Gibson Dunn Discusses CFIUS Reform and Final FIRRMA Rules

On February 13, 2020, final regulations went into effect to expand the scope of inbound foreign investment subject to review by the Committee on Foreign Investment in the United States (“CFIUS” or the “Committee”).

CFIUS is an inter-agency federal government group authorized to review the national security implications associated with foreign acquisitions of or investments in U.S. businesses and to block transactions or impose measures to mitigate any threats to U.S. national security. Until last year, the Committee’s jurisdiction was limited to transactions that could result in the control of a U.S. business by a foreign person. As we described here, the 2018 Foreign Investment Risk Review and Modernization Act (“FIRRMA”) expanded the scope of transactions subject to the Committee’s review to include certain non-controlling but non-passive foreign investments in U.S. businesses involved in critical technologies, critical infrastructure, or sensitive personal data of U.S. citizens (abbreviated as “TID” businesses for technology, investment, and data) as well as real estate transactions—including leases, sales, and concessions—involving air or maritime ports or in close proximity to sensitive U.S. government facilities.[1] Many of the critical issues set forth in FIRRMA were clarified by proposed regulations published by the U.S. Department of the Treasury on September 17, 2019, described here, and further refined in the final regulations published on January 13, 2020.

In a city that is rarely praised for efficiency or collaboration, the deliberative process that shaped these new rules merits some discussion. At the earliest stages of the legislative process, proposed CFIUS reform bills would have required scrutiny of innumerable transactions with no ostensible national security risk—including passive foreign investments through investment funds in ostensibly low risk industries and joint ventures with a foreign company partner. After months of negotiations, the House and Senate agreed upon legislation that expanded the scope of transactions subject to the Committee’s review, but punted key details to subsequent implementing regulations. Since proposing such regulations last year, the Committee sought and reviewed numerous written comments and requests for clarifications regarding the regulations in a transparent and public process. The final regulations reflect several changes made in response to such feedback, as well as lessons learned during the pilot program for mandatory filings involving certain types of critical technologies (the “Pilot Program”). The result is a smarter set of regulations designed to target real risks, as well as commentary that reflects the effort being made by the intelligence community to assess and adapt to increasingly complex investment structures.

Our top ten observations regarding these new regulations are set forth below.

1. Mandatory Filings for Critical Technology U.S. Business Transactions

The final regulations retain—with relatively minor changes—the Pilot Program’s mandatory filing requirement for certain transactions involving investments by foreign persons in U.S. businesses that deal in one or more “critical technologies.” The Pilot Program had served for the last year as a laboratory for the Committee to test out certain aspects of its newly expanded authorities—including mandatory pre-transaction filings for transactions involving critical technology U.S. businesses. These high-risk technologies include items subject to existing U.S. export controls, including emerging and foundational technologies to be identified pursuant to the Export Control Reform Act of 2018 (“ECRA”).

Under the new rules, transactions triggering mandatory CFIUS review will continue to include any investment by which a foreign person acquires material nonpublic technical information about the target critical technology U.S. business, membership or observer rights on the target’s board, or the right to participate in substantive decision-making, as well as transactions in which foreign persons acquire control of a critical technology U.S. business. Such businesses include those companies that produce, design, test, manufacture, fabricate, or develop certain items subject to the Export Administration Regulations (“EAR”), defense articles or defense services subject to the International Traffic in Arms Regulations (“ITAR”), “emerging and foundational technologies” that are to be identified through an interagency process chaired by the Department of Commerce going forward, as well as items subject to several other U.S. export control regimes.

To trigger the mandatory filing requirement under current regulations, the critical technology U.S. business in which the foreign person plans to invest must also operate in one of 27 high-risk industries identified by their five-digit North American Industry Classification System (“NAICS”) codes in Appendix B to Part 800.  Notably, the Pilot Program illustrated that there is no definitive means for establishing the NAICS code applicable to a particular U.S. business, that a company’s “primary” NAICS code—which CFIUS often requests—may not capture the full scope of its business operations, and that companies also often have limited experience with evaluating the applicable NAICS codes or establishing a process for doing so.  Rather than depend on this uncertain, unfamiliar metric for determining its jurisdiction, the Committee has indicated that it will eventually propose a new rule to replace the use of NAICS codes with a requirement based on export control licensing requirements.  This change will likely make jurisdictional determinations more efficient and certain.  The jurisdictional assessment for critical technology transactions already requires an evaluation of the target’s exposure to U.S. export controls.  Additionally, determining export controls classifications and applicable license requirements is a common component of compliance for many companies dealing in critical technologies.

