Skip to content

Treasury Proposes Regulations to Implement CFIUS Reform Law: 10 Things You Need to Know

National Security Reviews (CFIUS) Background Decorative Image

By Damara Chambers, Adrianne Goins, and Ryan Stalnaker

On Tuesday, September 17, 2019, the U.S. Department of the Treasury, which chairs the Committee on Foreign Investment in the United States (“CFIUS”), released long-anticipated proposed regulations to implement key elements of the CFIUS reform law, the Foreign Investment Risk Review Modernization Act of 2018 (“FIRRMA”). While certain aspects of FIRRMA were implemented upon its passage, and in November 2018 CFIUS exercised authorities granted in FIRRMA to issue a Pilot Program mandating reviews of certain transactions involving critical technologies, much of FIRRMA requires implementing regulations. Our prior alerts discussing FIRRMA and the CFIUS Pilot Program are here and here.

The proposed regulations will implement FIRRMA’s sweeping reforms, including the expansion of CFIUS jurisdiction to cover certain non-controlling transactions in U.S. businesses engaged in certain activities involving critical technologies, critical infrastructure, and sensitive personal data as well as over certain real estate transactions that do not involve a U.S. business. These are significant departures from the historical scope of CFIUS jurisdiction, which before FIRRMA had been limited to the review of transactions in which a “foreign person” could acquire “control” of a “U.S. business.” The proposed regulations also will mandate CFIUS filings for certain investments involving substantial foreign government interest in U.S. businesses involved in critical technology, critical infrastructure, and sensitive personal data.

The proposed regulations create a structure to except qualifying investors from certain countries from filings for covered non-controlling investments and real estate transactions. However, the initial list of countries that will be eligible for this exception has yet to be identified.

Comments on the new proposed regulations are due on October 17, 2019, and Treasury also welcomes further comments on the Pilot Program. The deadline set in FIRRMA for implementing the new regulations is February 13, 2020.

Vinson & Elkins will offer webinars over the next few weeks to review the proposed regulations in greater detail. If interested, click here.

Below are ten important takeaways from the proposed regulations.

1. CFIUS jurisdiction will expand to certain non-controlling investments in Technology, Infrastructure, and Data companies.

The proposed regulations would expand the jurisdiction of CFIUS to cover non-controlling equity investments and even contingent equity investments in certain critical technology, critical infrastructure or sensitive personal data companies (now called “TID U.S. Businesses”), if the transaction involves:

  • Access to material nonpublic technical information in the possession of the U.S. business;
  • Board member or observer rights; or
  • Involvement, other than through voting of shares, in substantive decisionmaking pertaining to the critical technologies, critical infrastructure, or sensitive personal data of the business.

2. Which critical infrastructure companies are TID U.S. Businesses?*

There’s a list! FIRRMA expands CFIUS authority to include a non-controlling investment by a foreign person in a U.S. business that “owns, operates, manufactures, supplies, or services critical infrastructure” and requires the Treasury Department to identify the subset of critical infrastructure that triggers CFIUS non-controlling investment authority and mandatory filing requirements for substantial foreign government investments. Treasury identifies this subset of critical infrastructure in an appendix and creates the new term, “covered investment critical infrastructure.” Appendix A is divided into two columns. The first column lists covered investment critical infrastructure, while the second lists the specific functions (i.e., own, operate, manufacture, supply, or service) that the U.S. business must undertake in connection with the identified infrastructure. One example from Appendix A is below:

Column 1 – Covered investment critical infrastructure  Column 2 – Functions related to covered investment critical infrastructure 
(xvi) Any crude oil storage facility with the capacity to hold 30 million barrels or more of crude oil. (xvi) Own or operate any crude oil storage facility with the capacity to hold 30 million barrels or more of crude oil.

To be a TID U.S. Business, both columns must be satisfied. Therefore, under this example, the crude oil storage facility must be able to hold 30 million barrels or more and the U.S. business must own or operate the facility. This menu-based approach is a substantial departure from pre-FIRRMA practice where “critical infrastructure” was determined on a case-by-case basis without clear guidance from CFIUS regarding the scope of infrastructure that did, or did not, meet the threshold.

A wide array of infrastructure is identified in Appendix A, including internet technology, energy infrastructure, transportation infrastructure, financial systems, and specialty manufacturing. The energy infrastructure in Appendix A includes pipelines, refineries, crude oil storage facilities, and LNG terminals. The list is subject to future revisions.

The critical infrastructure appendix applies to non-controlling investments and mandatory filings. CFIUS still has the authority to review any transaction that could result in control by a foreign person of a U.S. business regardless of Appendix A, and CFIUS may consider other infrastructure important in connection with those transactions.

*Critical technology companies were explained in the CFIUS Pilot Program regulations in 2018. They are U.S. businesses that “produce, design, test, manufacture, fabricate or develop” a critical technology. Critical technologies are defined in FIRRMA and again in the Pilot Program as certain technologies that are controlled for export, e.g., under the International Traffic in Arms Regulations, or are controlled under certain other identified regulations.

