Most deals are approved, but the landscape is becoming increasingly complex, as more types of transactions are subject to review and some filings are mandatory.

The Committee on Foreign Investment in the United States (CFIUS), which is led by the US Department of the Treasury and made up of US national security and economic agencies—including Defense, State, Justice, Commerce, Energy and Homeland Security—reviews certain transactions for national security concerns.

The Foreign Investment Risk Review Modernization Act of 2018 (FIRRMA) significantly overhauled the CFIUS process, including by adding new types of transactions subject to CFIUS review and, for the first time ever, mandating submissions to CFIUS in certain cases.

Although many of FIRRMA’s reforms have not yet been implemented pending the promulgation of new regulations, draft regulations were issued in September 2019.

Although many of FIRRMA's reforms have not yet been implemented pending the promulgation of new regulations, draft regulations were issued in September 2019 and, once finalized, will take effect in February 2020. The key provisions and implications of FIRRMA, including the proposed regulations and a pilot program that CFIUS commenced in November 2018 to test some of FIRRMA's new authorities, are discussed below.

TYPES OF DEALS REVIEWED

Historically, CFIUS has had jurisdiction to review any "transaction" that could result in "control" of a "US business" by a foreign person. "Control" is defined—and interpreted by CFIUS—broadly as the power to determine, direct or decide important matters affecting an entity. "Control" can be present even in minority investments. A "US business" is similarly defined and interpreted broadly to include US legal entities or other organizations, as well as assets operated as a business undertaking in a particular location or for particular products or services.

The types of "transactions" that CFIUS can review are also quite varied, including deals structured as stock or asset purchases, debt-to-equity conversions, foreign-foreign transactions where the target has US assets, private equity investments (in some cases even where the general partner is US-owned) and joint ventures into which a US business has been contributed.

Despite CFIUS's ability to broadly interpret its historical jurisdiction, in recent years, the shifting national security landscape in the US, particularly with respect to Chinese investment, exposed gaps between the transactions that CFIUS has historically been able to review and transactions it could not review but that nonetheless presented potential national security concerns. FIRRMA closed many of these gaps by expanding CFIUS's jurisdiction to allow for review of the following additional types of transactions:

• The purchase or lease by, or a concession to, a foreign person of private or public real estate in the US that (1) is located within, or will function as part of, an air or maritime port; or (2) is in close proximity to a US military installation or to another facility or property of the US government that is sensitive for reasons relating to national security; could reasonably provide the foreign person the ability to collect intelligence on activities being conducted at such an installation, facility or property; or could otherwise expose national security activities at such an installation, facility or property to the risk of foreign surveillance
• Any "other investment" (i.e., qualifying non-passive non-controlling deals) by a foreign person in any unaffiliated "TID US business," i.e., a US business that (1) produces, designs, tests, manufactures, fabricates or develops one or more "critical technologies"; (2) owns, operates, manufactures, supplies or services "critical infrastructure"; or (3) maintains or collects "sensitive personal data" of US citizens that may be exploited in a manner that threatens national security
• Any change in the rights that a foreign person has with respect to a US business in which the foreign person has an investment, if that change could result in foreign control of the US business or in an "other investment" involving a TID US business
• Any other transaction, transfer, agreement or arrangement designed or intended to evade or circumvent the CFIUS process

Most of these new bases for jurisdiction are not yet in effect, pending promulgation of final implementing regulations (expected by February 2020). However, CFIUS's new jurisdiction to review certain "other investments" in US businesses involved with "critical technology" has been in effect since November 2018 on a trial basis under the FIRRMA pilot program.

Specifically, CFIUS currently has jurisdiction to review certain non-controlling but non-passive investments in US businesses involved with critical technologies in relation to 27 enumerated industries, which are known as "pilot program US businesses." Pilot program jurisdiction is triggered if the foreign investor gains any of the following non-passive non-controlling rights with respect to the pilot program US business: a) board membership or observer rights, b) access to material nonpublic technical information, or c) any involvement (other than through voting shares) in substantive decision making relative to critical technologies.

These new bases for jurisdiction are subject to important limitations and caveats. First, as noted above, other than the critical technologies-focused pilot program, the full expansion of CFIUS jurisdiction will not become effective until final implementing regulations take effect in February 2020. Second, FIRRMA requires CFIUS to further limit the term "foreign person" for purposes of the "other investments" and real estate categories, though the draft regulations issued in September 2019 indicated that this exemption is likely to be quite narrow. Third, FIRRMA requires the regulations to define "critical infrastructure" and "sensitive personal data," and the draft regulations indicate that CFIUS intends to utilize highly specific, bright-line criteria to define them, including via a detailed annex of what constitutes "covered critical infrastructure." This detailed approach was also taken in the proposed regulations for CFIUS's new real estate authorities.

