On October 15, 2020, the final rule implementing the baseline requirements of the Foreign Investment Risk Review Modernization Act of 2018 (FIRRMA) took effect. This final rule altered the mandatory filing rules of the Committee on Foreign Investment in the United States (CFIUS or the Committee). The most important change in the new rule replaces an old piece of the mandatory filing tests—i.e., are "critical technologies" used in or designed for use in "sensitive industries"—with a new test that asks instead whether a U.S. regulatory authorization (e.g., a license) would be required for the export or transfer of such technologies to the investing entity or certain affiliated parties. With this rule, a cycle of more than two years of CFIUS rulemaking came to a close.

While the Committee has indicated that its rules are likely to continue to evolve in the future, the end of the initial round of FIRRMA rulemaking marks a moment for investors, companies, and decisionmakers to take stock of the new CFIUS. Earlier incremental variants of the CFIUS rules will continue to apply to transactions finalized before October 15, 2020—and, as discussed below, the CFIUS enforcement team is actively looking at many such transactions—but today's rules will govern transactions going forward. Accordingly, companies and investors should understand when filings are required, when they are elective, and what the risks are of forgoing a filing under the completed first-generation FIRRMA rules.

The bottom line, up front, is that for any investment or acquisition involving a U.S. business and a foreign person, parties should assess CFIUS considerations as early as possible. In this client advisory, we provide a dealmaker's crash course on CFIUS. We discuss at a high level what investors and investments may be covered, how to assess CFIUS risk, and the considerations associated with filing vs. not filing. Issued alongside this advisory is a flowchart explaining how to assess whether the Committee's rules apply.

CFIUS 101: Answering Basic Questions on CFIUS

What is CFIUS? CFIUS is an interagency committee responsible for reviewing foreign investment into the United States. The Committee has broad discretionary power to determine whether those investments pose national security risks, and the CFIUS process can impact the timing and likelihood of closing. Many transactions can be reviewed by CFIUS—i.e., the Committee has authority to review a broad range of "covered transactions"—but only some covered transactions are filed with CFIUS.

What transactions can it review? The Committee has jurisdiction over many foreign acquisitions of and investments into U.S. businesses. Many joint ventures and most convertible notes, licensing agreements, debt issuances, and the like fall outside of the set of covered transactions. However, the rules are complex; depending on the specific rights acquired, CFIUS has jurisdiction over some transactions in each of those categories. Moreover, the Committee has jurisdiction over any transaction that, in its opinion, has been entered into to evade its review, so caution is always warranted.

Do we have to file with CFIUS? Parties to a covered transaction may i) be obliged to file with the Committee before closing pursuant to mandatory filing rules, ii) file covered transactions voluntarily before closing in order to gain a 'safe harbor' against a CFIUS-requested filing, or iii) be requested or compelled to file by the Committee either before or after closing of a covered transaction. Failure to make a mandatory filing of type (i) can result in financial penalties up to the amount of the investment that was unfiled for the buyer, the seller, or both parties.

We understand that some filings are required, but if a filing is not mandatory, why would we make it? CFIUS employs a team of investigators charged with going to find unfiled covered transactions that the Committee is interested in reviewing under either its mandatory or elective jurisdiction ("non-notified" transactions). There is no statute of limitations on this enforcement team's ability to bring in a non-notified covered transaction—assuming that case is not filed and cleared—so filings may be compelled years after an investment is made. Clearance through the filing process provides safe harbor against this kind of compelled review.

What are the potential negative consequences of a CFIUS review? The majority of transactions reviewed by CFIUS are cleared without incident. However, when the Committee believes an investment does present national security risk, it has the right to negotiate with the parties over a set of conditions, or "mitigation measures," that may address those risks. In the event the parties do not come to an agreement, CFIUS can impose mitigation measures with respect to the investment, block it, or force a post-closing divestiture. When reviewing a non-notified transaction that has already closed, CFIUS is likelier to seek more drastic measures (e.g., divestiture).