Forthcoming Commerce Department regulations to implement ECRA’s mandate will further clarify the range of companies that will be impacted by the Committee’s jurisdiction over critical technology business transactions.  Under the Pilot Program and continuing under the new CFIUS regulations, “critical technologies” include items to be controlled as “emerging and foundational technologies” under new regulations the Commerce Department is required to promulgate.  Observers have been expecting new regulations on emerging technologies—which will purportedly include new controls on particular kinds of artificial intelligence and quantum computing technology, among several other areas of emerging technology—to be published for months.  (The Commerce Department has yet to publish a companion Advanced Notice of Proposed Rulemaking to solicit input on how to define and identify foundational technologies.)  Commerce Department officials have repeatedly stated that publication of the new rules and controls on emerging technologies is imminent, but deliberations within the Trump administration appear to be delaying their publication.  Depending on the schedule for publishing these rules and how the Commerce Department follows through on ECRA’s expressed preference for building international support to impose multilateral controls on specific technologies, it could be many months or even years before any specific definitions of emerging or foundational technologies are adopted.

For transactions subject to the CFIUS mandatory filing requirement, parties will continue to have the option of either filing a short-form declaration available on the Committee’s website or filing a full-length notice. In many cases, given the close scrutiny to which transactions involving critical technologies have recently been subject, a full-length notice may be advisable in order to reduce the total amount of time required for the Committee to complete its review, as described further below.

2. Mandatory Filings for Substantial Foreign Government Investments

In addition to the mandatory filing requirement for non-passive, non-controlling investments in a U.S. business dealing in critical technologies in connection with certain high-risk industries, filings are now also required for all transactions by which a foreign government obtains a “substantial interest” in a TID U.S. business.  Specifically, a CFIUS filing is now required when a foreign government holds a 49 percent or greater voting interest in a foreign person that would obtain a 25 percent or greater voting interest in the target U.S. business.  In the case of an entity with a general partner, managing member, or equivalent, the Committee will consider a foreign government to have a “substantial interest” if the foreign government holds 49 percent or more of the interest in the general partner, managing member, or equivalent.  The new regulations further clarify that a “substantial interest” applies to a single foreign government, including both national and subnational governments, and their respective departments, agencies, and instrumentalities.  In this regard, the Committee does not aggregate foreign governments’ interests when determining whether they are “substantial.”

3. New Exceptions to Mandatory Filings Requirements

In response to public comments, the final CFIUS regulations incorporate several new exceptions to mandatory filing requirements:

  • Foreign Ownership, Control, or Influence (“FOCI”) Mitigated Entities. The final CFIUS regulations incorporate an exception for investments by foreign investors operating under a valid facility security clearance and subject to an agreement to mitigate FOCI pursuant to the National Industrial Security Program regulations. Such FOCI mitigation agreements require the foreign entity holding a facility security clearance to implement an action plan to mitigate the security risk that the foreign ownership, control, or influence poses.
  • Exception for Investments Involving License Exception ENC. The regulations include a narrow exception for foreign investments in a U.S. business that would otherwise trigger a mandatory filing solely because the business produces, designs, tests, manufactures, fabricates, or develops one or more critical technologies that are eligible for License Exception ENC under the EAR, which authorizes the export of encryption commodities, software, and technology without a specific government-issued license. Helpfully, this exception will apply to many software and technology companies that include different kinds of encryption functionality in their products.

As described further below, the final CFIUS regulations retain exceptions from the mandatory filing requirement for passive and indirect foreign investment made through investment funds, as well as covered investments by certain “excepted” investors from exempted foreign states.

4. Declarations for All Transactions—Still No Filing Fees

In order to help CFIUS and the regulated public manage the burden of CFIUS’s expanded remit, FIRRMA provided a new short-form filing—the “declaration.” These declarations are built from a standard five-page form, available on CFIUS’s website. They require similar, but less extensive, information about the proposed transaction than the standard notice and are subject to an abbreviated 30-day review period.

