The interagency Committee on Foreign Investment in the United States (CFIUS or the Committee) hosted its 2022 Inaugural Conference on June 16, 2022. In its capacity as chair of CFIUS, the U.S. Department of the Treasury spearheaded the conference, with speakers from several CFIUS member agencies1, including the U.S. Departments of Commerce, Justice, Defense, Homeland Security, State and the Office of the Director of National Intelligence. The conference provided a rare glimpse into key areas of concern in the recent work of the Committee. It also served as a platform to express the U.S. government's commitment to an open and strong investment environment welcoming to foreign investors.
Commentary focused on a variety of topics pertaining to the Committee's review processes, CFIUS monitoring and enforcement, and the emerging national security risk landscape. Additionally, speakers offered advice and recommendations to attendees on best practices for cooperating with CFIUS to achieve mutually desired outcomes.
Holland & Knight has identified five key takeaways from the CFIUS Conference, discussed in detail below. Decision-makers should consider these takeaways when pursuing transactions involving foreign investment in the U.S.
1. National Security Is a Shared Responsibility
The conference reaffirmed the role of CFIUS in the U.S. national security landscape: CFIUS aims to strengthen the U.S. market and make it attractive for foreign investment. Thus, protecting U.S. national security, and by extension the operations of CFIUS, is meant to be a shared responsibility between the U.S. government and the private sector. The cooperative nature of the Committee was likewise highlighted by speakers across various other panels.
Consistent with a shared responsibility to protect national security, several speakers emphasized that the CFIUS review process is not meant to be adversarial. Instead, they recommend that parties engage with CFIUS early and actively. This includes communicating with relevant agencies at the onset of a transaction to determine whether CFIUS has jurisdiction and to outline what potential national security risks may exist. By operating as active participants and providing the Committee with comprehensive and timely responses to inquiries, businesses and the CFIUS bar can avoid unnecessary complications in the review process.
2. Big Data Is a Critical Element of the Evolving Risk Landscape
With the enactment of the Foreign Investment Risk Review Modernization Act of 2018 (FIRRMA),2 CFIUS jurisdiction was expanded to review certain non-controlling foreign investments in U.S. businesses involved in critical technologies, critical infrastructure or sensitive personal data (TID U.S. businesses). This codified a developing concern that CFIUS has had in recent years with respect to sensitive personal data as an area of heightened national security risk, particularly in transactions that involve historically "high-risk" countries such as China. Though the CFIUS regulations contain a defined list of "sensitive personal data" categories subject to non-controlling investment review, speakers at the conference also focused more broadly on controlling investments in companies that collect other types of personal data, such as e-commerce spending habits.
Speakers remarked that big data is becoming a major driver of the global economy and international security, and is, thus, of growing concern to CFIUS. Notably, CFIUS officials shared that more types of data are now considered high-risk. In particular, there is an increased focus on genetic and medical data that both are and are not protected under the Health Insurance Portability and Accountability Act (HIPAA). New research was cited suggesting that de-identified or anonymized data may no longer be viewed as a sufficient data security measure, especially as anonymized data becomes less and less secure. It seems likely that "sensitive personal data" categories will serve as a floor and not a ceiling when it comes to areas of regulatory scrutiny, and that any U.S. business that collects or stores personal data of U.S. nationals – including software and software as a service (SaaS) companies, media and digital advertising companies, fintech, health and biotech companies, and a diverse variety of other technology companies – will need to closely review the nature and scope of data practices when considering foreign investors or foreign acquirers.
3. CFIUS Continues to Expand Review of Non-Notified Transactions
The conference also focused on the exponential increase in the resources dedicated to the identification of non-notified transactions. Speakers emphasized that, since the enactment of FIRRMA, the Committee has continued to expand resources to identify and review non-notified transactions. At the same time, CFIUS officials did note that typically non-notified transactions are referred to CFIUS by other agencies. CFIUS also learns of transactions through the media, SEC filings and tips from the public. Requests for information from CFIUS regarding non-notified transactions are not meant to be antagonistic, speakers said. As a first step, they aim to confirm whether the Committee has jurisdiction. Even though not required, parties are encouraged to provide relevant information for the CFIUS risk assessment analysis. Speakers emphasized that the majority of non-notified inquiries do not result in a request for a formal filing and that it is key to provide CFIUS with prompt responses for the benefit of the business and the Committee.