Fair enough; then why not file any investment subject to CFIUS jurisdiction? Primarily timing and cost. The CFIUS process can take anywhere from 30 days to many months, or even longer, depending on both the form of filing the parties elect to make and on the Committee's level of interest in that filing. While parties can theoretically close and then file—unless the filing is mandatory—in practice it usually makes sense to seek CFIUS approval before closing because of CFIUS's less friendly treatment of transactions post-closing. Both short and long-form filings are available. The CFIUS short-form filing is faster and cheaper but may not result in a full clearance. It can also result in wasted effort if the Committee requests a follow-on, long-form filing. The CFIUS long-form filing requires more effort and payment of a filing fee but guarantees a definitive yes or no answer from the Committee. The filing fee for a long-form filing varies according the size of the transaction filed. At the low end, for transactions under $500,000, there is no fee, while at the high end, for transactions above $750 million, the fee is $300,000.

CFIUS 201: Elective and Mandatory Filings

Let's get specific; what investments can CFIUS review? A covered transaction historically was one in which a "foreign person" acquired "control" over a "U.S. business." These terms are still important to understanding the extent of CFIUS's authorities today. A foreign person is a non-U.S. national or non-U.S. entity, or an entity over which control can be exercised by a non-U.S. national or entity. For example, if a U.S.-based investment fund is under the control of one or more foreign general partners, that fund may be a foreign person. Control includes the power to impact decision-making with respect to important matters related to the U.S. business. CFIUS has broad leeway to determine what constitutes a controlling investment—for example, investor vetoes with respect to certain corporate decisions are often considered to grant control, and CFIUS may also base a "control" finding on a voting stake of more than 10 percent or a board seat. A U.S. business can be any entity engaged in commerce within the U.S. For example, a foreign company with U.S. operations can also be a U.S. business.

CFIUS's old "control" jurisdiction seems broad; what additional transactions can it now review? CFIUS retains the right to request or require a filing for any historically covered transaction of the type outlined above, and its enforcement team can still review these "covered control transactions." In addition, since February 13, 2020, CFIUS has had extended jurisdiction over certain non-controlling investments ("covered investments") into companies that:

• Work with particularly sensitive technologies ("critical technologies");
• Own, operate, or support U.S. critical infrastructure like financial services or transportation providers ("critical infrastructure"); or
• Have access to certain sensitive personal data belonging to U.S. citizens ("sensitive personal data").

Collectively, these categories are known as "TID U.S. businesses"—for critical Technologies, critical Infrastructure, and sensitive personal Data. In order for CFIUS to have jurisdiction over investments into these TID U.S. businesses, the foreign investor must still receive either control or one of the following covered investment rights:

• Access to material non-public technical information regarding the target's products or critical infrastructure;
• Board membership, observer rights, or the right to appoint a board member; or
• Involvement in decision-making regarding sensitive aspects of the company.

In addition, CFIUS has jurisdiction over certain foreign investments in real estate, even if no full operating business is involved. Together, "covered control transactions," "covered investments" into TID U.S. businesses (those first two categories collectively, "covered transactions"), and "covered real estate transactions" represent the universe of investments that CFIUS can elect to review.

When must transactions be filed with CFIUS? Covered transactions involving TID U.S. businesses are subject to mandatory filing under two rules—the "critical technology" and "substantial interest" mandatory filing rules.

