, a "covered investment" is one where a foreign person acquires an equity interest or a contingent equity interest and the acquisition is not deemed to result in foreign control of a U.S. business. Instead, CFIUS review is triggered when a non-controlling investment (1) involves a U.S. business that works with "critical technologies," "critical infrastructure," or "sensitive personal data" and (2) affords a foreign person certain rights within that U.S. business. We explain these terms in more detail below:
First, a covered investment must involve one of three categories of U.S. businesses — referred to collectively as "TID U.S. businesses" for technology, infrastructure, and data:
- Businesses that produce, design, test, manufacture, fabricate, or develop one or more "critical technologies." Such critical technologies include technologies that are currently subject to U.S. export controls, namely defense technologies designated on the United States Munitions List (USML) and dual-use technologies designated on the Commerce Control List (CCL). "Critical technologies" also includes a new category of "emerging and foundational technologies," the definition of which is currently under consideration by the Department of Commerce's Bureau of Industry and Security (BIS) and being discussed with interagency partners. Based on an advance notice of proposed rulemaking (ANPRM) published in November 2018, the regulatory definition of "emerging and foundational technologies" will likely include many technologies at the cutting edge of U.S. innovation, including in the fields of artificial intelligence/machine learning, integrated circuits, data analytics, additive manufacturing (e.g., 3D printing), robotics, and so-called advanced "surveillance" technologies such as faceprint and voiceprint technologies.
- Businesses that own, operate, manufacture, supply, or service "critical infrastructure." Critical infrastructure includes a subset of systems or assets, both physical or virtual, with heightened national security significance. U.S. businesses that own, operate, manufacture, supply, or service these systems or assets are subject to CFIUS review for covered investments. These systems or assets, defined in Appendix A of Part 800, generally relate to telecommunications, satellite networks, government procurement sources, utilities, energy facilities, financial markets, transportation services, and public water systems.
- Businesses that maintain or collect "sensitive personal data." Sensitive personal data means identifiable data of U.S. citizens that are (1) (A) held by a company that targets or tailors its offerings to U.S. government employees or contractors, (B) collects data on more than one million people, or (C) has a business objective to maintain data on more than one million people and such data is part of the U.S. business's primary products or services; and (2) fall into 10 broad categories set out in the rule, namely: data that could determine someone's financial distress, consumer report data, insurance application data, data on individual health, non-public electronic communications, geolocation data, biometric enrollment data, data for state or federal government identification cards, government personnel security clearance data, and genetic information. Many financial services, healthcare, technology, and telecommunications companies are likely to be impacted by the sensitive personal data regulations.
Second, a covered investment must afford one of three categories of rights to a foreign investor:
- Access to any material non-public technical information in the U.S. business's possession. Material non-public technical information means information that provides non-publicly available knowledge or understanding about the design, location, or vulnerabilities of critical infrastructure or information that is not publicly available and is necessary to design, fabricate, develop, test, produce, or manufacture critical technology. It does not necessarily include financial, legal, or business information, even if material and non-public. It also does not necessarily include information that is public about a technology or infrastructure, such as, potentially, information that would be made available to prospective customers.
- Membership or ability to nominate members to the U.S. company's board of directors.
- Any involvement in the substantive decision-making of the U.S business regarding certain matters. Substantive decision-making generally means the process by which decisions regarding certain significant matters are undertaken. Matters covered by this rule include the use, development, acquisition, or release of critical technologies; the management, operation, manufacture, or supply of critical infrastructure; or the use, development, acquisition, safekeeping, or release of sensitive personal data.
The proposed changes to Part 800 also include other new provisions of interest, notably:
- Safe harbor for "excepted investors" and "excepted foreign states." The proposed regulations allow CFIUS to identify and define certain "excepted foreign states" and certain "excepted investors" from such states who will not be subject to CFIUS review for covered investments. Such investors will remain subject to CFIUS review for covered control transactions. CFIUS has not yet released a list of "excepted foreign states," but the development of such a list in the coming months and years will be a fascinating exercise in the limits of U.S. leverage over foreign partners and their own respective foreign direct investment rules.
- Parameters for future mandatory declarations. Before FIRRMA, CFIUS was a purely voluntary regime, although many foreign investors and U.S. businesses chose to disclose in order to take advantage of the safe harbor that prevents CFIUS from later unwinding a noticed transaction. The new proposed regulations make declarations mandatory for certain foreign investments, including those in which a foreign person obtains a substantial interest in a U.S. business where a foreign government in turn holds a substantial interest in the foreign person.
