For many years, the Committee on Foreign Investment in the United States (“CFIUS”) has had the authority to review non-notified transactions – deals which have not been submitted to CFIUS for review and approval – but until recently, resources for such efforts were limited. That changed in 2018, when the Foreign Investment Risk Review Modernization Act of 2018 (“FIRRMA”) significantly bolstered resources for CFIUS oversight and enforcement activities.
In particular, FIRRMA granted CFIUS the authority to increase hiring of personnel and to establish a formal process to identify non-notified transactions through the establishment of the Office of Investment Security Monitoring and Enforcement, dedicated to: 1) monitoring transactions that have not been reported to CFIUS; 2) enforcing CFIUS’s mandatory declaration regulations (e.g., imposing penalties for failing to make mandatory filings); 3) overseeing compliance with CFIUS mitigation agreements, conditions, and orders; and 4) administering and enforcing civil monetary penalties for violations.
As a reminder, CFIUS has the authority to review foreign investment transactions in U.S. businesses for national security risks. FIRRMA expanded CFIUS’s jurisdiction to review and take action to address national security concerns arising from certain non-controlling investments and real estate transactions involving foreign persons. Importantly, unless CFIUS clears a transaction, CFIUS retains jurisdiction indefinitely to review any covered transaction or covered real estate transaction, before or after completion.
Recently, there has been a rise in CFIUS reviewing non-notified/non-declared transactions when such transactions raise national security concerns, including deals that have closed recently, have closed years ago, or have not yet closed. This article will discuss the non-notified/non-declared transaction review process, examine recent deals scrutinized by CFIUS, and provide key takeaways for navigating the CFIUS regime for non-cleared transactions subject to CFIUS review.
Overview of Non-Notified/Non-Declared Transactions
In brief, non-notified and non-declared transactions are those where voluntary notice was not submitted to CFIUS, or when no “safe harbor” has been granted by CFIUS pursuant to section 721 of the Defense Production Act of 1950. A “non-notified” transaction refers to a covered deal or real estate transaction where no voluntary notice was filed with CFIUS. A “non-declared” transaction results when no mandatory declaration was filed with CFIUS for a covered transaction that has triggered a mandatory filing.
CFIUS can determine that a non-notified transaction may be subject to its jurisdiction (e.g., a “covered transaction” or “covered real estate transaction”) and may give rise to national security concerns, and subsequently contact the parties involved and inquire about the transaction. CFIUS has many avenues to identify unfiled transactions, including public and non-public forums such as press releases, security filings, news media reports, executive agency communications, and deal databases tracking private deals, etc. In addition, CFIUS has a formal process on its website where the public can submit tips and referrals to an email tip line (CFIUS.firstname.lastname@example.org) regarding non-notified deals, violations of CFIUS mitigation measures, and other related matters.
CFIUS Process for Reviewing Non-Notified/Non-Declared Transactions
Currently, CFIUS’s initial outreach involves an official from the Office of Investment Security sending an email to senior personnel of the U.S. business and requesting additional correspondence (e.g., email or phone call) to discuss a confidential business matter. The presence of the company’s counsel in the call is usually recommended. The initial inquiry call mainly involves CFIUS introducing itself to the U.S. business, describing CFIUS’s role, and outlining the next steps. The regulations give CFIUS broad authority to request information about non-notified/non-declared transactions. Parties to the transaction are required to respond.
It is important to note that CFIUS’s initial outreach email may be disregarded because it is mistakenly believed to be spam. It is critical for the email inquiry to be properly identified and directed to the right contact(s) at the company: if CFIUS does not receive a response to its email inquiry, CFIUS may unilaterally investigate the transaction and reach its own conclusions. This scenario is likely to lead to an unfavorable result and should be prevented.
Next, CFIUS will send the parties a list of questions to determine if the non-notified/non-declared transaction is subject to CFIUS jurisdiction by qualifying as a “covered transaction” or “covered real estate transaction.” Responding to these questions will require the coordination and participation of personnel from the U.S. business and the foreign investor.
After CFIUS reviews the submitted responses for its initial assessment questions, CFIUS can take one or more of the following actions: 1) request the submission of additional information (typically related to the threat and vulnerability assessment, corporate structure and governance, etc.); 2) close out the matter; 3) request the submission of a declaration or voluntary notice; or 4) unilaterally initiate a notice and draw its own conclusions. Most CFIUS outreach actions result in the parties filing a voluntary notice.
Once CFIUS requests a notice, the process is similar to the standard process for a voluntary notice and similar CFIUS outcomes are expected (imposing mitigation measures and requiring divestiture, among other actions). There is no set timeline for when CFIUS will require the parties to submit a notice.