Parties to a foreign investment transaction should be aware of CFIUS efforts to identify non-notified transactions. There is no statute of limitations for CFIUS jurisdiction over non-notified transactions. CFIUS officials confirmed Holland & Knight's recommended best practice: conducting a CFIUS analysis and risk assessment is now a de facto requirement in every foreign investment transaction.
4. Mitigation and Enforcement Remain a High Priority
It was reported that approximately 10 percent of CFIUS-notified transactions result in mitigation measures.3 Importantly, the Committee made clear that declarations (the shorter form of filing) cannot be used as a vehicle for mitigation. If the transaction is proceeding to mitigation, the parties will be required to file a notice.
Notably, the majority of mitigation agreements are open ended in terms of timing. However, CFIUS periodically reevaluates mitigation measures to ensure that mitigation agreements reflect the current national security risk environment. The Committee stressed that operational personnel of the U.S. business should be involved in the negotiation of mitigation measures to ensure that the company is able to implement and comply with the restrictions and reporting requirements.
Speakers emphasized that, for the most part, enforcement actions are not intended to be punitive, and that any penalties are 1) proportionate to the violation and 2) aimed at incentivizing prospective compliance – both for the violator and for other companies subject to mitigation. When determining what penalties are appropriate for violations, the Committee will consider several factors, including but not limited to: the timing and persistence of the violation, the nature and intent of the misconduct, and the violator's history of compliance. (These factors are quite similar to those used in enforcement actions with respect to U.S. export controls and sanctions laws.) Consistent with wider messaging at the Conference, CFIUS officials highlighted the importance of open communication with the Committee, particularly as it pertains to self-reporting any breaches to mitigation agreements.
5. Strategic Filing Decisions Should Be Made in Light of Timeline Constraints in the Declaration Process
Although the use of the short-form declaration process has increased (CFIUS reported that the declaration clearance rate for 2021 was approximately 73 percent), several factors should be considered when deciding whether to file a declaration or a traditional, full voluntary notice with CFIUS, including the complexity of the transaction, any U.S. government contracts held by the U.S. business and prior CFIUS clearance of the foreign acquirer/investor. Speakers cautioned against the overuse of the declaration process and recommended that conference attendees be mindful of the strategic advantages and disadvantages of filing a declaration. Though the declaration process offers benefits for seemingly low-risk transactions (e.g., speed, cost), it can often be difficult to successfully address national security concerns within the 30-day review timeline for declarations, and the transaction could end up with a full notice, eliminating many of the perceived benefits of pursuing a declaration. In light of these constraints, conference speakers advised parties to consider potential risks posed by the transaction – namely the home country of the investor, the sector and operations of the U.S. target business, and the complexity of the transaction.
The Inaugural CFIUS Conference reaffirmed the evolving nature of national security concerns in foreign investment transactions but also the U.S. commitment to an open investment environment. FIRRMA has brought CFIUS to the forefront of any cross-border transaction and is now a de facto requirement in the due diligence process. Determining CFIUS jurisdiction and risk factors and engaging the Committee early on are best practices for protecting the investment.
The Inaugural Conference was a statement that CFIUS is open and willing to work with the parties and the CFIUS bar on protecting U.S. national security while ensuring an open and stable investment environment.
1 CFIUS includes nine active members (the U.S. Departments of the Treasury (chair), Justice, Homeland Security, Commerce, Defense, State, Energy, Office of the U.S. Trade Representative, and Office of Science and Technology Policy) and six observers (Office of Management and Budget, Council Economic Advisors, National Security Council, National Economic Council and Homeland Security Council). Additionally, the Office of the Director of National Intelligence and the U.S. Department of Labor are non-voting, ex-officio members.
2 For more information on the passing and subsequent enactment of FIRRMA see previous Holland & Knight alerts: "FIRRMA Expands CFIUS Jurisdiction in 2 Major Ways" (Aug. 16, 2018) and "New CFIUS Regulations Finally Take Effect" (Feb. 13, 2020).
3 There are currently less than 200 mitigation agreements.