Given the political and trade tensions between the United States and China, businesses are facing many obstacles navigating the regulations and restrictions that are popping up. Earlier this year, the U.S. Department of the Treasury issued two final regulations that would implement the 2018 Foreign Investment Risk Review Modernization Act (FIRRMA). The updates greatly broaden the jurisdiction of the Committee on Foreign Investment in the U.S. (CFIUS) to review foreign investment transactions that could raise national security concerns. However, the new regulations also allow some exemptions for certain investors, so that they don’t unduly impact all forms of investment.
For businesses that are working with foreign investors, understanding the latest changes to CFIUS is key to business continuity during the current global uncertainty. Below is a breakdown of the new CFIUS updates.
One of the biggest changes is the expansion of CFIUS’s jurisdiction to non-controlling foreign investments in U.S. businesses. Before, CFIUS was limited to deals that could result in foreign control of a U.S. business, but FIRRMA now gives CFIUS the ability to review non-controlling investments in critical TID (technology, infrastructure, data) U.S. businesses.
According to Anne Salladin, a partner at law firm Hogan Lovells, non-controlling foreign investments in TID U.S. businesses refers to any investment that could provide the foreign person with access to non-public technical information, membership or observer rights to a board of directors or the ability to nominate someone to the board, and any involvement in substantial decision-making related to personal data, critical technologies and/or critical infrastructure.
Prior to FIRRMA, CFIUS reviews had largely been voluntary, although the committee always retained the right to review transactions that weren’t submitted for review. However, with the new regulations, there are now two types of mandatory declarations that apply to all three types of TID U.S. businesses.
The first mandatory declaration is for foreign government-backed investments. “Mandatory declarations are required for certain foreign investments in TID U.S. businesses, involving substantial interest,” states Salladin. “Basically, this means that if a foreign person is acquiring a 25 percent or greater voting interest in what we call a TID U.S. business, and there's a foreign government under this filing program that holds a 49 percent or greater voting interest in that acquirer, then you must file 30 days in advance.”
The second type of mandatory declaration is for controlling and non-controlling foreign investments in a TID U.S. business that produces, designs, tests, manufactures, fabricates or develops critical technologies “within one of 27 specific industries that are identified by NAICS (North American Industry Classification System) codes,” says Salladin.
Salladin does note that soon these “NAICS code prongs will be replaced eventually with a prong that will be based upon export control licensing requirements.” Under the proposed rule, a business will need to file with CFIUS if it would need a license or other regulatory authorization to export, re-export, transfer or re-transfer critical technology to any foreign person.
According to Salladin, the category of emerging and foundational technologies has not yet been defined, which means businesses should be on alert in the event that it affects them. Some affected technologies could include biotechnology, artificial intelligence and machine learning, data analytics, logistics, advanced surveillance, and more.
“Under a companion legislation that was passed in connection with FIRRMA called ECRA (Export Control Reform Act), the Commerce Department will be identifying and controlling certain types of emerging and foundational technologies,” she explains. “It’s very important to understand this because, as those technologies are defined by the Commerce Department, it will feed into this definition for CFIUS purposes, and may well get picked up as part of the mandatory regime.”
In the final regulations, FIRRMA lists 28 types of infrastructure in which CFIUS has jurisdiction to review non-controlling investments, types that “represent a particularly sensitive subset of critical infrastructure,” says Salladin. The types of critical infrastructure that are subject to CFIUS scrutiny include telecommunications, oil and gas, power, water, finance and defense industrial bases.
The regulations also define the types of sensitive personal data that companies collect. That includes financial data, data used to apply for certain types of insurance, health-related data, and consumer report data, as well as what’s called “identifiable data” that can be used to distinguish or trace a person’s identity.
In Salladin’s opinion, CFIUS’s oversight of personal data has the most far-reaching consequences, since many businesses may be collecting consumer data that falls under one or more of these categories.
“I think this is going to be quite, quite impactful for companies that may not realize that they are collecting such data, but they're doing it,” she says. “As a matter of fact, they could be subject to CFIUS’s review as a result of that.”
FIRRMA has also extended CFIUS’s jurisdiction to include some standalone real estate transactions. “For the first time, CFIUS can review what people can reasonably think of as greenfield investments in certain real estate transactions,” says Salladin.
Previously, if a foreign entity purchased “unimproved land,” CFIUS would not have the power to review that purchase. Now, what FIRRMA defines as covered real estate transactions that would need CFIUS review include “purchases or leases by, or concessions to, a foreign person that afford a foreign person at least three property rights.”
“I would say this was felt necessary because there were a number of transactions that were located quite close to certain important military facilities,” explains Salladin. “We call it the ‘proximity issue.’”
In the new regulations, FIRRMA introduced some exclusions and exceptions to CFIUS jurisdiction, most notably over U.S.-controlled investment funds.
“If you're a foreign limited partner, and you meet some rules related to the passive nature of your investment—no ability to control the fund, no ability to control the fund’s general partner, no ability to control the portfolio investment decisions—then those limited partner investments through a U.S.-controlled fund wouldn't be subject to mandatory filings, in some cases not subject to CFIUS review at all,” says Brian Curran, a partner at Hogan Lovells.
Curran adds that this exemption is particularly useful for Chinese investors who don’t want to be strategic partners but simply want a return on their financial investment. “They can come in as limited partners and effectively not have their indirect investments be subject to CFIUS’s review,” he explains.
Additionally, investors from certain “excepted foreign states” (Australia, the United Kingdom and Canada) are also exempt from mandatory CFIUS review, as long as the investor is able to prove they are a national of one of those states.