Recent CFIUS Scrutiny of Non-Notified Transactions
CFIUS is aggressively identifying and investigating transactions that were not previously cleared under the voluntary review regime. Notable public examples of CFIUS’s recent actions involving post-closing transactions include:
- Byte Dance and TikTok: In November 2019, CFIUS began reviewing Chinese company ByteDance’s November 2017 acquisition of TikTok, a social media application. As of our publication date, this transaction is undergoing CFIUS review.
- Beijing Shiji and StayNTouch: In March 2020, an executive order required Beijing Shiji Information Technology Co. (China) to divest its 2018 acquisition of StayNTouch, a U.S. hotel-software company.
- iCarbonX and PatientsLikeMe: In April 2019, iCarbonX (China) was ordered to divest its majority ownership acquired in 2017 in PatientsLikeMe, an online network for discussing health conditions.
- Beijing Kunlun Tech and Grindr: In February 2019, Beijing Kunlun Tech (China) was ordered to divest its acquisition of Grindr (dating application company), which it acquired in two separate transactions in 2016 and 2018.
- Cofense and Pamplona: In April 2019, Pamplona Capital Management and BlackRock (Russian-backed investment) were ordered to divest their minority stake in Cofense Inc., a U.S. cybersecurity firm.
Key Takeaways About the Heightened Review of Non-Notified/Non-Declared Transactions
In the past few years, CFIUS has significantly increased the volume of non-notified/non-declared transactions it has reviewed. No deal is too small nor too old to raise concerns about national security implications, triggering CFIUS’s initial outreach. Below are some key takeaways to consider regarding CFIUS’s review of unfiled transactions.
- CFIUS will reach out to non-notified/non-declared transactions that pose national security considerations. But national security risks are continuously changing: a foreign investment in a U.S. business five years ago that might have not presented a national security risk at the time might now lead CFIUS to conclude that the transaction raises important national security concerns.
- Industry should take CFIUS’s initial outreach very seriously because CFIUS is not simply sending out form letters to all non-notified/non-declared transactions that it finds. Before CFIUS conducts the initial outreach, CFIUS has researched the transaction and preliminary determined that the transaction raises national security concerns, and its outreach is deliberate.
- It is vital that parties immediately demonstrate to CFIUS that they are willing to cooperate and to build trust.
- Companies should engage experienced CFIUS counsel right away and begin developing a strategy, including assessing the vulnerabilities and options to mitigate potential national security risks.
- Parties need to carefully consider the gravity of the risk when deciding to not file a voluntary notice. The risk is the same as it always has been – CFIUS can learn about the transaction and request a filing at any time – but now there is a greater likelihood that such risk will mature. This will result in the parties having limited options once CFIUS determines that the transaction raises national security risks and potentially requires mitigation measures, which can include a recommendation that the transaction be divested or blocked entirely.
- Parties to a transaction that poses low national security risks can avail themselves of the short-form declaration and can potentially obtain clearance without the full CFIUS review and investigation process.
- Currently, CFIUS’s focus is on Chinese (and some Russian) investments in U.S. businesses involved in certain sectors, including sensitive technology, critical infrastructure, data, semiconductor, etc. But that does not mean that CFIUS will not review other deals.
In sum, investors of transactions subject to CFIUS jurisdiction should carefully evaluate the new risk dynamic of not voluntarily having CFIUS review a transaction prior to closing. For closed transactions, investors should assess how CFIUS will view the transaction considering present national security concerns and be prepared to promptly and effectively respond if CFIUS contacts the parties about the non-cleared transaction.
As demonstrated by the deals recently scrutinized, CFIUS’s substantial interest and actions to identify and assess non-notified/non-declared transactions for national security risks, including in some cases mandatory divestiture, is expected to continue. The risk of CFIUS outreach for closed transactions is substantially higher now for all new and old deals (large and small), especially those involving Chinese investment and sensitive sectors.
CFIUS’s willingness to force divestiture of closed transactions is a real threat to foreign investment. Companies are advised to carefully weigh the risks of such outcomes when deciding whether to file a voluntary notice, even when a mandatory filing is not triggered. Overall, in most circumstances, submitting a CFIUS notice and obtaining the legal safe harbor is the only way for companies to mitigate the risk of the government later unilaterally deciding to investigate the transaction.
 In short, “safe harbor” is when CFIUS has reviewed the transaction and issues an official letter notifying the parties that the transaction has been cleared.
 Generally, there are two types of transactions that trigger the mandatory filing requirement (subject to certain exemptions): 1) covered control transactions or covered investments in certain U.S. businesses involved with critical technologies; and 2) covered transactions where a foreign government has a substantial interest in a critical technology, critical infrastructure, or sensitive personal data (“TID”) U.S. business.
 See 31 C.F.R. § 800.801(a) (2021).