The US Department of Treasury ("Treasury") has issued final regulations to implement changes — required by the Foreign Investment Risk Review Modernization Act ("FIRRMA") — that significantly expand the jurisdiction of the Committee on Foreign Investment in the United States ("CFIUS"). The proposed regulations were formally published on September 24, 2019 (as we previously reported), and the final regulations, issued January 13, 2020, will take effect February 13, 2020.
The now-final regulations retain many features of the proposed rules, insofar as they:
- Define CFIUS jurisdiction over certain "non-controlling" covered investments by foreign persons in US businesses that deal in critical technology, critical infrastructure, or sensitive personal data;
- Implement mandatory, as well as voluntary short-form, declarations for certain transactions;
- Set parameters around the increased CFIUS authority to review real estate transactions for potential national security implications; and
- Avoid, for now, imposing filing fees for CFIUS review.
The final rules also depart from the draft regulations in several key ways, including insofar as they:
- Exempt certain investors from Australia, Canada and the United Kingdom — newly designated as "excepted foreign states" — from CFIUS filing requirements relating to non-controlling covered investments (though CFIUS retains jurisdiction over controlling investments or acquisitions made by investors from these countries);
- Incorporate many of the Pilot Program Regulations' mandatory declaration requirements for transactions involving certain US businesses that produce, design, test, manufacture, fabricate, or develop critical technologies; and
- Refine CFIUS regulations relating to investment funds, including by amending the definition of "substantial interest."
Additionally, the US Department of Commerce's Bureau of Industry and Security ("BIS") issued on January 6, 2020 an interim rule (now in effect) that imposes export licensing requirements on software designed to automate the analysis of geospatial imagery. The rule was issued pursuant to the Export Control Reform Act of 2018 ("ECRA"), which required BIS to identify "emerging and foundational technologies." Because emerging and foundational technologies are included in CFIUS' definition of "critical technology," this rule presumably will subject more transactions to CFIUS review.
A summary of the key provisions of the final regulations, and the BIS interim rule, is set forth below.
Final CFIUS Regulations
Non-controlling investments in "TID" US businesses
Before FIRMMA, CFIUS could only review transactions in which a foreign investor could obtain "control" over a US business. (Our previous overview of the FIRRMA legislation is available here.) FIRRMA, enacted in August 2018, expanded CFIUS' jurisdiction, authorizing it to issue regulations to review certain "non-controlling investments" (under the final regulations, "covered investments") in US businesses that: (i) produce, design, test, manufacture, fabricate or develop critical technology; (ii) perform enumerated functions with respect to "covered investment critical infrastructure"; or (iii) maintain or collect sensitive personal data of US citizens that, if exploited, could threaten US national security.
The final regulations (available here), as to covered investments, refer to these businesses as "TID" ("technology, infrastructure, and data") US businesses.
Under the final regulations:
- "Critical technology" includes certain items subject to US export controls and other regulations, such as items on the US Munitions List (which includes a wide array of firearms, ammunition, air and ground vehicles, and toxicological agents). This definition is consistent with the Pilot Program regulations and prior CFIUS practice. What is quite significant, however, is that "critical technology," after FIRRMA, also includes "emerging and foundational technologies," which may cut across a wide range of technologies that currently do not fall within the CFIUS review process, depending upon how broadly such technologies are defined by BIS regulations. BIS has already identified one set of technologies, as discussed below, and is expected to identify more.
- "Covered investment critical infrastructure" are systems or assets, whether physical or virtual, in a variety of sectors including telecommunications services, submarine cables and related systems, utilities, energy, internet protocol networks and transport-related systems, which are identified in the regulations.
