Introduction
On January 13, 2020, the Office of Investment Security of the U.S. Department of the Treasury issued two final regulations to fully implement certain provisions of the Foreign Investment Risk Review Modernization Act of 2018 (“FIRRMA”). FIRRMA was enacted to expand the jurisdiction of the Committee on Foreign Investment in the United States (“CFIUS” or “Committee”) and modernize its procedures and was the most significant reform legislation affecting the CFIUS review process in more than a decade. With the passage of FIRRMA, the definition of “covered transaction” was expanded to include non-controlling “other investments” in U.S. businesses involving critical technologies, critical infrastructure, or sensitive personal data on U.S. citizens. Additionally, FIRRMA brought transactions involving real estate (but no U.S. business) in close physical proximity to sensitive U.S. government or military facilities and other locations within CFIUS’s jurisdiction.
CFIUS previously published proposed regulations in September 2019, but those rules remained subject to public comment and additional revisions. CFIUS responded to the public comments on the proposed regulations and made certain changes and revisions, some of which are significant, as described in greater detail below. The final regulations largely maintain the original construct and key aspects of the earlier proposed regulations. In particular, the regulations continue to expand the Committee’s jurisdiction to review non-controlling foreign investments in “TID” U.S. businesses—those that are involved in certain critical Technologies, critical Infrastructure, and sensitive personal Data. However, several updates incorporated by the Committee into the final regulations will have a marked impact on how these new jurisdictional authorities will apply to investors and transactions. The final regulations will become effective, in their current form, on February 13, 2020.
The most significant update include a new interim rule defining, for the first time, “principal place of business” for the purposes of determining whether an entity is a foreign entity under CFIUS’s jurisdiction. The final regulations also contemplate that the existing “Pilot Program” obligating mandatory declarations for certain investments in critical technology industries will remain until February 13, 2020, when the new regulations are effective. Importantly, CFIUS has advised that it anticipates a new round of rulemaking to amend the mandatory declaration requirement to focus on export control licensing requirements rather than particular industries.
While we expect the Committee to continue to refine its new jurisdictional authorities through incremental rulemakings in the future, the publication of these final regulations represents a major step towards fully implementing its expanded jurisdiction pursuant to FIRRMA, and will usher in a new era of governmental oversight of foreign investments in U.S. businesses.
Principal Place of Business
The most significant updates include a new interim rule defining, for the first time, “principal place of business” for the purposes of determining whether an entity is a foreign entity under CFIUS’s jurisdiction. According to this newly published definition, an entity’s principal place of business is initially determined as follows: “the primary location where an entity’s management directs, controls, or coordinates the entity’s activities, or, in the case of an investment fund, where the fund’s activities and investments are primarily directed, controlled, or coordinated by or on behalf of the general partner, managing member, or equivalent.” If an entity’s principal place of business would be the U.S. based upon this first part of the definition, however, the entity must then look to the second overriding part of the definition, which explains that the entity’s principal place of business will nevertheless be deemed to be the location that entity “has identified its principal place of business, principal office and place of business, address of principal executive offices, address of headquarters, or equivalent” in its most recent submission or filing to any U.S. or foreign government.
The most direct implication of this new definition is that any entity that identifies its principal place of business as outside the U.S. for taxation purposes, will be considered to have its principal place of business in that foreign jurisdiction for purposes of CFIUS jurisdiction. This definition will be effective on February 13, 2020, but this definition is also subject to a 30-day public comment period that started immediately upon publication of the final rules on January 13, 2020.
