Cleary Gottlieb Discusses Final CFIUS Regulations

On January 13, 2020, the U.S. Department of the Treasury (“Treasury”) released final regulations (the “Final Regulations”)[1] implementing the updates to the foreign investment review process of the Committee on Foreign Investment in the United States (“CFIUS”) contained in the Foreign Investment Risk Review Modernization Act of 2018 (“FIRRMA”).  The Final Regulations, effective February 13, 2020, largely track the September 2019 proposed regulations (the “Proposed Regulations”)[2] to implement FIRRMA’s expansion of CFIUS’s jurisdiction.  FIRRMA in turn codified existing CFIUS practice as it has evolved in recent years, particularly with respect to a focus on U.S. businesses involving critical technologies, critical infrastructure, and sensitive personal data, and added a limited mandatory filing regime.  The Final Regulations continue this incremental path by incorporating revisions to address issues arising from public comments on the Proposed Regulations and the sunset of the CFIUS pilot program rules (the “Pilot Program”).[3]

The Final Regulations apply to all transactions entered into (binding agreement signed, public offer launched, proxies solicited, or options exercised) after February 13, 2020.  An interim rule defining an entity’s “principal place of business” is concurrently effective and open for comment until February 18, 2020.  Treasury further delayed implementation of the filing fees called for by FIRRMA, which will be separately addressed in a future rulemaking.  Treasury also indicated that future rules will narrow the scope of the critical technologies filing requirements.

We first summarize the principal changes to the Proposed Regulations and then provide an overview of the Final Regulations as a whole.

I. Summary of Changes

The Final Regulations make the following principal revisions to the Proposed Regulations:

  • Make permanent the mandatory filing requirement for acquisitions of critical technology businesses. The Final Regulations make permanent the Pilot Program’s mandatory filing requirement for all foreign acquirors of U.S. businesses that produce, develop, or test certain “critical technologies.”  However, the Final Regulations anticipate additional regulations, not yet released, that will shift the focus from whether the specified technologies are developed for use in listed industries to exclusively focus on export licensing requirements.  They also modestly expand the available exemptions.
  • Name Australia, Canada, and the United Kingdom as initial “excepted foreign states.” Although not named in the Final Regulations, the introduction notes that CFIUS selected these three jurisdictions as “excepted foreign states” from which investors may be exempted from mandatory filings for a potentially renewable period of two years from the effective date.  Additional countries may be added at any time.  After February 13, 2022, all countries (including any already on the “white list”) must receive a favorable foreign investment review determination from CFIUS to remain excepted.
  • Expand the availability and benefits of being an “excepted investor.” The Final Regulations modestly loosen the restrictions on shareholders and directors from non-excepted countries for a company to qualify as an “excepted investor.”  Additionally, “excepted investors” are now exempt from all mandatory filing requirements arising from foreign government control of investors in U.S. businesses involved in critical technologies, critical infrastructure, or sensitive personal data (“TID U.S. Businesses”).
  • Hint at a possible expansion of CFIUS jurisdiction to activities outside the United States. The Final Regulations contain indications, though not clearly spelled out, that CFIUS may consider FIRRMA’s definition of the term “U.S. Business” to reach at least some non-U.S. operations.
  • Modify treatment of investment funds. The Final Regulations attempt to provide a “nerve center” test to allow offshore funds managed in the United States (or an exempted foreign state) to qualify as having their principal place of business in the managing jurisdiction, but they exclude any entity claiming a principal place of business elsewhere for any purpose (effectively excluding all vehicles used for tax purposes).  The Final Regulations also clarify that limited partnerships do not trigger the “substantial interest” mandatory filings for investments in TID U.S. Businesses by government-linked entities if the government-linked investor is only a limited partner.
  • Narrow the scope of genetic data considered to be “sensitive personal data.” The Final Regulations narrow this prong of “sensitive personal data” to include only “identifiable” genetic tests and to exclude any data derived from U.S. government databases and given to third parties for research purposes.
  • Impose additional information requirements for filings. The Final Regulations require parties to include substantial additional information on all U.S. products produced, tested, manufactured, or designed by the relevant U.S. business, including any relevant export classifications and a statement regarding how the U.S. business determined those classifications.

II. Impact of the Final Regulations

Mandatory Filings

Mandatory Filings Relating to “Critical Technologies”

As noted above, the most significant change in the Final Regulations is the integration of permanent mandatory filing rules for investments in U.S. businesses involving “critical technologies” by any foreign investor (although the businesses subject to this requirement will be refined in the near future).  Parties must submit a short-form declaration (or, at their option, a long-form filing) notifying CFIUS of any transaction that is a “covered investment” (see below) or that could result in foreign control of a U.S. business that produces, designs, tests, manufactures, fabricates, or develops one or more “critical technologies” that is:

  • used in connection with the U.S. business’s own activity in an industry identified in Appendix B to part 800 (the “NAICS Appendix,” attached as Attachment 1); or
  • designed by the U.S. business specifically for use in one of the industries in the NAICS Appendix, even where the technology is also used in other industries.