- "Sensitive personal data" includes various data categories, including financial, geolocation and health data. The provisions specify that data, to be considered "sensitive," must be "identifiable data," that is:
- Maintained or collected by a US business that:
- Targets or tailors products or services to any US executive branch agency or military department with intelligence, national security, or homeland security responsibilities, or to personnel and contractors thereof;
- Has maintained or collected any identifiable data within one or more enumerated categories (described below) on greater than one million individuals at any point over 12 months preceding the earliest of the transaction closing date or other significant dates (e.g., the execution of a binding written agreement establishing the material terms of the transaction), or the date of filing a CFIUS notice or declaration, unless the US business can demonstrate that at the time of closing it will have neither the capability to maintain nor the capability to collect any identifiable data within the enumerated categories on greater than one million individuals; or
- Has a "demonstrated business objective" to maintain or collect any identifiable data within the enumerated categories on greater than one million individuals and such data is an integrated part of the US business' primary products or services; and
- Within one of several enumerated categories, including financial data that could be used to determine an individual's financial distress or hardship, consumer report data, health insurance data, and others. The final regulations carve out certain categories of data, such as a genetic testing data derived from US government databases that is routinely provided to private parties for research.
Consistent with FIRRMA, the regulations make clear that a non-controlling investment will only be considered a covered investment, and thus within CFIUS jurisdiction, if it involves a TID US business and affords the non-US investor certain rights, including (i) access to "any material nonpublic technical information in the possession of the TID US business" (including technical know-how); (ii) membership or observer rights in the US business; or (iii) any involvement (other than voting shares) in the business's "substantive decision making" (which includes among other things pricing for the sale of sensitive personal data, supply arrangements, corporate strategy, R&D, and access to critical technologies).
Excepted foreign states
Because of the "potentially significant implications" for US national security, CFIUS has initially designated only three countries as "excepted foreign states": Australia, Canada, and the United Kingdom, each a long-time US ally that maintains, per CFIUS, "robust intelligence-sharing and defense industrial base integration mechanisms with the United States." CFIUS may expand this list in the future, but there is no timetable as to when or what countries may be designated.
Critically, investments from all foreign persons and entities, including investors from Australia, Canada, and the UK, remain subject to CFIUS jurisdiction when engaging in transactions that could result in foreign control of a US business. However, the final regulations exempt from CFIUS review any non-controlling investments in TID US business (or certain real estate transactions, addressed below) made by qualified "excepted investors" from these three countries.
This excepted foreign state status goes into effect February 13, 2020. In order for each country to retain its excepted foreign state status after February 13, 2022, however, CFIUS must make a determination regarding the foreign state's national security-based foreign investment review processes and bilateral cooperation with the US on national security investment reviews. This two-year period is intended to allow these initially eligible states to ensure that their foreign investment review processes and bilateral cooperation with the US meet the requirements of the regulations, and to allow CFIUS to develop procedures to make these determinations in the future. A list of factors that CFIUS will consider is expected to be posted on the CFIUS website in the near future.
The final regulations create filing exemptions for covered investments in TID US businesses by "excepted investors," defined as investors with substantial ties to "excepted foreign states."
Excepted investor status requires a finding that the foreign investor is:
- A national of an excepted foreign state (see below), and not also a national of a non-excepted foreign state;
- The government of an excepted foreign state; or
- A company that is organized in such excepted foreign state and that meets each of the following criteria:
- It has a principal place of business in such state;
- It has a board comprised of 75% or more members, and 75% or more observers, that are nationals of excepted foreign states (and not nationals of non-excepted foreign states) or US nationals. This provision was revised from the proposed regulations to allow up to 25% representation by foreign nationals or states that are not excepted;
- Any foreign person, and each foreign person that is part of a group of foreign persons that in the aggregate, holds 10% or more of the outstanding voting interests of such entities; holds the right to 10% or more of the profits of such entities; holds the right in the event of dissolution to 10% or more of the entities; or otherwise could exercise control over such entities, is a national of an excepted foreign state, the government of the same, or an entity incorporated there and with its principal place of business there or in the United States; and
- Its "minimum excepted ownership" is held by a US person, a national of an excepted foreign state, the government of the same, or an entity incorporated there and with its principal place of business there or in the United States. With respect to public companies, minimum excepted ownership means a majority of voting interests, a right to the majority of profits, and the right to a majority of assets in dissolution; with respect to private companies, it means 80% or more of the same criteria.
