Skip to content

Treasury Releases Final CFIUS Reform Regulations: Seven Changes To The Proposed Regulations You Need To Know

National Security Reviews (CFIUS) Background Decorative Image

On January 13, 2020, the U.S. Department of the Treasury (“Treasury”), which chairs the Committee on Foreign Investment in the United States (“CFIUS”), released final regulations implementing the 2018 CFIUS reform law, the Foreign Investment Risk Review Modernization Act of 2018 (“FIRRMA”).1 The regulations become effective on February 13, 2020. The final regulations adhere closely to the proposed rules released by Treasury in September 2019 and the CFIUS pilot program (“Pilot Program”) regulations implemented in November 2018, with some notable changes. We have previously written about Treasury’s proposed regulations and the Pilot Program for critical technologies (see here and here).

On February 11, 2020, Vinson & Elkins will offer a lunch seminar in our Houston office to review the new CFIUS regulations in greater detail. The program will be broadcast to our other domestic offices and also will be available via teleconference/webcast. Interested parties should click here.

Summary of Key Takeaways

As described in our prior alert on the proposed rules, the final regulations expand CFIUS jurisdiction in two significant ways. First, they expand CFIUS jurisdiction to cover certain non-controlling, non-passive investments in U.S. businesses engaged in certain activities involving critical technologies, critical infrastructure or sensitive personal data (“TID U.S. businesses”):

  • Technology – produces, designs, tests, manufactures, fabricates or develops one or more critical technologies;
  • Infrastructure – performs certain functions such as owning or operating covered investment critical infrastructure listed in Appendix A to Part 800; and
  • Data – maintains or collects, directly or indirectly, sensitive personal data of U.S. citizens.

Although CFIUS has exercised jurisdiction over certain non-controlling investments in U.S. businesses related to critical technologies since November 2018, the final regulations significantly expand the scope of that jurisdiction to include non-controlling investments in infrastructure and personal data.

Second, the regulations expand CFIUS jurisdiction to cover certain real estate transactions that do not involve an investment in a U.S. business. These changes depart from CFIUS’s historical jurisdiction, which limited CFIUS review to transactions in which a foreign person or entity could acquire control of a U.S. business—meaning that CFIUS did not traditionally have jurisdiction to review “pure” real estate transactions.

The final regulations also alter CFIUS’s historical focus on voluntary filings. While parties may still voluntarily file with CFIUS in order to receive a “safe harbor” from subsequent CFIUS review, the final regulations include two areas of mandatory filings. First, they mandate filings for certain transactions involving the acquisition of substantial interest in a TID U.S. business by a foreign government or state-owned entity. Second, they incorporate and continue the mandatory filings for certain transactions involving critical technologies that became a requirement under the Pilot Program.

Another key element of the regulations that we previously described in greater detail is the new option for parties to submit voluntary “declarations.” Compared to the traditional “notice” process, voluntary declarations will allow parties to take advantage of the simpler filing requirements and shorter, 30-day assessment period that until now has only been available for mandatory filings under the Pilot Program.

Noteworthy Changes from Proposed Regulations

The final regulations include notable changes from the proposed regulations in a variety of areas, some of which clearly took into account public comments on the proposed rules. In addition, CFIUS has not yet issued a proposed rule for the filing fees authorized under FIRRMA, but indicated that it will do so at a later date.

1. CFIUS identifies the initial “White List” (Australia, Canada and the United Kingdom) and slightly relaxes the requirements to qualify as an excepted investor.

CFIUS maintains the same jurisdiction it has always had over control transactions (i.e., those transactions in which a foreign person obtains control of a U.S. business), but the new rules limit the application of CFIUS’s expanded jurisdiction for certain investors. In particular, a new class of excepted investors is not subject to CFIUS’s expanded jurisdiction for non-controlling investments or covered real estate transactions, or for the mandatory filing requirements. The excepted investor definition focuses on the investor’s connection to an excepted foreign state (currently limited to Australia, Canada and the United Kingdom). In tying the concept to specific foreign states, CFIUS evidently believed the rules would provide the greatest clarity to the business community and further CFIUS’s efforts to encourage other countries to establish rigorous processes to review foreign investments, thereby enhancing cooperation and U.S. national security while meeting the requirement in FIRRMA to limit the application of CFIUS’s expanded jurisdiction. So, who is an excepted investor?