Over the last year, CFIUS has test-driven this new filing tool in its Pilot Program. Parties to a Pilot Program covered transaction—including covered investments in and acquisitions of critical technology U.S. businesses—were required to file with the Committee in advance of closing the transaction and could choose to submit either a short-form declaration or the traditional long-format notice. But the Pilot Program proved a poor testing ground for the new tool. Perhaps because of the national security concerns inherent in Pilot Program covered transactions—which dealt exclusively with companies handling export controlled technology for sensitive industries—or because of the Committee’s expanded case load, CFIUS was frequently unable to clear declaration cases within the shortened 30-day review period. As a result, CFIUS would often request parties subsequently file a notice—increasing the amount of work required of the parties and dramatically extending the total CFIUS review timeline. By some estimates, only 10 percent of cases filed with CFIUS using the new short-form declaration were cleared in the shortened review period.

Now the declaration is getting a wider release. Under the new regulations, parties to any transaction subject to CFIUS review are permitted to submit a short-form declaration as an alternative to the lengthier voluntary notice procedure that is subject to an expedited review process. The declaration may become more useful as parties to relatively low-risk transactions can now opt for the short-form filing and shorter review timeline. The Committee itself has cautioned that parties should consider the likelihood that CFIUS will be able to conclude action in the 30 days allotted for reviewing a declaration when determining which format to file, suggesting that the long-form notice may be more appropriate for more complex transactions bearing indicia of national security risk. Interestingly, neither submission format is yet subject to a filing fee, although fees will likely be proposed pursuant to forthcoming regulations.

5. Preliminary List of Excepted Foreign States

The new CFIUS regulations create an exception from certain real estate transactions and non-controlling TID investments (but not transactions that could result in control) for investors based on their ties to certain countries identified as “excepted foreign states,” and their compliance with certain laws, orders, and regulations (including U.S. sanctions and export controls).[2] Although CFIUS initially suggested that it would be several years before such excepted foreign states were named, the Committee’s final regulations defied observers’ expectations by exempting investors from three named countries—Australia, Canada, and the United Kingdom—from CFIUS scrutiny in certain circumstances. Although the timing of the announcement surprised observers, the countries it selected were of no surprise. Australia, Canada, and the United Kingdom are all members of the multilateral UKUSA Agreement under which the so-called “Five Eyes”—the United States, Australia, Canada, New Zealand, and the United Kingdom—share intelligence data. According to the Committee these countries were selected due to aspects of their robust intelligence-sharing and defense industrial base integration mechanisms with the United States.

A country’s status as an excepted foreign state is conditioned upon the implementation of their own process to analyze foreign investments for national security risks and to facilitate coordination with the United States on matters relating to investment security, by February 13, 2022. This two-year grace period will provide the Committee with time to develop processes and procedures to determine whether the standard has been met with respect to other jurisdictions. Although the Committee indicated that it takes no current position as to whether these foreign states currently meet the review process requirement, all three named countries either have or are formalizing investment review processes.

Although CFIUS could expand the list of “excepted foreign states” in advance of 2022, few other allies are as closely interwoven with the United States as Australia, Canada or the United Kingdom.  Moreover, the new regulations eliminate language in the proposed rules that would have allowed an eligible country to be selected with a consensus of two-thirds of CFIUS’s voting members.  As a result, selection of an additional eligible country likely would require consensus among the entire Committee.  Furthermore, the final regulations warn that an expansive application carries potentially significant implications for the national security of the United States, suggesting that a “go-slow” approach to expanding the list of excepted foreign states is likely to prevail.

6. Clarifying the Excepted Investor Provision

The excepted investor provision was designed to accommodate increasingly complex ownership structures in the application of the Committee’s jurisdiction, and generally exempts persons, governments, and entities from excepted foreign states from certain types of CFIUS scrutiny. As mandated by FIRRMA, this exception was intended to limit the expansion of CFIUS jurisdiction. Notably, the final regulations revised the earlier proposed definition of excepted investor in response to numerous comments which suggested relaxing the criteria with respect to the nationality of board members and observers, the percentage ownership limits for individual investors, and the minimum excepted ownership.

