Committee on Foreign Investment in The United States
On October 15, 2020, the Office of Investment Security, Department of the Treasury (“Department of the Treasury”) issued a final rule which significantly modifies the requirements for making mandatory disclosures with CFIUS.
These changes will require U.S. businesses to conduct more intensive due diligence regarding their foreign transactions and the type of technology used within the transaction.
Failure to perform the proper due diligence and make a mandatory disclosure with CFIUS can result in civil fines amounting to the transaction’s total.
The Committee on Foreign Investment in the United States
The Committee on Foreign Investment in the United States (“CFIUS”) was created in 1975 and charged with reviewing foreign investments in U.S. business for national security issues. CFIUS has the authority to review “any merger, acquisition, or takeover…by or with any foreign persons which could result in foreign control of any person engaged in interstate commerce in the United States,” which broadly includes equity-like investments by foreign persons.
CFIUS’ is comprised of nine voting members, two non-voting members, and five observers. The Department of the Treasury chairs the Committee. The remaining voting and non-voting members come from various other Executive Branch departments and subagencies.
Scope of CFIUS’ Jurisdiction
Originally the scope of CFIUS’ jurisdiction was limited to the review of “Covered Transactions” or a proposed or pending transaction with any foreign person, which could result in control of a U.S. business by a foreign person. In 2018 FIRRMA extended this jurisdiction as discussed below.
Control: Control is defined as the ability to direct or decide important matters affecting an entity, as shown by ownership of voting interest, broad representation, proxy voting, special shares, contractual agreements, formal or informal agreements to act in concert, or other means.
Foreign Person: A foreign person is any foreign national, government, or entity; or any entity over which control is exercised or exercisable by a foreign national government or entity.
What does CFIUS do?
Where CFIUS identifies a transaction within its jurisdiction that represents a risk to the U.S.’ national security, CFIUS has the broad authority to suspend, modify, or prohibit the transaction from closing in order to address the concern. If the transaction has already closed, CFIUS has the authority to unwind the transaction through a forced divestiture.
CFIUS assess the potential national security risks of Covered Transactions by considering the following elements:
The type of threat that the Covered Transaction poses to U.S. national security;
The vulnerabilities that are seen and potentially exploited due to the Covered Transaction; and
The consequences which may occur and affect national security as a result of the vulnerabilities being exploited.
FOREIGN INVESTMENT RISK REVIEW MODERNIZATION ACT OF 2018
The Foreign Investment Risk Review Modernization Act (“FIRRMA”) was signed into law in August 2018, extending CFIUS’ jurisdiction to include non-controlling and real estate transactions. The new authority only applies to non-controlling investments (collectively known as “TID Businesses”) that:
produces, designs, tests, manufactures, fabricates, or develops one or more critical technologies;
owns, operates, manufactures, supplies, or services critical infrastructure; or
maintains or collects sensitive personal data of U.S. citizens that may be exploited in a manner that threatens national security.
Critical technologies are defined to include certain items subject to export controls and other existing regulatory schemes and emerging and foundational technologies controlled pursuant to the Export Control Reform Act of 2018. This definition (as discussed below) has been significant modified by the final rule implemented on October 15, 2020.
CFIUS may review transactions related to U.S. businesses that perform specified functions concerning critical infrastructure across sub-sectors such as telecommunications, utilities, energy, and transportation. Specified Functions, according to FIRRMA, are: owning, operating, manufacturing, supplying, or servicing.
Sensitive Personal Data
Sensitive Personal Data was updated by a final rule implemented on February 13, 2020. The final rule states that a company maintains “sensitive personal data” if it either targets executive branch personnel or contractors; or maintains or intends to maintain this data concerning one million or more US citizens. In addition, the type of data must fall within one of the following categories:
Financial data that might indicate “financial distress or hardship;”
Credit report information;
Insurance application data for health, professional liability, mortgage, or life insurance;
Information relating to a person’s “physical, mental, or psychological health condition;”
Private emails or other electronic communications;
Geolocation data including data derived from cell towers, WiFi access points, and wearable electronic devices;
Biometric identifiers such as fingerprints and face scans;
Data used for generating government identification;
Data concerning security clearance status;
Data in security clearance application forms; or
Genetic test results.