Non-Controlling Investments in a “TID” U.S. Business
Pursuant to the authorizations set forth in FIRRMA, the final regulations expand CFIUS jurisdiction to include certain non-controlling “covered investments” by foreign persons in U.S. businesses that are involved in critical Technologies, critical Infrastructure, and sensitive personal Data, referred to in the regulations by the new defined term “TID U.S. business.”[1] Under FIRRMA, a non-controlling “covered investment” is any investment that permits a foreign person to appoint a director or observer, to access material non-public technical information of the target, or to be involved (indeed even consulted) regarding the target’s substantive decision making. Filings with respect to “covered investments” will still be voluntary unless the transaction is subject to the mandatory declaration requirement either because it involves a critical technology company or because, as discussed below, it involves the acquisition by a foreign government owned or controlled investor of a “substantial interest” in a TID U.S. business.
A TID U.S. business is one that falls within one or more of the following categories:
- Critical Technology: The U.S. business produces, designs, tests, manufactures, fabricates, or develops one or more critical technologies. The regulations define critical technologies to include those that are controlled by the International Traffic in Arms Regulations, certain items controlled on the Commerce Control List of the Export Administration Regulations, nuclear-related controls administered by the Nuclear Regulatory Commission and Department of Energy, select agents and toxins, and emerging and foundational technologies controlled pursuant to the Export Control Reform Act of 2018. Emerging and foundational technologies is a term that will be defined by a separate rulemaking process undertaken by the U.S. Department of Commerce Bureau of Industry and Security.
The scope of the definition for Critical Technologies is not surprising—it tracks the definition used in both FIRRMA as well as the Pilot Program enacted in 2018. This list of products is particularly broad, and any items or technologies that are the subject of any meaningful export controls are usually covered as a Critical Technology. S. companies are in practice often surprised that items they consider ordinary course products are in fact considered a critical technology under the applicable regulations.
- Critical Infrastructure: This is a U.S. business that performs certain functions with respect to critical infrastructure. Critical infrastructure is defined to mean systems and assets, whether physical or virtual, so vital to the U.S. that the incapacity or destruction of such systems or assets would have a debilitating impact on national security—a definition that was previously set forth under FIRRMA. However, the regulations also offer a great deal of granularity on the types of assets that will trigger the Committee’s expanded jurisdiction over non-controlling “covered investments” in critical infrastructure businesses through an Appendix that lists a variety of specific infrastructure assets considered critical, as well as the particular functions for each type of asset that will cause it to be identified as a TID U.S. business. The list of infrastructure assets includes certain internet protocol networks, internet exchange points, submarine cable systems, electric generation and transmission assets, oil refineries and pipelines, LNG terminals, exchanges registered under the Securities Exchange Act, air and maritime ports, and public water systems, among many others. The complete Appendix of critical infrastructure assets and corresponding functions that trigger jurisdiction is reproduced in an Appendix to this report. While the list of critical infrastructure is very broad, the final regulations make clear that this list is the product of extensive consultation with experts from CFIUS member agencies. Furthermore, the specificity provided by the Committee is welcome news—particularly given the FIRMMA requirement of mandatory declarations by foreign government investors acquiring a “substantial interest” in a TID U.S. business.
- Sensitive Personal Data: The U.S. business maintains or collects, directly or indirectly, sensitive personal data of U.S. citizens that could be exploited in a manner threating U.S. national security. Because most U.S. businesses collect and store some personal data of U.S. citizens, the drafters of the regulations have sought to limit the definition of Sensitive Personal Data. It is “identifiable” data (that is, data that can be used to distinguish or trace an individual’s identity) that is “genetic information” or data maintained or collected by a U.S. business that (i) targets or tailors products or services to certain national security-focused agencies or military departments of the U.S. government, (ii) maintains or collects data on greater than one million individuals in the past twelve months, or (iii) has a demonstrated business objective of maintaining or collecting such data on greater than one million individuals and such data is an integrated part of the U.S. business’s primary products or services.