The final regulations indicate that a foreign entity will qualify as an excepted investor if it meets each of the following conditions with respect to itself and each of its parents: (i) such entity must be organized under the laws of an excepted foreign state or the United States, (ii) such entity must have its principal place of business in an excepted foreign state or the United States, (iii) 75 percent or more of the members and 75 percent or more of the observers of the board of directors or the equivalent governing body of such entity are U.S. nationals or nationals of one or more excepted foreign states who are not also nationals of any non-excepted foreign state, (iv) any foreign person that individually, and each foreign person that is part of a group of foreign persons that in the aggregate holds 10 percent or more of the outstanding voting interest of such entity (or otherwise could control such entity) is a foreign national of one or more excepted foreign states who is not also a national of any non-excepted foreign state; a foreign government of an excepted foreign state; a foreign entity that is organized under the laws of an excepted foreign state and has its principal place of business in an excepted foreign state or in the United States; and (v) the minimum excepted ownership of such entity is held, individually or in the aggregate, by one or more persons each of whom is (A) not a foreign person; (B) a foreign national who is a national of one or more excepted foreign states and is not also a national of any foreign state that is not an excepted foreign state; (C) a foreign government of an excepted foreign state; or (D) a foreign entity that is organized under the laws of an excepted foreign state and has its principal place of business in an excepted foreign state or in the United States.

The final rules increased the number of foreign nationals that may be on an excepted company’s board, raised the percentage ownership limit for individual investors in an excepted investor entity, and allow investors to have more foreign ownership than under the earlier proposed rules and still qualify for excepted status. However, the exception remains significantly cabined by the multiple layers of criteria it includes, and it remains possible for investors to lose excepted investor status and for their investments to become subject to CFIUS review. Additionally, CFIUS rejected commenters’ requests for a separate exception for “repeat customers” of the Committee who have previously or routinely obtained clearance and remain in good stead.

Notably, an investor’s nationality is not dispositive—the regulations identify additional criteria that a foreign person must meet in order to qualify for excepted investor status. Among these, investors cannot qualify for and may lose their excepted status if they are parties to settlement agreements with the U.S. Department of the Treasury’s Office of Foreign Assets Control (“OFAC”) or the U.S. Department of Commerce Bureau of Industry and Security (“BIS”), or are debarred by the U.S. Department of State, for sanctions or export control violations.

7. Investment Fund Carve-Out

The new rules also place limitations on the Committee’s jurisdiction with respect to passive and indirect foreign investments made through investment funds in TID U.S. businesses. An indirect investment by a foreign person in a TID U.S. business through an investment fund that affords the foreign person membership as a limited partner on an advisory board of the fund will not be considered a covered investment if certain conditions are met. First, the fund must be managed exclusively by a general partner or equivalent that is not a foreign person. Further, the advisory board membership must not afford the foreign person the ability to control the fund, participate in substantive decision-making regarding the fund, or access material nonpublic technical information. In its discussion of the new regulations, CFIUS also makes clear that this exception is limited and is not intended to create a presumption that any indirect investment by a foreign person in a TID U.S. business through an investment fund is a covered transaction if these criteria are not met. Instead, TID business investments will need to be analyzed on a case-by-case basis.

In the preamble to the new regulations, CFIUS indicated that numerous commenters requested further clarification regarding the scope of the investment carve-out, recommending revisions to the definition of “foreign entity” to focus on control by foreign persons and requesting additional examples of the types of limited partner rights that would not give rise to control. Citing the limitations of its authority under FIRRMA, the Committee declined to make most of these suggestions, opting instead to set forth a new interim rule defining “principal place of business” for CFIUS purposes, a measure that will address investment funds managed and controlled by U.S. persons in the United States, among other issues. The Committee did not adopt suggestions to apply the minimum excepted ownership criteria only to the general partner in a fund setting, noting that investment fund structures can vary significantly and limited partners may have significant rights vis-à-vis their investment interests.

As described further below, the new regulations provide an exemption to the mandatory filing requirement for investment funds controlled and managed by U.S. nationals. The regulations clarify, however, that a limited partner in a fund could have a filing obligation separate and apart from that of the fund. If a limited partner, for example, is granted control rights or access to material nonpublic technical information of a TID U.S. business, the limited partner may be subject to its own mandatory filing even if the fund itself is not.