The definition of “critical technologies” is unchanged from the Pilot Program.  It includes a wide range of export-controlled technologies, as well as “emerging and foundational technologies” to be controlled pursuant to the Export Control Reform Act of 2018.[4]  However, the Final Regulations indicate that, in response to comments regarding the difficulty of applying the NAICS code analysis (the codes are self-classified and may result in more than one potentially applicable code), the “critical technologies” definition will be replaced in the near term by one based on export licensing requirements.

The Final Regulations exempt the following transactions from this mandatory filing requirement:

  • Transactions involving an “excepted investor” (see below);
  • Covered transactions where a foreign person’s indirect investment in the U.S. business is held solely and directly by an entity that (as of the completion date of the transaction) both holds a valid facility security clearance and is subject to an agreement to mitigate foreign ownership, control, or influence (FOCI);
  • Covered transactions by an “investment fund”[5] that (1) is managed exclusively by either a U.S. general partner (or equivalent) or a general partner ultimately solely controlled by U.S. nationals and (2) does not provide limited partners with significant governance rights[6];
  • Transactions that are covered investments solely by virtue of the disqualification of the relevant foreign investor from being an “excepted investor” (see below) within a three-year period following the completion date;
  • Transactions by certified[7] air carriers[8]; and
  • Transactions where the sole critical technology involved is encryption technology eligible for license exception ENC under the Export Administration Regulations.

Mandatory Filings for Foreign Governments Acquiring a “Substantial Interest” in a “TID U.S. Business”

The Final Regulations also expand mandatory filings to transactions involving “covered investments” or “covered control transactions” (see below) in which an entity or entities controlled by the national or subnational governments of a single foreign state (other than an “excepted foreign state,” defined below) are acquiring a “substantial interest” in an unaffiliated TID U.S. Business.[9]

The determination of “substantial interest” is a two-step test.  First, entities controlled by the national or subnational governments of a single foreign state (taken as a whole, whether or not managed independently) must hold a 49% or greater voting interest in the acquiror, directly or indirectly.  In the case of entities with a general partner or equivalent, only interests in the general partner are considered, as long as any limited partnership interests do not confer control.[10]  Second, the acquisition must involve the acquisition of a 25% or greater direct or indirect voting interest in a TID U.S. Business.[11]

Excepted Investors

The Final Regulations set forth guidance for excluding certain “excepted investors” from the expanded jurisdiction mandatory filing requirements relating to government-linked acquisitions of a “substantial interest” in TID U.S. Businesses and from the mandatory filing requirements relating to critical technology businesses.  To qualify, a foreign investor must be closely and nearly exclusively connected to one or more “excepted foreign states.”  A foreign investor and each of its parent entities must meet all of the following conditions to be an excepted investor:

  • Incorporation under the laws of an excepted foreign state (or, if an individual, citizenship solely of an excepted foreign state) or the United States;
  • Principal place of business in an excepted foreign state or the United States;
  • 75% or more of the members and observers of the board of directors are citizens solely of an excepted foreign state or the United States;
  • All shareholders holding 10% or more of (or otherwise controlling) the entity are solely citizens of, a governmental entity of, or entities organized under the laws of and having their principal place of business in an excepted foreign state or the United States (aggregating the holdings of shareholders acting in concert or controlled by a single foreign state); and
  • In the case of publicly traded entities listed primarily in an excepted foreign state or in the United States, a majority (and in the case of all other entities, 80%) of shareholders must be solely citizens of, a governmental entity of, or entities organized under the laws of and having their principal place of business in an excepted foreign state or the United States.

Given that these requirements apply to all parent entities of a foreign investor, use of any offshore special purpose vehicles (for tax or other reasons) in the ownership chain would preclude excepted investor status for an acquiror.  It is also unclear whether a public company could establish satisfaction of the minimum excepted ownership requirement.

A foreign person is also disqualified from being an excepted investor if it, or any of its parents or subsidiaries, has been found to violate CFIUS’s regulations, U.S. sanctions, or U.S. export controls, or has been convicted of any felony or entered into a deferred prosecution agreement or non-prosecution agreement with the Department of Justice with respect to any felony.  Finally, if at any point during the three years following the transaction, an excepted investor no longer meets the location, jurisdiction of organization, or board member requirements (or an individual owner acquires a non-excepted nationality), the transaction is retroactively disqualified as from the completion date.  (However, the mandatory notification requirement would not then retroactively apply.)