- Evasion provisions. As specified by FIRRMA, the new regulations clarify that a "covered transaction" includes any transaction, transfer, agreement, or arrangement, the structure of which is designed or intended to evade or circumvent CFIUS review.
Part 802 – Covered Real Estate Transactions
Prior to FIRRMA's enactment, CFIUS often raised national security concerns on the basis of the "proximity" or "co-location" of a proposed investment to certain sensitive government facilities, including military bases and properties with sensitive U.S. government tenants. Part 802 formalizes this long-standing practice by defining certain real estate transactions — called "covered real estate transactions" — that are covered transactions subject to CFIUS review. These covered real estate transactions include any purchase, lease, or concession to a foreign person of "covered real estate" that includes the rights, whether or not exercised or shared concurrently with any other person, to physically access the property, exclude others from the property, improve or develop the property, or attach fixed or immovable structures or object to the property.
As with all CFIUS jurisdictional questions, the unique facts and circumstances of a particular transaction are going to dictate whether it is "covered." Covered real estate transactions, in particular, are often going to hinge on the specific rights afforded by a sale contract, lease, or concession agreement. Consulting with the various "examples" set forth throughout Part 802 is a useful place for parties to start when conducting such an analysis.
Whether a property is "covered real estate" is generally based on location, and includes any of the following categories:
- Real estate located within or that will function as part of certain airports or maritime ports. Only certain airports and maritime ports are now subject to expanded CFIUS review, generally based on passenger and cargo traffic, as well as military use. Covered airports are those that handle one percent of commercial air passengers annually, any airport with annual aggregate all-cargo landed weight greater than 1.24 billion pounds, or any airport that is owned by the Department of Defense but is shared with civilian aircraft. Covered maritime ports are those included in the National Port Readiness Network or are one of the top 25 tonnage, container, or dry bulk ports in the U.S. according to the Department of Transportation.
- Real estate located within one mile of certain military installations or other identified U.S. government facilities or property. Covered real estate includes properties within "close proximity" — defined to mean one mile — of certain military installations or other identified U.S. government facilities or property. The list of such military installations and U.S. government facilities are set forth in Part 1 and Part 2 of Appendix A of Part 802.
- Real estate located within the "extended range" of certain military installations. Covered real estate also includes properties within the "extended range" of U.S. military installations. The extended range is defined as 99 miles outside of the outer boundary of close proximity but no more than 12 nautical miles seaward of the U.S. coastline. The list of such military installations is set forth in Part 2, Part 3, and Part 4 of Appendix A of Part 802.
Part 802 also includes other provisions of interest, notably:
- Safe harbor for "excepted real estate investors" and "excepted real estate foreign states." Similar to Part 800, Part 802 calls for CFIUS to identify certain "excepted real estate foreign states," certain investors from which will not be subject to CFIUS review for covered real estate transactions. CFIUS has not yet released a list of "excepted real estate foreign states."
- Exclusion of certain categories of real estate from "covered real estate." Finally, the new regulations exclude many common categories of real estate transactions from CFIUS review, namely:
- Real estate within an urban cluster or urbanized area. An urban cluster is a designation given by the Census Bureau for certain areas with populations between 2,500 and 50,000 individuals. An urbanized area is a designation given by the Census Bureau for certain areas with populations of at least 50,000 individuals.
- Single housing units.
- Commercial office space within a multi-unit commercial office building. This excepted category requires that the foreign real estate investors and their affiliates not own or lease more than 10 percent of the building's square footage nor represent more than 10 percent of the total tenants in the building.
- Evasion provisions. Like Part 800, Part 802 clarifies that a "covered real estate transaction" includes any transaction, transfer, agreement, or arrangement, the structure of which is designed or intended to evade or circumvent CFIUS review.
Key Takeaways and Unanswered Questions
As the Committee moves toward finalizing and implementing the regulations in early 2020, there are a number of considerations and questions — for U.S. businesses and foreign investors alike — to bear in mind.
- Before seeking new foreign investment, U.S. companies should determine whether they are TID U.S. businesses (i.e., work with critical technologies, critical infrastructure, or sensitive personal data) or operate near or within covered real estate. As a practical first step toward understanding CFIUS risk, U.S. businesses should determine whether they will fall within the scope of CFIUS's enhanced jurisdiction. Tackling the relatively straightforward task of assessing this fundamental question will prove invaluable in numerous contexts, including with respect to making decisions on future foreign investments and potentially how to structure such investments. Although this exercise could be especially challenging for early stage start-ups or other companies without sophisticated compliance programs, the risk of not doing so — and simply pushing a growth model dependent on foreign investment — could prove disastrous, especially if CFIUS later determines that certain non-notified investments were within its jurisdiction.