3. What is sensitive personal data and which companies are TID U.S. Businesses for data?

FIRRMA expands the authority of CFIUS to cover a non-controlling investment by a foreign person in a U.S. business that “maintains or collects sensitive personal data of United States citizens that may be exploited in a manner that threatens national security.” Covered investments include those affording a foreign investor involvement in “the use, development, acquisition, safekeeping, or release of sensitive personal data” of U.S. citizens maintained or collected by the U.S. business. The proposed regulations focus both on “the sensitivity of the data” and “the sensitivity of the population about whom the data is maintained or collected.” To this end, the proposed regulations identify specific categories of data that constitute sensitive personal data, but only apply covered investment status if the U.S. business:

  • targets or tailors its products or services to sensitive U.S. Government personnel or contractors,
  • maintains or collects such data on greater than one million individuals, or
  • has a demonstrated business objective to maintain or collect such data on greater than one million individuals and such data is an integrated part of the U.S. business’s primary products or services.

The categories of sensitive personal data generally are:

  1. Data that could be used to analyze or determine an individual’s financial distress or hardship;
  2. The set of data in a consumer report, as defined pursuant to 15 U.S.C. 1681a;
  3. Data in an application for health insurance, long-term care insurance, professional liability insurance, mortgage insurance, or life insurance;
  4. Data relating to the health of an individual;
  5. Non-public electronic communications between or among users of a U.S. business’s products or services if a primary purpose of such product or service is to facilitate third-party user communications;
  6. Geolocation data collected using positioning systems, cell phone towers, or WiFi access;
  7. Biometric data including facial, voice, retina/iris, and palm/fingerprint templates;
  8. Data for generating a state or federal government identification card;
  9. Data concerning U.S. Government personnel security clearance status; or
  10. Data in an application for a U.S. Government personnel security clearance or an application for employment in a position of public trust.

Under the proposed regulations, data in the categories above must be “identifiable” (i.e., attributable to a specific individual). For example, a U.S. business in possession of data that is encrypted, but that only a third party can decrypt, is not considered to be maintaining or collecting data.

The proposed regulations apply to all genetic information (identifiable or not) as sensitive personal data but carve out data pertaining to a U.S. business’s own employees and data that is a matter of public record.

4. Filings for “substantial” foreign government investments in TID U.S. Businesses will be mandatory.

The proposed regulations mandate filings for investments that result in a foreign government having a “substantial interest” in a TID U.S. Business. The term “substantial interest” is defined as a voting interest by a foreign person of 25% or more in a U.S. business where a foreign government has a voting interest of 49% or more in that foreign person. These voting interests can be direct or indirect.

The filing can take the form of a short-form “declaration,” approximately five pages in length, or the parties can submit a traditional, more comprehensive “notice” to CFIUS. The mandatory CFIUS filing must be made at least 30 days prior to closing the proposed transaction.

5. The proposed regulations include specific clarifications for investment fund transactions.

Consistent with FIRRMA and the Pilot Program, the proposed regulations clarify that indirect, non-controlling investments in TID U.S. Businesses by foreign persons investing as limited partners in investment funds controlled by U.S. general partners will not be subject to CFIUS if the foreign person is given a role on an advisory board or committee of the fund, so long as certain criteria are satisfied:

  • The fund is managed by a general partner or equivalent;
  • The general partner is not the foreign person;
  • The advisory board and foreign person do not have the ability to approve or control the investment decisions of the fund or general partner; and
  • The foreign person does not have the rights that trigger jurisdiction over non-controlling investments (i.e., access to material nonpublic technical information, a board position, or involvement in certain substantive decision making).

Such investment fund transactions also are excluded from the mandatory filing requirements where there is substantial, but indirect, foreign government investment in the form of a limited partner.

6. Anyone will be permitted to submit a short-form “declaration,” but do you want to?

Under the proposed regulations, CFIUS will permit parties to submit a declaration for any transaction, not just mandatory filings. CFIUS first implemented the use of declarations in the Pilot Program on critical technologies. Declarations offered the promise of a shorter CFIUS process, but in most cases have failed to deliver on that promise. The declaration form itself is short and requires less time to prepare than a full notice. Moreover, CFIUS is required to assess a declaration in 30 days, as opposed to 45 days for a CFIUS review, which often is followed by an investigation of up to 45 more days.

The problem is that, in the ten months since it began accepting declarations, CFIUS has only approved the transaction on the basis of a declaration in only a very small percentage of cases (perhaps as low as 10 to 15%). In many cases, following the declaration phase, the transactions had to be filed as full CFIUS notices with the additional required information. Then those cases plodded their way through the lengthier 90-day review and investigation process. In other words, cases that attempted the declaration route often actually took longer to clear CFIUS. That said, there will be cases that CFIUS can dispatch quickly that will be good candidates for a voluntary declaration.