  • A foreign national who is a national of one or more excepted foreign states;
  • A foreign government of an excepted foreign state; or
  • A foreign entity established in an excepted foreign state that meets a number of criteria, including (i) not having foreign representation (on a Board of Directors or among managing members) from non-excepted foreign states of 25 percent or more and (ii) ensuring that investors from non-excepted foreign states do not hold 10 percent or more of the entity.

These requirements are somewhat relaxed from the proposed rules, which would have required all directors and each person holding five percent or more of the voting interest to be from excepted foreign states or the United States. The final regulations also relax (from 90 to 80 percent) the minimum ownership requirement for publicly-traded companies whose shares are traded on a foreign exchange of a non-excepted state to demonstrate the percentage of shares held by investors from the United States or an excepted foreign state. For entities whose shares are traded on an exchange of the United States or an excepted foreign state, the minimum excepted ownership requirement is a simple majority (i.e., more than 50%) of the shares.

Additional conditions also apply to qualify as an excepted investor. The final rules include a list of “bad acts” that disqualify an investor from claiming “excepted investor” status. These acts include having received a notice from CFIUS that the investor made a false statement to CFIUS or violated a material provision of a CFIUS mitigation agreement, having been penalized for a violation of U.S. sanctions laws or export control laws, or having been convicted of a felony or agreed to a deferred prosecution agreement with the U.S. Department of Justice related to a felony. Given the small group of excepted foreign states at this time and certain other constraints in the new rules, the excepted investor concept may have limited impact on transactions for the foreseeable future.

2. CFIUS will maintain the Pilot Program’s mandatory filing requirement for transactions involving critical technology, with several noteworthy exemptions.

The final regulations incorporate the mandatory filing requirement for certain non-controlling, non-passive investments involving critical technologies, as previously contained in the “Pilot Program.” Under the final rule, the mandatory filing requirement applies to any transaction in which a foreign person (1) obtains control of, or (2) makes a non-controlling investment that includes certain governance, access or decision-making rights in, a U.S. business that operates in certain specified sectors and produces, designs, tests, manufactures, fabricates, or develops certain critical technologies. As under the Pilot Program, parties to such a transaction must file a short-form declaration 30 days before closing the transaction.2

Unlike the Pilot Program, the final regulations incorporate several important exemptions to the critical technology mandatory filing requirement, including for excepted investors, foreign-owned or controlled U.S. entities subject to certain existing arrangements to mitigate foreign ownership, control, or influence (“FOCI”) who hold a facility security clearance, and investments by certain qualifying investment funds managed and ultimately controlled by U.S. nationals. The critical technology mandatory filing requirement will be governed by the existing Pilot Program regulations until the final regulations take effect on February 13, 2020.

The final regulations also clarify the meaning of the term “test” in the definition of a TID U.S. business, explaining that “mere verification of the fit and form of a relevant critical technology” does not constitute testing for purposes of the definition. The final regulations further clarify that a U.S. business that ceases the relevant activity—e.g., producing a critical technology for a relevant industry—but retains the ability to do so, is a TID U.S. business.

The final rule retains the Pilot Program’s basic scope, applying only to investments in companies that operate in certain specified sectors identified using North American Industry Classification System (“NAICS”) codes. However, in the preamble to the final rule, CFIUS indicates that it intends to undertake a further rulemaking to replace the requirement related to NAICS codes with one based on export control licensing requirements. In addition, although CFIUS declined to include a mechanism for granting waivers from the critical technology mandatory filing requirement for certain “trusted investors,” it indicated openness to instituting a waiver process in a future rulemaking.

3. CFIUS defines an entity’s “principal place of business” as its nerve center.

The final CFIUS rules include a definition of “principal place of business” as an interim final rule. This term is important for determining whether a transaction is subject to CFIUS jurisdiction, as it is part of the definitions of the terms “foreign entity” and “excepted investor.” Consistent with regulations that have been in place since 2008, the proposed rule retained the term “principal place of business” within the definition of “foreign entity” but did not define it. CFIUS has now defined the term “principal place of business” to mean:

the primary location where an entity’s management directs, controls, or coordinates the entity’s activities, or, in the case of an investment fund, where the fund’s activities and investments are primarily directed, controlled, or coordinated by or on behalf of the general partner, managing member, or equivalent.

This definition aligns with the U.S. Supreme Court’s definition of “principal place of business” in Hertz Corp. v. Friend, 559 U.S. 77, 92-93 (2010) (“the place where a corporation’s officers direct, control, and coordinate the corporation’s activities”). Courts have labeled this the “nerve center” of a corporation, a phrase that CFIUS uses in the preamble to the final rule.