Under the critical technology filing requirement, businesses should ask five questions to determine whether they are required to make a filing. The test is conjunctive—the answer to all five questions must be "yes" for there to be a mandatory CFIUS filing obligation:

1. First, is there a U.S. business? Is the target engaged in commerce within the U.S.?
2. Second, is the investor foreign? Is the investor a foreign natural person, foreign entity, foreign government, or U.S. entity under control of any foreign person?
3. Third, is the investment one of the types covered by the program? Will the investor receive "control" (as defined by CFIUS), a board seat/observer/nomination right, access to nonpublic information on "critical technologies," or decision-making rights over the disposition of such technologies?
4. Fourth, does the target work with "critical technologies" in certain ways? Are the target's technologies controlled under particular U.S. legal regimes? Most notably, would target products or services be controlled for export under certain sections of the export control laws?
5. Fifth, would the investor need a permit or license to access the target's technologies under the applicable controlling regime? Under the new rules that took effect on October 15, this prong of the test replaced a prior test regarding whether the critical technologies were in any of 27 "sensitive industries." Those sensitive industries are now irrelevant for purposes of assessing whether there is a mandatory filing, and investors must ask instead whether a U.S. regulatory authorization (e.g., a license) would be required for the export or transfer of those technologies to the investing entity or to certain controlling entities or ultimate owners in the chain of ownership over that investor.

Meanwhile, under the substantial interest rule, a filing is required whenever the following three conditions are satisfied (again, this is a conjunctive test):

1. Is there a "TID U.S. business"? Does the U.S. business fall into any of the categories described above regarding "critical technology," "critical infrastructure," or "sensitive personal data"?
2. Will the foreign investor obtain a 25 percent or greater interest in the TID U.S. business? That 25 percent interest can be a direct or indirect interest, but it must be a voting interest.
3. Does a foreign government hold a 49 percent or greater interest in the foreign investing entity or its controlling party? Again, that 49 percent interest can be direct or indirect, but it must be a voting interest.

This "substantial interest" rule is most often relevant when seeking investment from sovereign wealth funds, state-owned entities, or substantially state-backed investment funds.

CFIUS 301: Making Decisions About Filing

How do we decide if CFIUS really cares about our transaction? In practice, there are far more transactions each year that satisfy the covered transaction definition than the Committee could ever review. Accordingly, CFIUS focuses its attention on transactions that present particular national security concerns. When assessing risk, the Committee looks at both the vulnerabilities associated with the U.S. business (e.g., potential to use the business for espionage, as just one example) and the threat posed by the foreign investor (e.g., likelihood to engage in espionage). Parties decide whether or not to file voluntarily based on their assessment of the level of concern presented by their deal and the likelihood that the Committee will intervene in their transaction, either before or after closing. There is no formal list of criteria for filing; parties make their decision by reviewing the national security considerations associated with a given transaction alongside experienced counsel familiar with the types of buyers, industries, and issues that raise CFIUS concerns.

What does CFIUS consider when assessing the vulnerability associated with a U.S. business? The Committee defines transactions that are relevant to national security by reference to a number of factors established in FIRRMA. In practice, CFIUS often focuses on businesses that develop novel technologies, have access to sensitive facilities or data, provide critical services to significant portions of the U.S. population, or work with the U.S. government. TID U.S. business status is at best a mediocre proxy for the set of U.S. businesses of interest to CFIUS, but that status also provides CFIUS broader authority to exercise jurisdiction, particularly for non-controlling investments, as described above. By contrast, CFIUS can exercise jurisdiction over a non-TID U.S. business only when a foreign person will obtain "control" over that business.

What about the threat posed by a foreign investor? Most CFIUS rules regarding investors are country-neutral, but the Committee's understanding of national security considerations is emphatically not. The Committee looks most aggressively at foreign investors from nations it views as geopolitical adversaries—most notably, China and Russia. In addition, investors from other nations that have strong ties to geopolitical adversaries—either at the individual investor or national level—may be viewed with suspicion. Investors with histories of violating U.S. law or engaging in other malfeasance may also have a more difficult time at CFIUS. By contrast, investors from NATO allied nations usually have a relatively easy time clearing the CFIUS process unless the U.S. business is highly sensitive.