THE OCTOBER RULE
On October 15, 2020, The U.S Treasury Department issued a final rule (the “October Rule”) that significantly modified the requirements surrounding CFIUS mandatory disclosures. CFIUS mandatory disclosures now rely entirely on whether a U.S. export authorization would be required to export the “critical technology” to certain foreign persons involved in the transaction, regardless of whether an actual export of the technology has or is intended to occur.
Prior to the October Rule, mandatory CFIUS filings were assessed using an industry test, which asked whether the U.S. business was receiving an investment, being acquired, or using or designing critical technology in certain industries listed in the CFIUS regulation. Now mandatory CFIUS disclosures are based on whether:
Critical Technology: A TID Business produces, designs, tests, manufactures, fabricates, or develops one or more critical technologies;
Regulatory Authorization: A US regulatory authorization would be required for the export, re-export, transfer (in-country), or retransfer of such critical technology; or
Foreign Investors: A U.S. regulatory authorization would be required for the hypothetical export activity of the U.S. business’s critical technology to the direct acquirer or to a foreign investor with 25% or more voting interest, direct or indirect in the direct acquirer.
Unlike the industry test used before the October Rule, this new regulatory authorization test is more complex. It focuses on the export classification of a TID business’s product and technologies and the principal place of business (for entities) or nationality (for individuals) of the foreign parties involved within the transaction.
The October Rule modified the definition of critical technologies, and U.S. businesses will need to assess the product that it sells, the technologies related to the development, and any technologies that are developed and tested for the U.S. businesses’ internal use only. CFIUS states that any U.S. business that produces, designs, tests, manufactures, fabricates, or develops one or more critical technologies must make a mandatory disclosure. For purposes of the CFIUS regulations, “critical technologies” generally include:
Military Technologies: military technologies subject to the International Traffic in Arms Regulations (“ITAR”), as classified by reference to the U.S. Munitions List;
Dual-Use Technology Subject to EAR: civilian/military dual-use technologies subject to the Export Administration Regulations (“EAR”) that are described within Export Control Classification Numbers enumerated on the Commerce Control List
pursuant to multilateral export control regimes relating to national security, chemical and biological weapons proliferation, nuclear nonproliferation or missile technology, or
for reasons relating to regional stability or surreptitious listening;
Nuclear Technologies: nuclear technologies covered by rules relating to foreign atomic energy activities and export and import of nuclear equipment and materials;
Agents and Toxins: select agents and toxins; and
ECRA Emerging and Foundational Technologies: emerging and foundational technologies controlled pursuant to FIRRMA’s companion legislation, the Export Control Reform Act (“ECRA”).
As of August 27, 2020, BIS issued an advance notice of rule making requesting public comment on the definition of and criteria for identifying foundational technology essential to U.S. national security and should be subject to more stringent controls. Technologies identified through this interagency process as emerging and foundational will be added to the CCL and controlled under the EAR. As a result, foreign investments in U.S. businesses that engage in activities involving those technologies could require mandatory disclosures to CFIUS.
For purposes of mandatory declarations, the transaction parties must evaluate whether a U.S. regulatory authorization would be required for the hypothetical export activity of the U.S. business’s critical technology to the direct acquirer or to a foreign investor with 25% or more voting interest, direct or indirect, in the direct acquirer. This 25% threshold also applies to an interest in the general partner, managing member, or equivalent if the entity is primarily directed by or on behalf of a managing partner, managing member, or equivalent. Notably, to determine the percentage of voting interest for purposes of mandatory declarations, any interest of a parent will be deemed to be a 100% interest in any entity of which it is a parent.
DETERMINING IF YOU NEED TO MAKE A MANDATORY FILING
The tests listed below are comprehensive and can be used to determine if a CFIUS filing may be mandatory for your transaction. These are general tests and do not take into account the specifics of your transaction. Failure to make a mandatory filing with CFIUS can lead to civil fines that can total the transaction amount, which is why it is imperative that you contact counsel, such as the experts at Sequoia Legal, to determine if your specific transaction falls within CFIUS’ jurisdiction.
Critical Technology Test
The test is conjunctive—the answer to all five questions must be “yes” for there to be a mandatory CFIUS filing obligation:
Is the target engaged in commerce within the U.S.?