7. Will there be a White List?

CFIUS has introduced a structure that could allow that intrepid unicorn of a foreign investor who meets all of the requirements to be excepted from the expanded jurisdiction for non-controlling investments in TID U.S. Businesses and real estate transactions. Below is a quick summary of the requirements:

a. The investor’s country has to be identified as an “eligible foreign state.”

Eligible foreign states will be identified on the Treasury website. Treasury notes that the initial group of eligible foreign states will be small but that the list could be expanded in the future.

b. The investor’s country has to be designated an “excepted foreign state.”

In order to get on this list, which will be published in the Federal Register in addition to the Treasury website, the foreign state has to establish and use a robust foreign investment review process and coordinate with the United States on investment security matters. CFIUS is considering delaying these requirements for two years to allow eligible foreign states some time to improve on these fronts.

c. Finally, prospective investors with a “substantial connection” to an excepted foreign state (e.g., place of incorporation plus nationality of the beneficial owners) will be deemed excepted investors.

If the excepted investor fails to maintain the “substantial connection” for up to three years after closing a non-controlling investment in a TID U.S. Business (e.g., the investor adds a board director who is not a national of an “excepted foreign state”), then the transaction will convert to a “covered investment” subject to review by CFIUS.

Similar rules apply for “excepted real estate investors.” No investors will be excepted from covered control transactions.

8. CFIUS will have jurisdiction to review real estate transactions.

FIRRMA also authorizes CFIUS to assert jurisdiction over certain real estate transactions that do not involve a U.S. business. Under the proposed regulations CFIUS will have jurisdiction to review the purchase or lease by, or concession to, a foreign person of certain real estate located within, or part of an airport or maritime port, or that is located in proximity to any military installation or sensitive area identified in an appendix, if the transaction will afford the foreign person certain property rights, such as access to, or the right to develop, the property.

Depending on the particular sensitive site, CFIUS will assert jurisdiction over transactions in “close proximity” (involving real estate within one mile) or those within “extended range” (100 miles or, if applicable, 12 nautical miles seaward of off-shore ranges), or within the relevant county.

In the regulations the term “concession” is limited to arrangements to use real estate for developing or operating infrastructure at airports and maritime ports, but Treasury is considering whether to include concessions “relating to certain energy generation and oil and gas activities.” Treasury welcomes comments on this issue.

CFIUS released a separate proposed regulation devoted to real estate transactions – a new part 802 of the regulations. (Part 800 covers investments and part 801 is the Pilot Program on critical technologies.) Any transaction covered by part 802 that also is subject to CFIUS jurisdiction under part 800 should be filed under part 800 instead of the real estate provisions in part 802.

9. Key real estate exceptions: Your next home purchase is not subject to CFIUS review.

Treasury identifies a number of exceptions for real estate transactions over which CFIUS will not have jurisdiction. As required by FIRRMA, there is an exception for a single “housing unit,” a definition which includes both houses and residential apartment units. Treasury will even allow your garage to be excluded. But be careful if you have unusual structures in your yard. More generally, real estate in certain urban areas will be excluded except in certain cases where the real estate is in “close proximity” (i.e., one mile) to a sensitive facility identified in Appendix A to part 802 or is within, or will function as part of, an airport or maritime port.

As noted above, certain real estate investors from White List countries will be excepted. American Indian and Alaska Native lands also are excluded from review.

There also are provisions for exceptions to real estate transactions in the context of retail and food service establishments and commercial office space that may require an analysis of the space occupied and the ratio of foreign person tenants in the building.

10. There is still more to come.

The proposed regulations do not address filing fees. The proposed regulations state that a filing fee will be the subject of a separate Treasury rulemaking.

The proposed regulations also do not make any changes to the Pilot Program on critical technologies, and questions remain as to how the mandatory filings for transactions involving critical technologies may change. Treasury will accept comments on the Pilot Program in addition to the new proposed regulations.


The proposed regulations implementing FIRRMA are complex. It was clear from the statute that CFIUS jurisdiction would expand, and the proposed regulations help to clarify the contours of that expansion. Anyone contemplating a transaction of any size involving a non-U.S. investor and critical technology or infrastructure, sensitive personal data, real estate involving airports, maritime ports, or near military and other sensitive government facilities should seek CFIUS counsel.

V&E has extensive experience advising clients on the legal, policy, and practical dimensions of CFIUS reviews. We are well-positioned to assist clients in understanding how the proposed regulations may affect their mergers, acquisitions and investments. We would be glad to assist companies with the development of comments on the proposed regulations. Visit our website to learn more about V&E’s National Security Reviews (CFIUS) practice.

If you have any questions concerning CFIUS reform or reviews, please contact the following Vinson & Elkins lawyers: Damara Chambers, David Johnson, Jeremy Marwell, Hill Wellford, Adrianne Goins, Elizabeth Krabill McIntyre, Ryan Stalnaker, or John Satira.

This information is provided by Vinson & Elkins LLP for educational and informational purposes only and is not intended, nor should it be construed, as legal advice.