As to such U.S. businesses, the definition of Sensitive Personal Data requires that it fall within one of several categories of data such as data that “could be used to analyze or determine an individual’s financial distress or hardship,” data contained in an application for health, long-term care, life, mortgage or professional liability insurance, non-public electronic communications (such as email, messaging or chat communications) between or among users of a U.S. business’s products or services (think “WhatsApp”), geolocation data, biometric enrollment data, data stored and processed for generating a state or federal government identification card, non-public electronic communications, geolocation data, and biometric enrollment data, among others. The definition would carve out publicly available data as well as data on the employees of the U.S. business unless it pertained to employees of U.S. government contractors who hold personal security clearances. Again, the effort by the Committee to provide some parameters and limitations around the data to be protected from a national security standpoint is to be welcomed and appears intended to ward off the possibility of a large number of filings on investments in retail and other businesses that do not present material national security concerns.
Mandatory Declaration Requirements
As noted above, CFIUS previously implemented a Pilot Program that calls for mandatory filings for investments involving certain U.S. business engaged in activities that pertain to critical technologies. Upon taking effect on February 13, 2020, the regulations will expand on the universe of circumstances under which mandatory declarations are required. In particular, a covered transaction that involves the acquisition of a “substantial interest” in a TID U.S. business by a foreign person in which a foreign government (other than an excepted foreign state) has a “substantial interest” must be notified to the Committee either through a short-form declaration or a standard voluntary notice. The definition of “substantial interest” depends on the context as follows:
- A foreign person’s “substantial interest” in a TID U.S. business means a voting interest (whether direct or indirect) of 25% or more
- A foreign government’s (excluding the government of an excepted foreign state) “substantial interest” in a foreign person investing in a TID U.S. business means a voting interest (whether direct or indirect) of 49% or more. This 49 percent ownership interest refers to interests in the general partner or equivalent only, and disregards limited partner interests.
As with the carve out for the jurisdictional scope of non-controlling covered investments, transactions involving certain passive limited partner investments through an investment fund controlled by U.S. nationals are similarly exempted from the mandatory declaration requirements.
Failure to abide by the mandatory declaration requirements can be costly, and can result in civil penalties of up to $250,000 or the value of the transaction, whichever is greater.
Exceptions: Certain Passive Investments and Carve Out for U.S. Person Managed Investment Funds
Not all investments in TID U.S. businesses by foreign persons are necessarily subject to CFIUS jurisdiction. As noted, to be a non-controlling “covered investment,” the transaction must afford the foreign person access to material nonpublic technical information in the possession of the TID U.S. business; membership or observer rights on the board of directors; or certain other rights to be involved in the substantive decision making process of the TID U.S. business. The limitations in the regulations generally track the contours of what was established previously in the FIRRMA legislation although the Committee has clearly defined “involvement” in decision making to include not only consent rights but also consultation rights.
Another key feature from FIRRMA that has been reproduced in the regulations relates to U.S. person managed and controlled investment firms, including private equity firms, which secured a significant carve out from the expanded jurisdiction during the passing of the FIRRMA legislation. The regulations track the carve out set forth in FIRRMA, and generally exempt U.S. national managed investment funds from the expanded authority over covered investments in TID U.S. businesses. On the other hand, foreign person controlled investment funds will be subject to the Committee’s expanded jurisdiction over such investments and will need to assess the advisability of voluntary filings.
Exceptions: Excepted Investors From Specified Countries
One of the widely-anticipated provisions in the regulations relates to certain exemptions from the new jurisdictional authorities for foreign investors from close U.S. allies, colloquially referred to by CFIUS as a “white list” of exempted countries. The regulations currently designate Australia, Canada and the U.K. as excepted foreign states, and according to the regulations, it appears as though this list will not change until at least February 2022.
CFIUS explained in its overview of the final regulations that these three countries were selected due to “their robust intelligence-sharing and defense industrial base integration mechanisms with the United States.” The final regulations reiterate that the Committee purposefully selected a small number of eligible foreign states because of the potentially significant effect of this definition on the national security of the U.S.