8. New Principal Place of Business Interim Rule

In response to public comments seeking greater clarity about which entities are subject to CFIUS jurisdiction (including the aforementioned investment fund carve-out), the Treasury Department in January 2020 issued an interim rule defining an entity’s principal place of business as “the primary location where an entity’s management directs, controls, or coordinates the entity’s activities, or, in the case of an investment fund, where the fund’s activities and investments are primarily directed, controlled, or coordinated by or on behalf of the general partner, managing member, or equivalent.” Until now, the term principal place of business—which bears on whether an entity is “foreign” and thus subject to CFIUS jurisdiction—was undefined. The new definition, proposed in January 2020, was subject to a 30-day public comment period that ended on February 18, 2020.

That definition broadly tracks the test used by U.S. federal courts for determining diversity jurisdiction, in which the court looks to where the corporate “nerve center” is located. The definition of principal place of business also includes a special rule designed to ensure “consistent treatment of an entity’s principal place of business in accordance with its own assertions to government entities, provided the facts have not changed since those assertions.” The new CFIUS definition of principal place of business therefore contains a second prong which provides that if an entity has represented to a U.S. federal, state, local or foreign government in its most recent submission or filing with that authority that its principal place of business is outside the United States, then that location will be deemed the entity’s principal place of business unless the entity can show that such location has since changed to the United States. From a policy standpoint, this carve-out appears designed to prevent entities from having their cake and eating it too—for example, by claiming to be based overseas for tax purposes, while also claiming to be U.S.-based for CFIUS purposes. This is an important clarification for foreign incorporated companies traded on U.S. exchanges, as the Committee continues to assert that U.S. shareholder addresses do not necessarily demonstrate that the owners of stock are U.S. nationals.

The final FIRRMA regulations were modified in several significant ways in response to comments that were received during the last comment period, and we expect a similarly robust dialogue between the Committee and the business community regarding this new proposed definition.

9. Personal Data Collections

The new rules also extended CFIUS jurisdiction to include review of certain investments in U.S. businesses that maintain or collect certain categories and quantities of sensitive data that may be exploited in a manner that threatens national security. This new category of jurisdiction covers U.S. businesses that (i) target or tailor products or services to sensitive populations, including U.S. military members and employees of federal agencies involved in national security; (ii) collect or maintain sensitive personal data on at least one million individuals; or (iii) have a “demonstrated business objective” to maintain or collect such data on greater than one million individuals with such data representing an integrated part of a U.S. business’s primary products or services. “Sensitive personal data” can include, among other types, financial data, geolocation data, U.S. government personnel clearance data, or biometric information that is maintained or collected by U.S. businesses described in (i)-(iii), above. Information derived from the results of genetic testing is considered “sensitive personal data” regardless of whether the business holding it is also described in (i)-(iii), above. Investments that provide a foreign person with certain information or governance rights with respect to such sensitive data U.S. businesses now trigger CFIUS jurisdiction.

In its final rules, the Treasury Department made few changes to this expanded jurisdiction in response to comments it received. Some commenters had expressed concern that the scope of information CFIUS considered to be sensitive personal data was too broad and would exceed what is necessary to protect national security. CFIUS refined the rule to clarify that data collected by U.S. businesses on their own employees, with certain exceptions for federal employees and contractors, and data that is a matter of public record does not qualify for CFIUS review. A further clarification was made to narrow the scope of financial data covered by CFIUS to include only data that could be used to determine an individual’s financial distress or hardship.

There is still significant uncertainty regarding CFIUS’s potential use of this new rule, and it will likely be some time before its scope is fully understood. However, given the central and often commonplace role that data collection plays in many of today’s businesses, its application could be quite broad. What is clear from the promulgation of these new regulations is that any company with even moderate data collection practices will have to consider the potential impact of CFIUS on covered transactions. The threshold of collection or maintenance of data on at least one million individuals, or the demonstrated business objective to do so, is unlikely to provide a meaningful barrier to CFIUS review in many situations.