WHO FILES

Historically, the CFIUS process was primarily voluntary, and parties could only seek CFIUS review by submitting a "notice." A notice is typically submitted jointly by the parties to the transaction; provides specific information about the foreign investor, the US business and the transaction; and includes attachments such as annual reports, the deal document, certain personal identifier information for directors, officers and key shareholders of the foreign investor, as well as information about the target's US government contracts (if any). While in most cases the process was voluntary, CFIUS had the ability to request, or even self-initiate, a notice for any transaction that falls within its jurisdiction that may raise national security considerations.

The CFIUS process will be mandatory for certain transactions, but any mandatory filings (as well as any voluntary filings) can be made by way of a short-form “declaration.”

Under FIRRMA, the CFIUS process will be mandatory for certain transactions; but any mandatory filings (as well as any voluntary filings) can be made by way of a short-form "declaration" (described in more detail below).

Once FIRRMA goes fully into effect by February 2020, there will be at least one, and potentially two, types of mandatory filings.

Filings will generally be required for an investment that results in the acquisition, directly or indirectly, of a "substantial interest" (defined in the proposed FIRRMA regulations as a voting interest, direct or indirect, of 25 percent or more) in a TID US business by a foreign person in which a foreign government has, directly or indirectly, a "substantial interest" (defined in the proposed regulations as a voting interest, direct or indirect, of 49 percent or more).

FIRRMA also authorizes CFIUS to require filings for transactions involving critical technology companies. The pilot program has mandated declarations for both controlling and qualifying non-passive non-controlling foreign investments in "pilot program US businesses." The pilot program will end when the final FIRRMA regulations take effect, and it is not yet known whether CFIUS will continue to mandate filings for certain transactions involving critical technologies.

Under the proposed regulations, a mandatory filing for a "substantial interest" transaction must be made at least 30 days prior to closing; and under the pilot program, a mandatory filing must be made at least 45 days prior to closing. For either type of mandatory filing, the parties may be subject to penalties up to the value of the transaction if they fail to submit a declaration (or notice in lieu of a declaration).

SCOPE OF THE REVIEW

CFIUS reviews focus solely on national security concerns—this did not change under FIRRMA. CFIUS conducts a risk-based analysis based on the threat posed by the foreign investor, the vulnerabilities exposed by the target, and the consequences to US national security if the threat were to exploit the vulnerabilities.

CFIUS conducts its analysis based in part on the information in the parties' filing and follow-up Q&A with the parties during the course of the review. In some cases, the parties will also meet with CFIUS at the parties' or CFIUS's request. CFIUS considers the information provided by the parties together with other publicly available information and its own internal sources of information.

Based on its risk assessment, CFIUS determines whether the transaction presents any national security concerns. If CFIUS identifies such concerns, it first determines whether other provisions of US law can address the concerns. If no other provisions of US law adequately address the concerns, CFIUS next determines whether any mitigation measures that CFIUS might agree with, or impose upon, the parties could resolve the concerns.

If mitigation cannot adequately resolve the concerns, CFIUS will recommend to the president that the transaction be blocked or suspended. Only the president can block or suspend the transaction.

REVIEW PROCESS AND TIMELINE

Notice

The CFIUS process based on a "notice" typically takes at least three months to complete, beginning from the time the parties submit their notice and its attachments to CFIUS in draft (called a pre-filing). Often, the process takes at least four to five months. In the past few years, a surge in the number and complexity of transactions filed with CFIUS caused the process to become notably slower. Recently, however, given an increase in resources and staffing under FIRRMA, there has been a clear effort by CFIUS to resolve reviews more quickly when possible.

The US Department of the Treasury, as chair of CFIUS, typically takes about two to four weeks to provide comments on the pre-filing, though in some cases this process can take longer. Thereafter, once the parties incorporate any comments into the notice and formally file it, Treasury typically takes at least one to two weeks to accept the filing and start a 45-calendar-day review period. Pursuant to FIRRMA, the new regulations will require Treasury to respond to pre-filings and accept notices within ten business days each under certain circumstances, so starting in February 2020 there should be more certainty on the timing of the pre-filing and notice acceptance process.