- Many types of foreign investments remain outside the scope of CFIUS review. Despite the expansion of CFIUS's jurisdiction, several types of transactions with foreign persons remain unequivocally outside the Committee's review power. For example, only transactions involving a "U.S. business" are covered. As was the case before FIRRMA, the definition of a U.S. business includes entities engaged in interstate commerce in the United States but does not necessarily include foreign subsidiaries or joint ventures of U.S. companies that operate entirely outside the United States and do not sell to the U.S. market. Similarly, the new concept of "covered investments" does not necessarily include transactions where a foreign person does not obtain any equity interest or contingent equity interest, such as debt-only transactions, sales contracts, technical assistance agreements, license agreements for intellectual property, or certain transfers of certain assets such as real or intellectual property. Also, as has always been the case, so-called Greenfield investments by foreign persons in the United States (i.e., establishing new operations in the U.S. without acquiring or investing in an existing U.S. business) are not subject to CFIUS review without some additional jurisdictional basis (e.g., lease of "covered real estate").
- When will we ever get a list of "emerging and foundational technologies" and what should companies do in the meantime? By all accounts, BIS is nowhere near the release of regulations defining the scope of "emerging and foundational technologies." For now, U.S. businesses involved in the development of artificial intelligence or robotics, to use two examples, that are not otherwise subject to existing export control restrictions may fall within a gap in the new proposed regulations because they may not be squarely within the definition of "critical technologies." Nevertheless, such companies, as well as foreign investors with interest in such companies, should proceed cautiously, as the U.S. government's strategic focus on this area, and the related national security weight it is given, could not be clearer. Consideration of alternate bases for CFIUS jurisdiction, and the advisability of filing a joint voluntary notice, would be worth analyzing carefully under such circumstances.
- Parties may impose limitations on foreign investments to remain outside of CFIUS jurisdiction. Any transaction, transfer, agreement, or arrangement, the structure of which is designed or intended to evade or circumvent CFIUS review is considered covered. However, parties remain free to arrange an investment in a way that does not implicate the evasion provisions and does not trigger CFIUS review, even for investments in TID U.S. businesses. For example, share purchase agreements, articles of incorporation, or board procedures may be drafted in such a way that foreign investors are not afforded access to material non-public technical information, but may continue to have access to business or financial information. Similarly, a foreign investor's role in certain "substantive decision-making" involving critical technologies or critical infrastructure can be restricted, even as the investor remains free to weigh in on other matters. Another category of investment that is not likely to be subject to CFIUS review is passive real estate investment that does not afford a foreign investor physical access, exclusion rights, improvement or development rights, or rights to attach fixed or immovable structures or objects to the property. Such restrictions can be written expressly into the operative contracts or other relevant agreements, clearly establishing that a transaction is not subject to CFIUS review from the outset.
- A whitelist for "excepted investors" from "excepted foreign states" may simplify CFIUS review of covered investments in the future. Finally, the new proposed regulations preserve for CFIUS the authority to except investors from certain foreign countries from national security reviews. Although there is currently no published list of excepted foreign states, we anticipate that it is likely to include a number of countries with which the United States has close national security relationships, such as, potentially, the members of the "Five Eyes" intelligence alliance (Australia, Canada, New Zealand, the United Kingdom), members of the North Atlantic Treaty Organization (NATO) international alliance, and members of bilateral U.S. alliances (e.g., Japan, South Korea). The U.S. may also use the carrot of "excepted investor" status as a strategy to negotiate investment security arrangements with foreign partners that align closely with U.S. policy priorities (e.g., a prohibition on use of telecommunications equipment that raises perceived national security threats) and encourage the adoption of more CFIUS-like foreign investment review protocols in those countries.
Miller & Chevalier will be tracking the implementation of the proposed CFIUS regulations closely and will provide further updates, as new developments arise.
For more information, please contact:
*Former Miller & Chevalier attorney
**Former Miller & Chevalier law clerk
This, and related communications, are protected by copyright laws and treaties. You may make a single copy for personal use. You may make copies for others, but not for commercial purposes. If you give a copy to anyone else, it must be in its original, unmodified form, and must include all attributions of authorship, copyright notices, and republication notices. Except as described above, it is unlawful to copy, republish, redistribute, and/or alter this presentation without prior written consent of the copyright holder.