- All of the conditions for companies, including the minimum excepted ownership conditions, apply to each parent of the foreign person.
Foreign individuals or entities that have violated (or whose corporate parent or subsidiaries have violated) certain US laws or regulations, made material misstatements in a CFIUS filing or breached a CFIUS-related undertaking, will not be considered excepted investors.
Traditionally, the CFIUS filing process has been a voluntary one, meaning no laws were violated if parties elected not to notify CFIUS of a transaction (though CFIUS was, and remains, empowered to initiate its own investigations, even after closing). The final regulations, however, change this approach, by requiring mandatory declarations for covered transactions in which a foreign government directly or indirectly obtains a "substantial interest" in a TID US business (i.e., a 25% voting interest in the US business, and a 49% interest of the foreign government in the foreign person).
Per the final regulations, where an entity has a general partner or equivalent, the foreign government must hold its "substantial interest" in the general partner (its interests in limited partners will be disregarded). Likewise, the term "substantial interest" applies to a single foreign government, which includes both national and subnational governments and their respective departments and agencies. The final regulations also exclude the governments of excepted foreign states, and covered transactions by investment funds (if the fund is managed exclusively by a general partner, who is not a foreign person).
Practically, the final regulations require mandatory declarations (or else submission of a full voluntary filing) only in a narrow category of transactions. Nevertheless, deal parties that are owned or affiliated (even indirectly) with foreign governments should be aware of these requirements, as such ownership or affiliation can turn a voluntary filing process into a mandatory one.
While imposing filing requirements on some investors, the regulations also provide a mechanism to give certain transactions an expedited path to CFIUS clearance. Under the final regulations, parties are able to file voluntary short-form declarations in lieu of full voluntary notices (which require significant amounts of information). Using these declarations, parties to transactions with low national security risk profiles may be able to receive CFIUS clearance more quickly — after a 30-day review period (as opposed to a minimum 45 day review for a full filing) — and still receive "safe harbor" generally insulating such transactions from further CFIUS review. The final regulations make some changes to the content of the declarations. For example, for declarations involving the acquisition of a US business that produces, designs, tests, manufactures, fabricates, or develops one or more critical technologies, the declaration must describe the items and their export control classification/category.
Pilot Program Regulations
The Pilot Program Regulations' requirement of mandatory declarations for transactions involving US businesses that produce, design, test, manufacture, fabricate, or develop critical technologies in certain industries has been incorporated into the final regulations. The existing Pilot Program Regulations, which took effect November 10, 2018, will remain in effect through February 12, 2020, and its terms will largely become effective as part of the final regulations on February 13, 2020.
Currently, the Pilot Program regulations identify US businesses subject to the mandatory declaration requirements by North American Industry Classification Systems ("NAICS") codes, which are generally self-identified. The final regulations indicate that Treasury intends to issue additional regulations that would change this requirement to one based on export control licensing requirements.
The final regulations carve out certain transactions from the original scope of the mandatory declaration requirement, including a covered transaction by investment funds managed exclusively by and ultimately controlled by US nationals, a covered control transaction by excepted investors, and covered transactions in which the foreign person's indirect investment in the TID US business is held solely and directly via certain foreign ownership, control of influence ("FOCI") mitigated entities.
Exceptions for investment funds
Consistent with FIRRMA, the final regulations exempt from the covered investment provisions any passive, indirect investments by foreign persons in TID US businesses via investment funds, where the foreign investors receive memberships (as limited partners) on the fund advisory board.