Until February 13, 2022, any country included in a list of “eligible foreign states” to be published on the Treasury website is an “excepted foreign state.”  CFIUS announced in the introduction to the Final Regulations that the initial list of eligible foreign states (and, therefore, excepted foreign states) is Australia, Canada, and the United Kingdom; additional states could be added at any time, but CFIUS’s intention appears to be to keep the list narrow.  After February 13, 2022, to qualify, a foreign state must be identified by CFIUS as an eligible foreign state, and CFIUS must also certify that the eligible foreign state “has established and is effectively utilizing a robust process to analyze foreign investments for national security risks and to facilitate coordination with the United States on matters relating to investment security” (with relevant determinations to be published in the Federal Register).

Although the use of a “white list” of countries subject to lessened scrutiny is a significant departure from prior CFIUS practice, the exception has been narrowly drawn.  No entity is exempt from the traditional CFIUS process; instead, only the mandatory filing requirements are affected, and only for entities from the closest U.S. allies meeting stringent conditions.  That said, exemption from the critical technology mandatory filing requirements could be a significant commercial advantage for excepted foreign investors as compared to other investors.  The availability of exceptions may also serve as a “carrot” to induce allied jurisdictions to introduce and enforce security-related foreign investment controls and to cooperate with the United States.

“TID U.S. Business”

The definition of “TID U.S. Business” (Technology, Infrastructure, Data) is central to many provisions of the Final Regulations.  A TID U.S. Business is, as noted, any U.S. business that develops critical technology, performs specified functions with respect to critical infrastructure, or handles sensitive personal data of specified types and volumes.

“Critical technology U.S. businesses” are businesses that produce, design, test, manufacture, fabricate, or develop one or more “critical technologies.”  Note that a target does not have to operate in one of the 27 sensitive industries listed in the NAICS Appendix in order to be a “critical technology U.S. business.”  The critical technologies mandatory filing requirement discussed above covers a subset of those businesses, but the “TID U.S. Business” definition is broader, covering all companies making or developing controlled critical technologies.  Thus, the Final Regulations both require mandatory filings by any foreign acquiror for covered investments in critical technology U.S. businesses that develop or make the technologies in connection with one of 27 sensitive industries and separately expand CFIUS’s jurisdiction over non-controlling investments in critical technology U.S. businesses and require acquirors in which the national or subnational governments of a single foreign state have a “substantial interest” to make a mandatory filing, in each case across all industries.

As noted, the Final Regulations indicate that CFIUS intends to abandon the NAICS Appendix and shift to a mandatory filing regime linked solely to export control licensing requirements.

Critical Infrastructure

The definition of “TID U.S. Business” contains a two-step test for transactions relating to critical infrastructure: first, the transaction must relate to particular types of infrastructure, and second, the target must perform specified functions corresponding to the type of infrastructure.  The types and functions are set out in Appendix A to part 800 of the Final Regulations (the “Infrastructure Appendix,” attached as Attachment 2).  The types of critical infrastructure include the following:

  • Telecommunication and information services, fiber optic cables serving a military installation, IP networks with access to other IP networks via settlement-free peering, or internet exchange points supporting public peering;
  • Certain submarine cables and co-located data centers or facilities;
  • Satellites or satellite systems providing services directly to the Defense Department or a component thereof;
  • U.S. facilities manufacturing certain “specialty metal,” “covered material,” or carbon, alloy, and armor steel plate;
  • Certain electric energy systems, or facilities providing electric power to or located near military installations;
  • Petroleum and crude facilities above certain barrel-per-day capacities, certain liquefied natural gas terminals or storage facilities, or interstate petroleum and liquefied natural gas pipelines above certain barrel-per-day capacities;
  • Systemically-important financial market utilities, securities exchanges, or certain technology service providers;
  • Defense Department Strategic Rail Corridor Network rail lines; certain air and maritime ports and related marine terminals; and
  • Public water systems serving a certain population size or military installation, as well as industrial control systems used by a public water system or treatment works.

The Infrastructure Appendix is a complex but critical tool for determining whether a particular transaction falls within the expanded jurisdiction and mandatory filing requirements of the Final Regulations.  An example illustrates the contours of this analysis.  Assume that a proposed transaction involves a U.S. business that deals with interstate natural gas pipelines with outside diameters of 20 or more inches (Column 1, part xxiii).  If the target owns or operates the pipelines, then it is a TID U.S. Business subject to expanded jurisdiction and potential mandatory filing; if the U.S. business manufactures or services the pipelines, then it is not (Column 2, part xxiii), but the acquisition may still be subject to CFIUS’s jurisdiction and voluntary notification if control rights are acquired.  Treasury noted in the introduction that it may, in the future, update the Infrastructure Appendix in consultation with other federal agencies.