There are some initial indications that CFIUS will broadly interpret its jurisdiction over transactions involving sensitive personal data in a way that could affect many companies that may be unaccustomed to the challenges of navigating U.S. trade controls. For example, in March 2019, the Committee ordered Beijing Kunlun Tech Co. Ltd. (“Kunlun”) to sell its interest in Grindr LLC, a popular dating application focused on the LGBTQ community. Kunlun, a Chinese technology firm, acquired an approximately 60 percent interest in Grindr in January 2015 and subsequently completed a full buyout of the company in January 2018. Although CFIUS did not comment publicly, observers have speculated that the action was prompted over the Chinese firm’s access to sensitive personal data from Grindr users—such as location, sexual preferences, HIV status, and messages exchanged via the app. The Committee similarly intervened with Shenzhen-based iCarbonX after it acquired a majority stake in PatientsLikeMe, an online service that helps patients find people with similar health conditions within a user-base of around 700,000 people. As these cases suggest, CFIUS’s new jurisdiction over sensitive data U.S. businesses could affect a wide range of technology companies and service providers that have not typically been subject to CFIUS review or particularly burdensome U.S. export controls and may not be adequately prepared for such scrutiny.

10. Real Estate Transactions

As expected, the newly promulgated rules also expand CFIUS jurisdiction into new territory, including real estate transactions. Specifically, the Committee now has jurisdiction over the purchase or lease by, or concessions to, a foreign person of U.S. real estate that is within a defined range of certain airports, maritime ports, U.S. military installations, and other sensitive government sites listed in Appendix A to Part 802.

In a departure from CFIUS jurisdiction under prior rules, the Committee has jurisdiction to review real estate transactions even when the transaction does not involve a “U.S. business.” Importantly, however, even if the real estate at issue is not covered under the Committee’s expanded jurisdiction or if the foreign person did not acquire sufficient property rights as described below, CFIUS could still have jurisdiction over the transaction if it involves the transfer of control over (or a qualifying investment in) a U.S. business.

Covered real estate transactions include property associated with maritime ports and major domestic airports, and property located within “close proximity” or the “extended range” of certain military installations and other sensitive government sites identified in an appendix to the regulations. “Close proximity” is defined as property within one mile of the boundary of such facilities; whereas “extended range” is generally defined as property within 99 miles of identified government locations. CFIUS anticipates making a web-based tool available to help the public understand the geographic coverage of the new rule.

Additional limitations narrow the scope of what real estate transactions are covered. For example, a foreign person must acquire specified property rights in “covered real estate” to trigger CFIUS scrutiny—namely, the foreign person must be afforded as a result of the transaction three or more of the following property rights: (i) to physically access; (ii) to exclude; (iii) to improve or develop; or (iv) to affix structures or objects. The regulations leave undefined lesser rights. Importantly, the right or ability to determine the type of development to occur on the property, or to participate in decisions regarding tenants or leases, or to monitor the property likely would not trigger CFIUS jurisdiction.

Furthermore, specific exceptions apply to certain properties in urban areas. Real estate in “urbanized areas” and “urban clusters” as defined by the Census Bureau in the most recent U.S. census are excluded from the Committee’s real estate jurisdiction. Urban clusters are those territories with between 2,500 and 50,000 individuals whereas urbanized areas are those with more than 50,000 people. The urbanized area exclusion applies to covered real estate everywhere except where it is in “close proximity” to a military installation or sensitive U.S. government facility or where it will function as part of an airport or maritime port. Real estate transactions regarding single housing units and certain commercial office space are also excepted under the new rules.


If past is prologue, the Committee’s enforcement efforts in the coming months will highlight the types of risks that these new regulations are designed to target. In 2019, CFIUS forced several foreign companies to divest from U.S. businesses involved in the collection of sensitive personal data or cybersecurity, two issues likely to remain in the Committee’s crosshairs. Buoyed by new funding and personnel, we expect the Committee to proactively monitor the market for similarly high-risk transactions in the coming year.


1. FIRRMA was incorporated into the John S. McCain National Defense Authorization Act for Fiscal Year 2019, which was signed into law by President Trump on August 13, 2018.

2. §800.219 (excepted foreign state); §800.220 (excepted investor); §802.215 (excepted real estate foreign state); §802.216 (excepted real estate investor).

This post comes to us from Gibson, Dunn & Crutcher LLP. It is based on the firm’s memorandum, “CFIUS Reform: Top Ten Takeaways from the Final FIRRMA Rules,” dated February 19, 2020, and available here.