At the end of the 45-calendar-day review period, CFIUS either concludes its work on the basis of the review (giving the parties "safe harbor" for their transaction) or begins an investigation period. CFIUS officials have recently indicated that about half of transactions notified to CFIUS are moving to investigation, which is an improvement from recent years when substantially more required investigation.

Investigation can take up to 45 calendar days, and may be extended for one 15-calendar-day period in "extraordinary circumstances." CFIUS is usually able to conclude its work during the investigation period (with or without mitigation), giving the parties "safe harbor" for their transaction. On the rare occasions when national security concerns are identified that cannot be adequately resolved with mitigation, CFIUS sends the transaction to the president, who has 15 calendar days to decide on a course of action (e.g., block or suspend). More commonly, (i) if more time is needed to negotiate mitigation measures with CFIUS, the parties will request to withdraw and resubmit their notice to restart the 45-day review period; or (ii) if mitigation is unavailable or unacceptable to the parties, the parties will voluntarily abandon their transaction to avoid it being sent to the president. While the CFIUS process is generally confidential, any presidential decision must be made public.

Declaration

Declarations are currently permitted for transactions that fall within the pilot program and, once the final FIRRMA regulations go into effect, can be used for any transaction that falls within CFIUS's jurisdiction. Because declarations are intended to be shorter filings, the declaration form is only about five pages in length; requires less information on the transaction and parties, and fewer attachments, than a full notice; and is not pre-filed. CFIUS has 30 calendar days to assess a declaration after it is accepted.

At the end of the 30 days, CFIUS must take one of four actions: (i) conclude action on the basis of the declaration (giving the parties "safe harbor" for the transaction); (ii) inform the parties that CFIUS cannot conclude action on the basis of the declaration, but not request a full notice (now informally known as the CFIUS "shrug"); (iii) request that the parties file a full notice for the transaction (which would start the notice process described above); or (iv) self-initiate a full notice.

The benefits of a declaration are the abbreviated submission form and condensed time frame. Declarations will also offer parties that are unsure whether to file voluntarily an avenue to potentially gain some clarity from CFIUS without having to go through a full notice and review. The downside, however, is that—ultimately—the transaction may not receive "safe harbor" on the basis of the declaration alone; and if a subsequent notice is requested, the CFIUS process may end up taking more time than had the parties started with a full notice in the first instance.

TRENDS IN THE CFIUS PROCESS

Most recent trends in the CFIUS process, including the majority of the reforms to FIRRMA itself, have been motivated—in whole or in part—by increased scrutiny of China-based or -connected transactions. These trends include CFIUS's expanded jurisdiction and mandatory filing requirements, new types of national security "threats" and "vulnerabilities," an increase in the number of withdrawn and re-filed transactions, a more robust non-notified process, increased attention to mitigation monitoring, and increased scope for information sharing between the US and allied governments on investment security matters.

CFIUS’s expanded jurisdiction and mandatory filing requirements closed gaps that US officials were concerned could be exploited by Chinese investment.

Expanded jurisdiction, mandatory filings

As described above, CFIUS's expanded jurisdiction and mandatory filing requirements closed gaps that US officials were concerned could be exploited by Chinese investment. This included transactions that did not necessarily involve any "US business" (such as real estate transactions in sensitive areas) or that did not necessarily involve "control" (such as minority investments, including through private equity-type structures) but that nonetheless provide access to sensitive information or technology of the target US business, as well as concerns that—in the face of increased scrutiny by CFIUS—Chinese deals could be intentionally structured to circumvent CFIUS or simply not notified in the voluntary process.

New threats and vulnerabilities

CFIUS's risk-based analysis has also evolved to include new types of potential "threats" and "vulnerabilities." CFIUS now routinely reviews all transactions for "third-country threats"—that is, channels through which China and other deemed strategic competitors might cause harm through the foreign investor (even if the foreign investor itself is not from such country). On the vulnerability side, CFIUS increasingly assesses the target's access to sensitive personal data, involvement with "emerging technologies," and—even if the target's own technology or data are not sensitive—access to other third parties' sensitive technology or data.

Withdrawals and re-files

In the past few years, in response to the increased number and complexity of filings, the number of transactions that needed to be withdrawn and resubmitted for a second review cycle increased. Now, with the statutory time period for the "review" extended from 30 calendar days to 45 calendar days, an increase in CFIUS funding and staff, and (anecdotally—official statistics are not available) fewer China-connected filings due to the precipitous decrease in Chinese investment into the US in the past year, fewer cases may require additional review cycles.