Sensitive Personal Data

Businesses that collect certain categories of “sensitive personal data” deemed to pose a risk to national security would also be TID U.S. Businesses subject to expanded jurisdiction and mandatory filing.  The Final Regulations apply a three-part test.

First, in most cases the requirements apply only to transactions involving a U.S. business that:

  • “targets or tailors” its products or services to any agency or military department with intelligence, national security, or homeland security responsibilities, or their personnel and contractors (broadly defined to include not just differentiated offerings but also discounting, marketing, or retail arrangements specific to those populations, such as a military discount or a retail outlet on a military post);
  • has maintained or collected covered data on greater than one million individuals at any point over the 12 months preceding the earliest of the completion date, execution of a binding agreement, launch of a public tender offer, solicitation of proxies for a board election, or request for conversion of a contingent equity interest (unless the entity proves that as of the completion date the U.S. business no longer can collect or maintain such a volume of identifiable covered data); or
  • has a demonstrated business objective to maintain or collect covered data on greater than one million individuals, where covered data is an integrated part of the U.S. business’s primary products or services.

Notably, a company does not need to retain covered data on one million or more individuals within the defined time period (or intend to do so); it only has to “maintain” or “collect” such data (or intend to do so, even if it will not be able to do so for some time).  Additionally, a company should count all individuals from whom covered data is collected under any category, regardless of location, so long as at least some covered data on U.S. citizens is collected.

Genetic data (specifically the results of individual genetic tests, including any related genetic sequencing data, but excluding anonymized data and data derived from U.S. government databases and provided to third parties for research) is covered regardless of the nature of the business.

Second, the following types of data are covered:

  • Genetic data;
  • Financial data that could be used to identify an individual’s financial distress or hardship;
  • Data in a consumer credit report, unless obtained from a credit reporting agency for a statutorily permitted purpose;
  • Data relating to the physical, mental, or psychological health of an individual;
  • Non-public electronic communications between or among users of the business’s products or services (if a primary purpose of the product/service is to facilitate third-party user communications), such as e-mails or chat messages;
  • Geolocation data;
  • Biometric data;
  • Data stored/processed for generating state or federal government ID cards;
  • Data concerning U.S. government personnel security clearance or security clearance status; or
  • Data in an application for employment in a position of public trust.

Third, the data must be “identifiable.”  Data is identifiable if it is linked to any of the following (non-exclusive) list of personal identifiers:

  • Name;
  • Physical address;
  • Email address;
  • Social security number;
  • Phone number; or
  • Other information that identifies a specific individual.

Data is not “identifiable” if it is aggregated, anonymized, or encrypted to government standards, but only if no party to the transaction has or will have after the transaction the ability to disaggregate, deanonymize, or decrypt the data.  “Sensitive personal data” also excludes data about a company’s own employees, except with respect to security clearance-related data held by U.S. government contractors (meaning as a practical matter that any entity holding classified contracts will become a TID U.S. Business subject to the expanded jurisdiction and mandatory filing rules, as it is likely to target government agencies with a national security function and hold data about its own employees’ security clearances).

Given the integral nature of subscriber data in many technology offerings (including most mobile device applications) and ease of entering U.S. interstate commerce in the technology sector, investors must be alert to this part of the TID U.S. Business definition.  A provided example explores its reach: a start-up mobile mapping venture that has maintained or collected geolocation data on far fewer than one million individual subscribers at the time of a transaction with a foreign person but has prepared pitch materials for investors stating such geolocation data is an integral part of its primary product and projecting that it will have greater than one million active subscribers within two years is a TID U.S. Business.

Expansion of Jurisdiction

“Control” and Covered Investments in TID U.S. Businesses

Even where the mandatory filing regime for investors in which a foreign government has a substantial interest does not apply, CFIUS has expanded jurisdiction over transactions involving TID U.S. Businesses, reaching both “covered control transactions” and a nominally broader group of “covered investments.”

Both before and after FIRRMA, CFIUS has jurisdiction involving the acquisition of “control” over a U.S. business, where “control” is defined as:

“the power, direct or indirect, whether or not exercised, through the ownership of a majority or a dominant minority of the total outstanding voting interest in an entity, board representation, proxy voting, a special share, contractual arrangements, formal or informal arrangements to act in concert, or other means, to determine, direct, or decide important matters affecting an entity.”

