New Foreign Investment Restriction Regulations Cement CFIUS Reform
One of the emerging focal points of the U.S.-China trade war involves the implementation of updated foreign investment restrictions in key U.S. industries.
On September 17, 2019, the Department of the Treasury issued proposed regulations to implement the Foreign Investment Risk Review Modernization Act of 2018 (FIRRMA), legislation that sought to reform and expand the scope of foreign investment reviews conducted by the Committee on Foreign Investment in the United States (CFIUS). CFIUS, an inter-agency committee chaired by the Treasury Department with the authority to review, modify and potentially reject certain types of foreign investment that could adversely affect U.S. national security, has undergone a significant overhaul during the past year in the wake of FIRRMA becoming law in August 2018. It is now more vital than ever that companies understand how their business can be affected by the updated CFIUS regulations when they are seeking or negotiating a merger, acquisition, real estate investment or even a non-controlling investment from a foreign investor.
Typically, CFIUS reviews are voluntary and are conducted for merger or acquisition transactions where a non-U.S. company or a foreign government-controlled entity obtains a controlling interest in a U.S. company. If CFIUS determines that a covered transaction presents a national security risk, it has the authority to impose certain mitigating conditions before allowing the deal to proceed and can refer the transaction to the President for an ultimate decision.
However, FIRRMA updated and expanded the scope of CFIUS jurisdiction to authorize reviews of additional types of non-controlling foreign investments based on the type of U.S. company involved. The implementing regulations proposed in September 2019 are set to take effect February 13, 2020. While the CFIUS reform regulations are motivated by concerns directly related to China, the impact of FIRRMA will be felt globally, and the new rules will not be tied to or affected by impending trade negotiations. U.S. businesses, particularly those involved in critical technologies, real estate, infrastructure and data collection or maintenance, must take heed of how the updated rules will affect their global business decisions moving forward.
New Regulations for TID Companies Effective February 2020
Effective February 13, 2020, CFIUS will be authorized to review “covered control transactions” (all foreign acquisitions resulting in direct control in a U.S. business, which CFIUS already had jurisdiction over), as well as non-controlling “covered investments” by a foreign person in a U.S. critical technology, critical infrastructure or sensitive personal data company. The new rules refer to these as “TID U.S. Businesses” (Technology, Infrastructure and Data), or to be more specific, a company that engages in one of the following categories of activity:
- produces, designs, tests, manufactures, fabricates or develops one or more critical technologies;
- owns, operates, manufactures, supplies or services critical infrastructure; or
- maintains or collects sensitive personal data of U.S. citizens that may be exploited in a manner that threatens national security.
“Critical technologies” include defense articles or defense services under the International Traffic in Arms Regulations, certain nuclear-related products regulated by the Nuclear Regulatory Commission Controls and certain technologies on the Commerce Control List under the Export Administration Regulations. In addition, “critical technologies” will include certain “emerging technologies” that are yet to be defined, and the Commerce Department’s Bureau of Industry and Security is currently reviewing at least 17 technology areas that are anticipated to result in new controls (including bio-tech, artificial intelligence, microprocessors, positional navigation and timing technology, quantum computing and additive manufacturing (3D printing)).
“Critical infrastructure” includes key industry subsectors such as telecommunications, utilities, energy and transportation. “Sensitive personal data” is defined to include ten categories of data maintained or collected by U.S. businesses that (i) target products or services to sensitive populations (including U.S. military members and federal national security employees); (ii) collect or maintain such data on at least one million individuals; or (iii) have a business objective to collect such data on greater than 1 million individuals and such data is an integrated part of the U.S. business’s primary product or service. The categories of data include types of financial, geolocation and health data.
Non-Controlling Covered Investments
Under the new regulations, CFIUS will be authorized to review non-controlling covered investments in TID U.S. Businesses. A “covered investment” includes scenarios where a foreign investor obtains:
- access to material non-public technical information;
- membership or observer rights on the board of directors or an equivalent governing body of the business or the right to nominate an individual to a position on that body; or
- any involvement, other than through voting of shares, in substantive decision making regarding sensitive personal data of U.S. citizens, critical technologies, or critical infrastructure.
Filing a CFIUS declaration for a non-controlling covered investment will remain a largely voluntary process, and parties will be able to file a notice or submit a short-form declaration notifying CFIUS of a covered investment in order to receive a potential “safe harbor” letter (after which CFIUS in most scenarios will not initiate a review of a transaction).
However, if a foreign government holds a “substantial interest” in the foreign investor that obtains a “substantial interest” in a TID U.S. Business, a CFIUS filing will be mandatory. The updated regulations provide that a foreign government is considered to have a substantial interest in the foreign investor if it holds a 49% direct or indirect interest, whereas a foreign person will obtain a substantial interest in a TID U.S. Business if it obtains at least a 25% direct or indirect interest. CFIUS is also authorized to mandate declarations for transactions involving certain types of critical technology companies.
The proposed rules also include a “white list” provision providing CFIUS the authority to designate certain “excepted investors” and “excepted foreign states” that may be eligible for an exclusion in connection with non-controlling covered investments.
Global Impact: How Does This Affect My Business?
The most important practical effect of the updated regulations is the breadth of U.S. companies standing to be impacted or affected by new foreign investment restrictions. U.S. businesses and industries that have previously never had to consider filing a CFIUS declaration, including healthcare companies, tech start-ups, related infrastructure industries, venture capital funds, emerging technology companies and manufacturers, and any company with access to sensitive consumer data, will now have to contemplate the implications of a CFIUS review when considering even passive foreign investment. Robust due diligence on potential investors will be more important than ever to ensure compliance with both mandatory and voluntary CFIUS declaration filings. Cross-border deals will be a costlier and more time-consuming process that will require acute attention to detail when drafting the contractual rights afforded to foreign investors.
If you have any questions about the impact of the updated CFIUS regulations or how they may affect your company, please contact a member of Baker Donelson’s Global Business Team for additional information.
Joe D. Whitley is a shareholder at Baker Donelson, chair of the Firm’s Government Enforcement and Investigations Group and former General Counsel at the Department of Homeland Security. He can be reached at email@example.com.
Alan Enslen is a shareholder with Baker Donelson and leads the International Trade and National Security Practice and is a member of the Global Business Team. He can be reached at firstname.lastname@example.org.
Julius Bodie is an associate with Baker Donelson who assists U.S. and foreign companies across multiple industries with international trade regulatory issues. He can be reached at email@example.com.