Specifically, under the regulations, foreign persons from designated excepted foreign states may be excepted from the scope of the new jurisdictional authorities relating to TID U.S. businesses and covered real estate transactions. Excepted investors include foreign nationals, governments, and certain entities of any country designated as an “excepted foreign state.” With some limitations, a foreign entity is considered a foreign national of a certain excepted foreign state if each of the following apply to it and each of its parent entities: (1) it is organized under the laws of an excepted foreign state, (2) it maintains its principal place of business in an excepted foreign state or the United States, (3) seventy-five percent or more of the members and seventy-five percent or more of the observers of the board of directors are either a U.S. national or a national of an excepted foreign state, (4) each foreign person that controls or holds ten percent or more of the outstanding voting or equity interests in the investor is a foreign national, government, or foreign entity of a foreign state, and (5) a “minimum excepted ownership” of the investor is held by U.S. nationals or persons, governments, or entities of excepted foreign states. Minimum excepted ownership is defined to mean a majority of any public company listed on an exchange in an excepted foreign state or the United States, or 80% of the voting or equity interests for any other entity not so listed on such an exchange.
Investors from an excepted foreign state are not automatically considered excepted investors. They must also be in good standing with the Committee and meet certain other requirements such as maintaining an absence of OFAC penalties, BIS violations, debarment actions and felony convictions within the five years prior to the completion date of the transaction.
Sensitive Real Estate
FIRRMA also expanded CFIUS’s jurisdiction to reach acquisitions and leaseholds by foreign persons of real estate in the United States if located in a port, or in “close proximity” to a U.S. military installation or other sensitive U.S. government facility, even if no U.S. business is conducted on the property in question.
To be a covered real estate transaction under the regulations, a foreign person must acquire at least three of the following four property rights: (1) physical access to the real estate; (2) ability to exclude others from physical access; (3) ability to improve or develop the real
estate; or (4) ability to attach fixed or immovable structures or objects to the real estate. A foreign person need not acquire the full ownership interests in the real estate in order for it to be covered if at least three of these property rights are acquired as part of the transaction.
The regulations also offer additional clarity on what real estate is covered by this jurisdictional authority, including surprisingly granular detail on facilities considered to be sensitive and an explanation of what is to be considered in “close proximity.” To be covered real estate, the property must be located: (1) within or function as an airport or maritime port, collectively referred to as a “covered port” in the regulations; (2) within one mile of 131 specified military and government installations; (3) within one hundred miles of 32 other specified military and government facilities identified in the regulations; (4) within any part of 23 specified coastal military installations to the extent located within the limits of the territorial sea of the U.S.; or (5) within 24 specific counties and other similar geographic areas that are near intercontinental ballistic missile sites of the U.S. Air Force. The regulations include a number of exemptions for certain transactions, including with some limitations, real estate in “urban clusters” or “urbanized areas,” housing units, retail establishments, certain commercial office space, and Native American and Alaskan lands.
Given the complexity of performing the searches required to complete this proximity analysis, the regulations contemplate the establishment of a tool administered by CFIUS that will assist in this process. The final regulations do not describe what this tool will look like, but the regulations do refer to currently available U.S. government resources with similar information such as TIGERweb maintained by the Department of Commerce with information about military installations, urbanized areas and urban clusters, as well as web-based resources provided by the National Oceanic and Atmospheric Administration and the Bureau of Ocean Energy Management with relevant geographic information.
Unlike transactions involving TID U.S. businesses, FIRRMA and the final regulations do not impose any form of mandatory filing requirements relating to covered real estate transactions. However, parties may elect to file a declaration with respect to a covered real estate transaction in lieu of a formal written notice if the parties determine that a filing is advisable.
Summary of Significant Changes in the Final Regulations
Arguably, the most significant change in the final regulations, is the inclusion of a new defined term for “principal place of business.” The new definition defines an entity’s principal place of business in certain instances to be the jurisdiction in which the entity has previously identified to other parts of the U.S. government or any foreign government its
principal place of business in other contexts, such as for tax purposes. This new definition could have a sweeping impact on investment funds and other entities that are registered in foreign jurisdictions such as the Cayman Islands for taxation purposes, but maintain their headquarters and management functions in the United States.