We have a U.S.-based investing team operating out of the U.S. using a Delaware entity—CFIUS doesn't apply to us, right? To reiterate part of the definition of foreign person, it includes any entity over which control can be exercised by a non-U.S. national or entity. For example, a U.S.-based fund or corporation may get all of its funding from a single foreign source—e.g., a foreign corporation. In such cases, CFIUS has historically suggested that entity is under the de facto control of its funders. Similarly, a fund that has one or more general partners who are foreign citizens will have to consider how much control those GPs can exercise. In other words, merely being a U.S.-based investor does not always indicate that CFIUS does not apply.

We're from Canada and we hear CFIUS doesn't apply to us—is that true? There are CFIUS rules that reduce CFIUS jurisdiction for investors from certain allied nations. However, the test to become a so-called "excepted investor" is quite complicated, and excepted investors are only partially exempted from the Committee's jurisdiction. First, the investing entity must be from an "excepted foreign state"—currently, only Canada, the UK, and Australia qualify. Seventy-five percent of the entity's board members and observers and all of its 10 percent or greater shareholders must also be a U.S. person or from an excepted foreign state, and it must satisfy additional criteria as well. Even if the entity can satisfy these tests, it can be removed from excepted investor status for violating any of several U.S. laws or regulations. Moreover, qualifying as an excepted investor only grants an investor a reprieve from CFIUS's jurisdiction over non-controlling investments and from mandatory filing obligations—such investors remain subject to CFIUS review for "controlling" investments.

We've heard CFIUS enforcement is becoming more active—what does that mean for our transaction? One of the signature developments of the passage of FIRRMA was to provide CFIUS significantly more resources; the new enforcement team is one of the results. Over the course of the last year or so, the enforcement team has asked questions on non-notified transactions at a rate an order of magnitude higher than in previous years. In addition, that team is still growing and expanding the scope of its review. Moreover, the team is encouraging businesses to let the Committee know about competitors' investments. In particular, the inclusion of an email tipline on the new enforcement website has the potential to ratchet up enforcement activity by giving commercial competitors a mechanism to create CFIUS troubles for their rivals seeking foreign investment.

However, early returns suggest that, for now, the enforcement team remains focused on investment from China and Russia, and by investors from other countries with strong Chinese and Russian relationships. Accordingly, enforcement risk for investors does appear to be growing, but unevenly. In addition, despite the uptick in monitoring activity, we are not yet aware of CFIUS having levied any enforcement penalties against parties for failure to make a mandatory filing.

What if we need the money on the company side and we can't wait for CFIUS approval? There are various ways to structure a transaction to permit the foreign investor to put money into the target U.S. business while waiting for the CFIUS review to complete.

If we choose not to file, can we allocate the risk to the other party in our deal? Yes; in fact, for many deals, this will make more sense than filing. Parties regularly allocate CFIUS risk through agreement terms that require a given party to represent that there's no mandatory filing (e.g., the investor is not foreign or the target is not a TID U.S. business), limit an investor's rights to ensure no "triggering rights" are granted, and/or spell out how CFIUS inquiries will be addressed after closing if the enforcement team has questions. Additional more aggressive risk allocation options can further reduce the potential for post-closing costs and losses.

What changes should we expect from CFIUS going forward? While the process for filing appears reasonably fixed in the near term, CFIUS has suggested a few times that rules related to the enforcement process may be forthcoming. In addition, the Department of Commerce will continue to designate new "emerging and foundational" technologies on an ongoing basis—technologies that will then become controlled at CFIUS as critical technologies and subject to the mandatory filing regime.

Should we avoid foreign investment altogether? While CFIUS has expanded its scope and is more closely monitoring non-notified transactions, FIRRMA still orders it to assume that foreign direct investment into the U.S. should be welcomed. And indeed, CFIUS continues to approve the vast majority of transactions that it sees—including some transactions involving parties from countries of notable concern, such as China and Russia. By taking CFIUS considerations into account early on, both companies and their investors can increase the chances of filing success, or alternatively can structure transactions in ways that can significantly reduce risk.