Treasury declined to amend this “well-established control standard” and did not revise a number of examples in its regulations indicating that the acquisition of a modest non-passive stake does not ipso facto create control (to take one example, a 13% stake and one of seven directors does not alone create control).  In our experience, however, the definition of “control” has been read extremely broadly (and somewhat unpredictably) in practice by CFIUS, and acquisitions of any significant governance rights (in one case, 15% of voting shares and proportional representation on the board of directors in a public company) may be deemed “control.”  Moreover, the Final Regulations further narrow the definition of “solely for the purposes of passive investment” (a presumptive safe harbor from a finding of control in acquisitions of 10% or less of a U.S. business) to exclude the rights below, raising a question as to how large the gap between a “covered control transaction” and a “covered investment” really will be in practice.

Nevertheless, for investments in TID U.S. Businesses, FIRRMA and the Final Regulations create a new category of “covered investment” reaching non-controlling governance rights.  An investment is a covered investment if it does not confer “control” but affords the foreign investor:

  • Access to any material non-public technical information (for example, in a joint venture in which each party takes a stake in the other);[12]
  • Any membership or observer rights on the board of the TID U.S. Business; or
  • Any involvement, other than through the voting of shares, in substantive decisionmaking regarding critical technologies, critical infrastructure, or sensitive personal data.
    • “Involvement” is defined very broadly as the right or ability, whether or not exercised, to provide input, consult or advise, exercise approval or veto rights, participate on a committee with authority over the relevant decision, or advise on appointing officers or selecting appointees to make the relevant decision.
    • “Substantive decisionmaking” is defined equally broadly to include pricing, transaction terms, supply arrangements, corporate strategy and business development, R&D (including locations and budget), manufacturing locations, access to critical technologies, security protocols, data privacy practices, IT systems used for personal data, and strategic partnerships.

Any investment in a TID U.S. Business conferring any of these rights is a “covered investment,” no matter how small.  If the investor is an “excepted foreign investor” (see above), neither the expansion of CFIUS’s jurisdiction nor mandatory filing requirements apply.

Real Estate

The Final Regulations also implement FIRRMA’s expansion of CFIUS jurisdiction over the purchase or lease by, or concession to, a foreign person (other than an “excepted investor,” as defined above) of certain real estate in the United States that is not operated as a business (e.g., raw land or leasing of empty facilities, as opposed to the sale of an occupied office building with assignment of the relevant agreements, which would be an acquisition of control over a U.S. business without regard to the criteria below).[13]  A real estate transaction is covered if the foreign person acquires at least three of the four following rights: (1) physical access; (2) excluding others from physical access; (3) developing or improving the real estate; and (4) attaching fixtures or structures to the real estate.  Mortgages and other secured lending activities are not themselves covered real estate transactions (even where the lending transaction creates a secured interest in covered real estate in favor of a foreign person), but foreclosure on a mortgage related to relevant real estate may be.

The Final Regulations define “covered real estate” to include a number of categories, keyed to Appendix A to Part 802 of the Final Regulations (the “Real Estate Appendix,” attached as Attachment 3):

  • Property within one mile of the military and government facilities listed in Part 1 or Part 2 of the Real Estate Appendix;
  • Property within 100 miles of a facility listed in Part 2 of the Real Estate Appendix;
  • Property in any county listed in Part 3 of the Real Estate Appendix (a list of counties in which missile bases are located);
  • Property within the boundaries of a military range identified in Part 4 of the Real Estate Appendix and within the limits of the U.S. territorial sea; and
  • Property that is in, on, or functions as part of a “covered port” (a list of seaports and airports defined by reference to Department of Transportation sources).

The Final Regulations carve out from CFIUS’s jurisdiction property in an “urbanized cluster” or “urbanized area” as defined by the Census Bureau,[14] unless it is within one mile of a facility listed in Part 1 or Part 2 of the Real Estate Appendix or functions as part of a covered port; “single housing units” as defined by the Census Bureau; leases or concessions of real estate that will be used only for the purpose of engaging in the retail sale of consumer goods or services to the public; leases or concessions of real estate to foreign air carriers that have security programs accepted by the Transportation Security Administration; and commercial office space in buildings in which the relevant foreign person occupies no more than 10% of the square footage of the building and shares the building with at least nine other tenants.  The Final Regulations also carve out real estate investments by excepted investors.

CFIUS plans to develop an online tool to help the public understand the geographic coverage of “covered real estate” under the Final Regulations.