As explained above, the final regulations include Australia, Canada, and the U.K. on the initial list of excepted foreign states. These three states will be considered excepted foreign states as of February 13, 2020. CFIUS will then have two years to make a determination as to whether these states will remain excepted foreign states or if any other states will be added to the list of excepted foreign states. During this two-year period, CFIUS intends to develop processes and procedures for determining which foreign states to designate as excepted foreign states.
The final regulations integrate the same pilot program mandatory filing requirements with regard to certain U.S. businesses with a nexus to specific industries identified by NAICS codes. While the mandatory declaration requirements under the Pilot Program largely remain unchanged in the final regulations, there are several new exemptions. These include new exemptions for excepted investors, FOCI-mitigated entities[2], certain encryption technology, and investment funds managed exclusively by, and ultimately controlled by, U.S. nationals. As described above, CFIUS anticipates publishing a new proposed rulemaking to amend the mandatory requirement to focus on export control licensing requirements rather than limiting it to certain industry NAICS codes. CFIUS also explained that it does not foresee any changes to these exemptions even if the scope of the mandatory declaration requirement is amended as anticipated. CFIUS also acknowledged that the definition of critical technology remains subject to a separate rulemaking process by the Department of Commerce pursuant to the Export Control Reform Act of 2018.[3]
Key Takeaways
The final regulations offer a significant level of detail on how CFIUS will implement its new jurisdictional authorities articulated in FIRRMA. In so doing, members of the business and investment communities can gain a much better understanding of the extent to which contemplated transactions may warrant CFIUS review in the future. That being said, some of the key aspects of FIRRMA’s implementation—notably, the definition of principal place of business, remains subject to public comment and potential revisions by the Committee. The investment community must also wait on proposed regulations that address filing fees,[4] as well as the anticipated changes to the mandatory declaration requirement of the final regulations with regard to a new focus on export control laws rather than NAICS codes, which will be subject to a new round of agency rulemaking.
One outcome is for sure: the decision to notify CFIUS of a transaction will be a much more labor intensive analysis once these final regulation officially take effect on February 13, 2020. Determining the extent to which an investment target falls within these new jurisdictional authorities, coupled with the increasingly complex review of the nature of the investor, will often require much more attention during transaction diligence from both buyer and seller, as well as a heightened level of cooperation in coordinating this analysis. Pursuant to the new authorities under FIRRMA, it is highly likely that the Committee’s case load will multiply, possibly exponentially, in the years to come. Simpson Thacher & Bartlett is experienced in navigating the complexities of the CFIUS review process and continues to monitor the relevant regulatory developments.
[1] This acronym is derived from the terms “technologies,” infrastructure,” and “data.”
[2] A FOCI-mitigated entity is an entity that operates pursuant to an agreement with the U.S. Government to mitigate any Foreign Ownership, Control, or Influence (“FOCI”). An entity is considered under FOCI whenever a non-U.S. interest has any direct or indirect power to direct or decide matters affecting the management or operations of the entity that could result in unauthorized access to classified information or the performance of classified contracts.
[3] The foregoing provides a summary of the most significant changes to the proposed regulations, but it does not provide a full list of all changes in the final regulations. For example, CFIUS also made a number of other technical revisions and changes for clarity. A full description of every change in the final regulations is beyond the scope of this memo. In addition to the technical changes and revisions to the regulations themselves, the final regulations also include a number of new examples that help provide additional insight and clarity on the nature and scope of CFIUS’s expanded jurisdiction.
[4] While filing fees are not addressed in the final regulations, the regulations do implement certain FIRRMA provisions relating to penalties. In particular, any person who submits a material misstatement or omission in a declaration or notice or makes a false certification faces a civil penalty of up to $250,000 under the final regulations. The final regulations specifically remove the pre-FIRRMA qualifier “intentionally or through gross negligence,” as called for in the legislation.