Non-notified transactions

Despite new types of mandatory filings under FIRRMA, the CFIUS process remains largely voluntary. To help ensure that those transactions potentially posing national security concerns are reviewed by CFIUS, FIRRMA provided CFIUS with increased funding to develop a more active and centralized system to identify and request filings of non-notified transactions of interest. As a result, going forward, parties to transactions raising national security considerations will be less able to take comfort from the historically low probability that CFIUS would proactively pursue a review of their transactions.

Mitigation monitoring

In addition to a more robust process to pursue non-notified transactions, CFIUS is also building a more robust process to monitor mitigation agreements. This includes increased funding and staff, further centralization of oversight within the Department of the Treasury, the development of compliance plans, increased remedial measures, and additional reporting to the US Congress. In 2018, CFIUS imposed its first monetary penalty for repeated breaches of a mitigation agreement. CFIUS is also increasingly reluctant to enter into complex mitigation (particularly when Chinese parties are involved), and will increasingly require the parties to complex mitigation to fund the use of an independent third-party monitor.

Information-sharing

Historically, CFIUS operated under restrictive confidentiality obligations that limited its ability to share and receive transaction-specific information with other allied governments. While the CFIUS process generally remains confidential vis-à-vis the public, FIRRMA now permits certain information sharing with foreign allied governments. This will enable greater sharing of information on transactions under CFIUS review, and the growing dialogue among governments on investment security matters will enable the US government to increasingly intervene in other countries' national security review processes on transactions of interest to CFIUS (even if not within CFIUS's jurisdiction).

HOW FOREIGN INVESTORS CAN PROTECT THEMSELVES

It is critical for foreign investors to consider CFIUS issues in planning and negotiating transactions involving foreign investment (direct or indirect) in a US business or US real estate, including with respect to allocation of CFIUS related risk, as early as possible in the deal timeline. The range of mitigation measures that can be imposed by CFIUS is quite wide (based on the risk profile of the deal), and it is important for investors in particular to have as clear an understanding as possible with respect to what mitigation measures would be acceptable to them.

For example, an investor would likely not want to buy an asset only to have CFIUS-imposed mitigation prevent the investor from achieving its deal objectives. It is also advisable for investors in potentially sensitive transactions to try to avoid owing reverse-breakup fees should the transaction fail due to CFIUS objections. Given the addition of mandatory filing requirements under FIRRMA and potentially substantial penalties for noncompliance, it is also important to assess whether a mandatory filing applies to the transaction.

2019 UPDATE HIGHLIGHTS

• The number of CFIUS reviews continues to remain high.
• It is important to analyze potential CFIUS issues early in the deal process—including assessing whether mandatory filing requirements apply—and, where relevant, incorporate extra time for CFIUS review into deal-planning timelines.
• FIRRMA will be fully implemented in February 2020, significantly expanding CFIUS's jurisdiction, mandating filings for certain transactions, adding a shortened declaration process and making other changes to the CFIUS process. The new law was largely an attempt to close gaps that US officials were concerned could be exploited by Chinese investment, but it will affect a wide range of transactions unrelated to China.
• Parties' links to China can raise substantial CFIUS concerns in non-Chinese deals.
• The FIRRMA pilot program introduced declarations, which are short-form filings subject to a 30-calendar-day assessment. Under the pilot program, CFIUS has cleared a relatively small number of transactions based on a declaration. The most common outcomes following the submission of a declaration appear to be CFIUS requesting a full notice or advising the parties that it cannot conclude its assessment of the transaction based on the declaration but is taking no further action (unless the parties elect to voluntarily submit a full notice).
• Declarations have been submitted at a steady pace under the pilot program of approximately ten per month, but the anticipated surge of declarations when the pilot program was announced did not materialize. Notably, some transactions for which filing is mandated under the pilot program have been filed via full notices rather than declarations.
• The same legislation that contained FIRRMA also included the Export Control Reform Act of 2018, which requires the Department of Commerce to establish export controls on "emerging and foundational technologies" (sensitive technologies not currently captured under the export control regime). These controls have not yet been released—even in draft—but will be directly relevant to the CFIUS process, including CFIUS's expanded critical technologies-related jurisdiction.

Click here to read the full magazine
Foreign direct investment reviews 2019: A global perspective

[View source.]