Is the investor a foreign person, entity, government, or U.S. entity under foreign control?
Will the foreign investor receive control (as defined by CFIUS and discussed above) or decision-making rights over the target?
- If the foreign person will not control the target, will the foreign person have any of the following rights:
- access to any “material nonpublic technical information” in the possession of the company;
- membership or observer rights on the Board of Directors or equivalent governing body of the company or the right to nominate an individual to a position on the Board of Directors or equivalent governing body of the company;
- any involvement, other than through the voting of shares, in the substantive decision-making of the company, regarding; or
- any other special rights.
- If the foreign person will not control the target, will the foreign person have any of the following rights:
Is the technology controlled under particular U.S. legal regimes? Would the product or services be controlled under certain sections of the export control laws (for example, EAR)?
Would regulatory authorization (i.e., a permit or a license) normally be necessary to interact with the investor under the applicable controlling regime?
Foreign Investor Substantial Interest Test
If you have determined you are dealing with a foreign person, then use this test. This is a conjunctive test. The answer to all four questions must be “yes” for there to be a mandatory CFIUS filing obligation:
Are they a foreign person or entity?
Does the U.S. business fall into categories discussed above regarding critical technology, critical infrastructure, or sensitive personal data?
Will the foreign investor obtain a 25% or greater interest in the TID U.S. business?
Does a foreign government hold a 49% or greater interest in the foreign entity, or is it a controlling party?
This test is most relevant for real estate and sensitive personal data transactions.
A traditional CFIUS analysis relating to a voluntary CFIUS disclosure remains an important step in a transaction involving a foreign investor. This process requires input and cooperation from both the target company and the investor; there is no single test or set of concrete criteria that can be used to analyze a given transaction. However, some relevant considerations in determining whether a voluntary CFIUS disclosure is warranted include:
The likely impact of the investment on U.S. national security,
The foreign investor’s nationality and extent of ownership by foreign governments,
The target’s involvement in and ties to a national security-related activity or critical infrastructure in the U.S., and
The proximity of the target company’s assets to sensitive U.S. government locations.
CFIUS DISCLOSURE TIMELINES
If the parties decide to submit a CFIUS disclosure (either mandatory or voluntary), all parties will typically jointly prepare the filing. Preparing a filing is a substantial undertaking that requires disclosing a significant amount of information. Although the law accords all information filed with CFIUS confidential treatment, the parties may find the process of producing this information to be intrusive and burdensome.
Mandatory Disclosure Timeline
Voluntary Disclosure Timeline
- CFIUS was created in 1975 and charged with reviewing foreign investments in U.S. business for national security issues.
- FIRRMA expanded CFIUS’ jurisdiction to now include specific noncontrolling and real estate transactions.
- The only noncontrolling transactions within CFIUS’ jurisdiction are transactions involving critical technology, critical infrastructure, and sensitive personal data.
- The October Rule significantly modified the mandatory disclosure rule. CFIUS mandatory disclosures now depend on whether a U.S. export authorization would be required to export the “critical technology” to the foreign persons involved in the transaction, regardless of whether an actual export of the technology has or is intended to occur.
- Export Authorization is determined using the technologies ECCNs; therefore, the CCL should be reviewed carefully to ensure compliance with the appropriate regulatory agencies and CFIUS.
- A traditional CFIUS analysis relating to a voluntary CFIUS disclosure remains an important step in a transaction involving a foreign investor. This process needs to involve input and cooperation from both the target company and the investor; there is no single test or set of concrete criteria that can be used to analyze a given transaction.
This page is designed to help you better understand CFIUS and the new legislation as of December 14, 2020. If you or your company would like more information or assistance in your CFIUS transaction, please contact us. We at Sequoia Legal are here to assist you with your International Trade Law needs.
SEQUOIA LEGAL BLOG.
“What is an indemnification clause? Is this something I should include or care about in my contract?” We at Sequoia Legal encounter these types of
What type of legal counsel does your organization need? Figuring out what kind of legal counsel is right for your business can be overwhelming, but
On Monday, July 20, 2020, the Commerce Department announced that the Bureau of Industry and Security (BIS) added 11 Chinese companies to the Entity List.