Definition of U.S. Business

Treasury explicitly chose to change the definition of “U.S. business” in pre-FIRRMA regulations that limited the definition to entities’ activities within U.S. interstate commerce.  Treasury noted that the revised definition tracks FIRRMA (though that language paralleled language contained in the pre-FIRRMA statute) and “is not intended to suggest the extent of a business’s activities in interstate commerce in the United States is irrelevant to the Committee’s analysis of national security risk,” suggesting a possible assertion of jurisdiction over activities outside the United States of entities engaged in U.S. interstate commerce.  However, the Final Regulations also retained examples of the application of the rule that seem to indicate a narrower construction, including:  (i) where a foreign entity engages in U.S. interstate commerce through a branch or subsidiary, only that branch or subsidiary is a U.S. business, (ii) a foreign entity without any U.S. presence that sells licenses and technology into the United States is not a U.S. business, and (iii) a foreign entity without any U.S. presence that is a wholly owned subsidiary of a U.S. entity is not a U.S. business.  Treasury may have in mind operations and sales of U.S. entities outside of the United States, but no further clarification was provided.

Guidance for Future Transactions

Although as a formal matter the definitions of “TID U.S. Business” and “covered real estate” apply to a fairly narrow set of circumstances, they also provide valuable guidance as to the types of transactions that may be likely to raise CFIUS concerns as a general matter.  For example, it has long been known to CFIUS practitioners that the Committee scrutinizes acquisitions based on their physical proximity to sensitive facilities, and, even though the Final Regulations regarding acquisitions of real estate are technically not relevant to acquisitions of control of a U.S. business, they provide a helpful (though non-exclusive) articulation of criteria to help assess the sensitivity of a location.  These criteria provide useful guidance when, for example, examining the location of an acquisition target’s facilities.  Similarly, CFIUS’s interest in the issues underlying the definition of “TID U.S. Business” has long been known, but the Final Regulations provide a useful elaboration of those issues that can be applied to all transactions.  These categories are by no means exhaustive—CFIUS retains broad jurisdiction and discretion to review transactions it believes to be of concern—but they help assess the likely level of interest in a transaction.  This is especially relevant given the marked increase in post-closing review of transactions; CFIUS’s public statements indicate (and our experience corroborates) that the CFIUS staff is devoting significant resources to identifying transactions that were not originally notified and seeking information from the parties.

Short-Form Declarations

The Final Regulations expand the availability of short-form declarations, first proposed in the Pilot Program, to all covered transactions.  Short-form declarations will be available both for mandatory and voluntary filings.  Following the approach set forth in the Pilot Program, the Final Regulations provide for a short-form declaration as an alternative to the standard notice submitted to the Committee.  The declaration is intended to be an abbreviated filing that allows parties to submit basic information using a standard form not exceeding five pages in length (though it bears noting that the instructions alone in the Final Regulations run to seven and a half pages in word processing format).  The Final Regulations stipulate that parties may submit a declaration instead of a full notice for any transaction subject to CFIUS jurisdiction, regardless of whether the filing is mandatory.

It remains to be seen whether the short-form declaration will be a useful tool for parties notifying CFIUS of a transaction.  Anecdotal evidence from the Pilot Program casts some doubt on its effectiveness.  To date, CFIUS has rarely definitively cleared transactions on the basis of a declaration; more often, CFIUS reaches no conclusion (effectively denying the parties a safe harbor and subjecting the transaction to the risk of future review) or requests a full notice, effectively delaying the ordinary CFIUS review process by 30 days.  However, given that CFIUS must respond to a valid declaration within 30 days of receipt (in contrast to a full notice, for which CFIUS concludes the first-stage review within 45 days of CFIUS’s review and acceptance of the notice), it is possible that at least some substantive feedback may be received more quickly via a declaration—although should there be any substantive issue at all, starting with a declaration rather than a filing may delay the overall process.  For transactions subject to mandatory filing, the parties may close 30 days after the submission of either a declaration or a full notice.

Miscellaneous Changes

The Final Regulations implement a number of additional procedural changes:

The “completion date” of a transaction is defined as “the earliest date upon which any ownership interest, including a contingent equity interest, is conveyed, assigned, delivered, or otherwise transferred, or a change in rights that could result in a covered transaction or covered investment occurs.”  It has been increasingly common in recent years, and especially after the adoption of FIRRMA, for parties to close an investment prior to the completion of CFIUS review, with the acquisition of governance rights contingent upon CFIUS approval.  Because the “completion date” is defined as the first date upon which any equity interest, including a contingent interest, is transferred, it appears that this tactic may be restricted in transactions subject to mandatory notification, in which the parties must file at least 30 days before completion (or, in the event of a rejection or withdrawal of the declaration or filing, cannot close earlier than 30 days after resubmission).