The definition of principal place of business will help to clarify which transactions are subject to CFIUS jurisdiction, and in particular serves as a helpful clarification for investment fund transactions. CFIUS defines the term “foreign entity” to mean any entity “organized under the laws of a foreign state if either its principal place of business is outside the United States or its equity securities are primarily traded on one or more foreign exchanges.” Thus, if an entity located outside the United States has its nerve center in the United States (and its securities are not traded on foreign exchange), it will not be considered a foreign person under the regulations. Its investments and real estate transactions will not trigger CFIUS jurisdiction (assuming no other basis for CFIUS review). Many private equity funds and venture capital firms use offshore corporate structures that are managed from within the United States. While investments by such funds historically have not been subject to CFIUS review, clarification of “principal place of business” is valuable given the expansion of CFIUS jurisdiction to cover minority, non-controlling investments and the new mandatory filing requirements.

The term “principal place of business” is also used in the definition of “excepted investor” in the final regulations. One of many criteria for an excepted investor is that it has its principal place of business in an excepted foreign state or in the United States.

The regulations contain an important constraint on an entity’s ability to designate its principal place of business: If an entity has represented that its principal place of business is outside the United States in its most recent government filing, then the non-U.S. location will be deemed the entity’s principal place of business. The entity can overcome this presumption by demonstrating that its principal place of business has moved to the U.S. subsequent to that filing.

The definition of “principal place of business” is introduced as an interim final rule because the proposed rules did not include the definition and CFIUS believes it will benefit the public and the Committee if comments are received on the definition. Although it will take effect on February 13, 2020 with the rest of the final regulations, CFIUS has invited public comment on the definition by February 18, 2020.

4. The final regulations expand the “incremental acquisition rule” to give safe harbor to control transactions approved by CFIUS on the basis of a declaration.

The “incremental acquisition rule” provides that if CFIUS approves a control transaction on the basis of a notice, subsequent transactions involving additional rights or equity for the same foreign investor are not subject to CFIUS jurisdiction. In the final regulations, the “incremental acquisition rule” is expanded to cover control transactions that are submitted using declarations (mandatory or voluntary) in addition to notices. This makes the new “voluntary declaration” an even more attractive filing option for parties with straightforward transactions who do not anticipate a need for CFIUS mitigation.

CFIUS also clarifies that the incremental acquisition rule will apply even if the parties do not provide any indication to CFIUS during the initial review that the foreign person’s interest or rights may change at a later date. However, the incremental acquisition rule does not apply where the initial CFIUS review was based on a non-controlling investment. Such non-controlling investments (i.e., “covered investments”) include the acquisition of even small minority equity interests, including contingent equity interests, that also include certain governance, access or decision-making rights in a TID U.S. business. Even if CFIUS clears an initial covered investment, a subsequent investment by the same foreign investor that affords new rights or equity interest may be subject to another review by CFIUS.

5. The final regulations narrow the scope of “sensitive personal data” by excluding certain kinds of genetic information.

Under the final rule, non-controlling investments by foreign persons in U.S. businesses that collect or maintain certain “sensitive personal data” of U.S. citizens can trigger CFIUS jurisdiction. Investments in this category include those affording a foreign investor involvement in “[t]he use, development, acquisition, safekeeping, or release of sensitive personal data” of U.S. citizens maintained or collected by the U.S. business. Data covered in this category includes a range of information, including financial, health, communications, geolocation, biometric, and genetic data.

As compared to the proposed rule, the final rule limits the types of genetic information that qualify as “sensitive personal data,” to include only “[t]he results of an individual’s genetic tests, including any related genetic sequencing data, whenever such results constitute identifiable data.” The regulations adopt the definition of “genetic tests” from 42 U.S.C. § 300gg-91(d)(17), which means “an analysis of human DNA, RNA, chromosomes, proteins, or metabolites, that detects genotypes, mutations, or chromosomal changes,” with some limited exceptions. The final regulations also exclude “data derived from databases maintained by the U.S. Government and routinely provided to private parties for purposes of research.” Previously, the proposed rules had included all types of genetic information by adopting the definition used by the Department of Health and Human Services in 45 C.F.R. § 160.103, which did not require that the genetic information be identifiable.

The change to the definition of genetic information appears to be in response to comments submitted by various biotechnology and life sciences organizations, many of which expressed concerns about including non-identifiable information and genetic information in the broad definition of “sensitive personal data.”