The acquisition of a contingent equity interest (e.g., convertible preferred shares or an option to acquire additional shares) triggers the mandatory notification requirement and, while CFIUS has the discretion not to treat the acquisition of a contingent equity interest as an immediately effective covered transaction and has provided some guidance as to the factors that will be considered, the parties cannot be certain that the completion date will not be deemed to be the date of initial acquisition of the interest (and the penalty for failure to make a mandatory notification is up to the value of the transaction).  CFIUS has explicitly excluded secured loans from this analysis, although it remains unclear when a mandatory notification must be submitted in case of a likely default.  CFIUS has also provided a safe harbor for syndicated secured loans indicating that an acquisition upon default will not be deemed a covered transaction so long as any action by the syndicate with respect to the debtor requires a majority of U.S. participants or the financing documents exclude any foreign participation in control of the debtor and limit any access, rights, or other involvement related to the U.S. business that would constitute a “covered investment.”

In cases involving multiple acquisitions, the Final Regulations clarify that subsequent acquisitions of an additional interest in (or a change in rights in relation to) a U.S. business by a foreign company that has previously submitted a declaration or notification for its initial investment are subject to review (and any applicable mandatory notification requirements) unless CFIUS previously approved a transaction resulting in the acquisition of control.  To take an example from the Final Regulations, if Company A acquires a 5% non-controlling interest in Company B that includes rights triggering a mandatory declaration, even if CFIUS concludes action on the basis of that declaration, any subsequent covered investment by Company A in Company B remains subject to review.  Additionally, new examples clarify that changes in rights unaccompanied by additional investment may also be covered transactions subject to review.

The Final Regulations also clarify the timing of filings.  For full notifications, the Final Regulations clarify that CFIUS will return comments on a draft notification (or confirm that it is complete) within two weeks if the parties stipulate that the transaction is a “covered transaction” within CFIUS’s jurisdiction (and, if relevant, a foreign government-controlled transaction) and provide a basis for the stipulation.  As previously under FIRRMA, acceptance of a final filing following review begins the statutory review periods (45 days for a first-stage review, a further 45 days for a second-stage review, extendible by 15 days in extraordinary cases, and 15 days for presidential action, if any), and parties must respond to any question from CFIUS within 3 business days or risk having their filing rejected and the process restarted.  For the new short-form declarations, the review period is also 30 days and starts when the declaration is filed (but if the notice is rejected after filing, the 30-day period restarts), and the parties have only 2 business days to respond to any question.

Finally, the required content of CFIUS notifications has been expanded, particularly with respect to any TID U.S. Business included in the transaction and, regardless of whether the target includes a TID U.S. Business, detailed information on collection and use of personal data, including the scope and categories of any sensitive personal data of U.S. citizens collected.  Additionally, filings must now include a description of any U.S. products produced, designed, tested, manufactured, or developed by the U.S. business, including any relevant export classifications and an explanation of how the U.S. business determined those classifications.  Even though descriptions can be grouped by product category, this represents a substantial additional information burden.  Finally, consistent with CFIUS’s recent informal practice, parties must now provide expanded information on 5% or greater shareholders (by either vote or ownership) in the chain of ownership of the acquiror, which can be quite difficult to calculate in the case of preferred shareholdings (where the percentage of beneficial ownership often depends upon the total enterprise value of the company).

III. Conclusion

The Final Regulations provide clarity as to the post-FIRRMA procedural reforms to CFIUS reviews, and as a substantive matter the provisions of the Final Regulations dealing with critical infrastructure, real estate, and sensitive personal data provide insight into the Committee’s thought processes regarding national security.  While many acquirors well-advised by experienced counsel would have identified these issues previously, the combination of expanded mandatory filings and expanded review of non-notified transactions underscores CFIUS’s broad national security remit.  The work done to articulate areas of potential concern provides useful guidance to the investor community and perhaps even useful structure to CFIUS’s own analysis.

At the same time, the Final Regulations are drawn so as to avoid radical change, balancing investment security and maintaining a liberal foreign investment regime.  There is an inevitable tension between the traditional voluntary CFIUS regime, which favored flexible rules providing CFIUS with maximum discretion in reviewing transactions of concern, and the new mandatory regime, which necessarily requires clear rules if consequences are to be imposed for failure to file.  Perhaps not surprisingly, the general structure of the Final Regulations seeks to provide additional guidance to implement the mandatory provisions while maintaining CFIUS’s broader freedom of action on discretionary reviews.  On balance, the Final Regulations appear to have met Treasury’s goal of modernizing and strengthening CFIUS while providing a more “effective and efficient process.”[15]

CFIUS review is no longer a niche issue affecting only the defense industry and acquirors from hostile nations; it is a part of the M&A landscape for the foreseeable future.  The Final Regulations, broadly speaking, are an aid to navigating that landscape.