6. The final regulations revise and clarify the application of the term “substantial interest” in the context of investment funds.

As noted above, the final regulations continue to mandate a filing for certain transactions involving substantial foreign government interest in a TID U.S. business. The term “substantial interest” is defined as a voting interest by a foreign person of 25 percent or more in a U.S. business where a foreign government has a voting interest of 49 percent or more in that foreign person. These voting interests can be direct or indirect.

The final regulations revise and clarify the application of the term “substantial interest” in the context of investment funds. In the case of an entity with a general partner or equivalent, the national or state governments of a single foreign state will be considered to have a substantial interest only if they hold 49 percent or more of the interest in the general partner. The proposed rule also clarifies that the government interest threshold can be met in the aggregate, by combing interests held by different agencies from a single foreign state.

7. CFIUS made useful clarifications to the rule establishing jurisdiction over real estate transactions.

FIRRMA authorizes CFIUS to assert jurisdiction over certain real estate transactions that do not involve a U.S. business. Under the final regulations, CFIUS will have jurisdiction to review the purchase or lease by, or concession to, a foreign person of certain real estate located within, or will function as part of a covered airport or maritime port, or located within certain distances from military installations and other sensitive areas identified in an appendix to the rule, if the transaction will afford the foreign person certain property rights, such as access to, or the right to develop, the property.

The final rule on real estate transactions includes a few changes and clarifications, including:

  • New defined terms:
    • “Covered port” – this term replaces and encompasses the terms “airport” and “maritime port,” and the final rule explains that lists of the covered ports are published on the Department of Transportation’s website.
    • “Transaction” – this term is defined in the real estate rule to mean “any purchase or lease by, or concession to, a person of real estate, whether proposed or completed.”
  • An expansion of the exceptions for a lease or concession within a covered port, providing exceptions (1) when the foreign person is a foreign air carrier for which the Transportation Security Administration has accepted a security program, so long as the concession is in furtherance of the carrier’s activities as a foreign air carrier; and (2) when the lease or concession is used only for retail sale of consumer goods or services, including car rental and parking.
  • A requirement to include additional information in CFIUS real estate filings, including addressing whether the transaction is part of a larger project undertaken by the foreign person; whether the foreign person is acquiring a collection of assets or interest in an entity; any U.S. government leases, licenses, permits, easements, encumbrances, or other grants or approvals associated with the real estate involved in the transaction; the term or length of the property interest acquired (e.g., for leases); any physical security measures currently on the premises and any plans to change the physical security measures; and the distance to covered real estate.
  • Revisions to Part 3 of Appendix A in the real estate rule, listing covered real estate around active ballistic missile fields, to provide more specificity for the geographic areas covered. The revised list includes specific references to lands by using the Bureau of Land Management’s Public Lands Survey System (“PLSS”). PLSS divides public lands into subdivisions and provides more specificity than the prior references to entire counties.

In addition, the final rule states that CFIUS anticipates developing an internet-based tool to help parties assess whether certain properties are covered by the rule. In the interim, the regulations direct parties to other U.S. government resources, such as the Census Bureau’s TIGERweb, for geographic data and maps of urban areas, the Department of Transportation’s lists of airports and maritime ports, and the Bureau of Ocean Energy Management’s maps and related data for offshore areas. These tools will assist exploration and production companies and others involved in real estate transactions to understand the scope of the real estate rule’s geographic coverage.

CFIUS’s new authority to review real estate transactions is a significant departure from the existing CFIUS process. Even parties who are CFIUS veterans should seek counsel to navigate the process.

The CFIUS regulations implementing FIRRMA are complex and include significant changes from the existing process. Anyone contemplating a transaction of any size involving a non-U.S. investor and critical technology or infrastructure, sensitive personal data, real estate involving airports, maritime ports, or near military and other sensitive government facilities should seek CFIUS counsel.

V&E has extensive experience advising clients on the legal, policy, and practical dimensions of CFIUS reviews. We are well-positioned to assist clients in understanding how the new regulations may affect their mergers, acquisitions and investments. Visit our website to learn more about V&E’s National Security Reviews (CFIUS) practice.

If you have any questions concerning CFIUS reform or reviews, please contact the following Vinson & Elkins lawyers: Damara Chambers, David Johnson, Jeremy Marwell, Hill Wellford, Adrianne Goins, Ryan Stalnaker, or John Satira.

This information is provided by Vinson & Elkins LLP for educational and informational purposes only and is not intended, nor should it be construed, as legal advice.