[1] 85 Fed. Reg. 3112 (Jan. 17, 2020); 85 Fed. Reg. 3158 (Jan. 17, 2020). The Final Regulations are available at:

[2] 84 Fed. Reg. 50174 (Sep. 24, 2019); 84 Fed. Reg. 50214 (Sep. 24, 2019).  See our summary at:

[3] 83 Fed. Reg. 51323 (Oct. 11, 2018).

[4] Specifically, “critical technologies” includes: (a) defense articles or defense services included on the United States Munitions List set forth in the International Traffic in Arms Regulations (ITAR) (22 C.F.R. parts 120-130); (b) items included on the Commerce Control List set forth in Supplement No. 1 to part 774 of the Export Administration Regulations (EAR) (15 C.F.R. parts 730-774) and controlled (1) pursuant to multilateral regimes, including for reasons relating to national security, chemical and biological weapons proliferation, nuclear nonproliferation, or missile technology; or (2) for reasons relating to regional stability or surreptitious listening; (c) specially designed and prepared nuclear equipment, parts and components, materials, software, and technology covered by 10 C.F.R. part 810 (relating to assistance to foreign atomic energy activities); (d) nuclear facilities, equipment, and material covered by 10 C.F.R. part 110 (relating to export and import of nuclear equipment and material); (e) select agents and toxins covered by 7 C.F.R. part 331, 9 C.F.R. part 121, or 42 C.F.R. part 73; and (f) emerging and foundational technologies controlled pursuant to section 1758 of the Export Control Reform Act of 2018.

[5] The Final Regulations define “investment fund” as any entity that is an “investment company,” as defined in section 3(a) of the Investment Company Act of 1940 (15 U.S.C. 80a-1 et seq.), or would be an “investment company” but for one or more of the exemptions provided in section 3(b) or 3(c) thereunder.

[6] To satisfy the passivity requirements, (a) any limited partner advisory committee (LPAC) or similar body may not control: (i) investment decisions of the investment fund, or (ii) decisions made by the general partner, managing member, or equivalent related to entities in which the investment fund is invested; and (b) no foreign investor may otherwise have the ability to control the investment fund, including the authority: (i) to approve, disapprove, or otherwise control investment decisions of the investment fund, (ii) to approve, disapprove, or otherwise control decisions made by the general partner, managing member, or equivalent related to entities in which the investment fund is invested, or (iii) to unilaterally dismiss, prevent the dismissal of, select, or determine the compensation of the general partner, managing member, or equivalent.  This list of prohibited rights is not exclusive and the definition of “control” is quite broad (including explicit or de facto blocking rights over significant decisions), but there is a short list of explicitly permissible minority protection rights (effectively, anti-dilution rights and the right to block dissolution, self-dealing, waivers of allocation limits, or alterations of the rights of a class of stock held by minority investors).

[7] Certified here indicates an air carrier holding a certificate issued under 49 U.S.C. § 41102.

[8] As defined in 49 U.S.C. § 40102(a)(2).

[9] “Unaffiliated” means that the “foreign person does not directly hold more than 50 percent of the outstanding voting interest or have the right to appoint more than half of the members of the board of directors or equivalent governing body.”

[10] See footnote 6.

[11] For purposes of calculating substantial interest, parent entities (holding more than half by vote or value, or general partner equivalent) are attributed 100% of interest held by their subsidiaries, and a pro rata interest held by any non-subsidiaries.  To illustrate, a 49.99% interest in a 60% shareholder of Company A is a 29.99% interest in Company A, whereas a 50.01% interest in a 60% shareholder of Company A is a 60% interest in Company A.

[12] “Material non-public technical information” is defined as information that “provides knowledge, know-how, or understanding, in each case not available in the public domain, of the design, location, or operation of covered investment critical infrastructure, including vulnerability information such as that related to physical security or cybersecurity” or “is not available in the public domain and is necessary to design, fabricate, develop, test, produce, or manufacture a critical technology, including processes, techniques, or methods.”

[13] Transactions involving real estate that also involve the acquisition of entities involved in interstate commerce or the acquisition of assets that could be operated as a business are reviewable for security issues under the Final Regulations’ non-real estate provisions.

[14] See U.S. Census Bureau, 2010 Census Summary File 1, available at:

[15] See U.S. Department of the Treasury, Fact Sheet: Final CFIUS Regulations Implementing FIRRMA (January 2020), available at:

This post comes to us from Cleary Gottlieb Steen & Hamilton LLP. It is based on the firm’s memorandum, “CFIUS Releases Final FIRRMA Regulations,” dated January 22, 2020, and available here.