To be exempt, the investment fund must meet the following criteria:
- The fund must be exclusively managed by a US general partner;
- The fund's advisory board cannot approve, disapprove or control the fund's investment decisions, or decisions by the US general partner regarding the fund's portfolio companies; and
- The foreign limited partner:
- Does not and cannot control the investment fund (which includes the ability to approve, disapprove or control investment decisions, decisions of the US general partner related to entities in which the fund invests, or the selection/dismissal/ compensation of the US general partner);
- Does not have access to material nonpublic technical information of the TID US business; and
- Does not have membership or observer rights on the board of the TID US business, or any involvement (other than by voting shares) in the TID US business's substantive decisions.
Stipulation of covered transactions and foreign government transactions
The final regulations enable deal parties to stipulate that a transaction is a covered transaction and, as applicable, a foreign government-controlled transaction. Stipulations must be made either in a notice or a declaration. If the stipulation is made in a notice, CFIUS must provide comments on or accept the notice no later than 10 business days after the date of filing. Stipulations allow CFIUS to more quickly turn to reviewing the substance of the transaction. However, in making a stipulation, the parties acknowledge that CFIUS and the President are entitled to rely on such stipulation in determining whether the transaction is a covered transaction and/or a foreign government-controlled transaction. The parties also waive the right to challenge any such determination.
Real estate regulations
FIRRMA authorized CFIUS to review real estate transactions relating to air or maritime ports, to locations in close proximity to sensitive US military installations or facilities, or that could otherwise expose national security activities at such installations to surveillance by non-US actors.
The final regulations addressing real estate (available here) limit CFIUS jurisdiction to the purchase or lease of "covered real estate" that affords at least three of the following rights: the right to (i) physically access, (ii) exclude, (iii) improve or develop real property, or (iv) to attach fixed structures or objects. Covered real estate encompasses real estate that: is located within, or will function as part of, a "covered port"; is located within "close proximity" of certain military installations or other US government property, within the "extended range" of certain military installations, or in certain counties or geographic areas; or is any part of certain military installations. (Subsequent US Department of Transportation lists will identify the relevant airports and maritime ports.) While the meaning of "close proximity" to sensitive facilities has been the subject of some debate, the regulations limit such proximity to locations within one mile of the facility, with a lower security profile potentially attaching to foreign investments in real estate located within an "extended range" (between one to 99 miles) of the location.
Real estate transactions involving an "excepted real estate investor" from an "excepted foreign state" are excluded from the scope of these regulations. These regulations are similar to the excepted investor provisions discussed above.
The final regulations clarify that real estate transactions that are part of a "covered transaction" under the general part 800 regulations are excluded from the real estate regulations. Additionally, certain transactions in urban areas, the purchase, lease or concession of single housing units, and certain commercial office space transactions are excluded from the real estate regulations. CFIUS anticipates making a web-based tool available to assist the public in understanding the geographic coverage of the rule.
Still no CFIUS filing fees
FIRRMA authorized CFIUS to impose filing fees of up to 1% of deal value (capped at US $300,000), and to study the "feasibility and merits" of additional fees for priority review of CFIUS filing. In the final regulations, Treasury indicated that it will issue proposed regulations concerning filing fees at a later (but as yet unspecified) date. Thus, for now the CFIUS process remains free of any filing fees.
BIS Interim Rule on Geospatial Imagery
Pursuant to ECRA, BIS was charged with identifying and controlling "emerging and foundational technologies." As noted above, FIRRMA defines "critical technologies" to include emerging and foundational technologies.
The interim rule, which became effective on January 6, 2020, and is now subject to public comments through March 6, 2020, imposes export licensing requirements on software designed to automate the analysis of geospatial imagery under the Export Control Classification Number ("ECCN") 0Y521 series, specifically under ECCN 0D521. Briefly, 0Y521 series software is specially designed for training a "Deep Convolutional Neural Network" (commonly applied to analyzing visual imagery) to automate the analysis of geospatial imagery and point clouds (also known as digital surface models, a collection of data points defined by a coordinate system), enabling users to identify objects of interests (e.g., vehicles, houses). The Commerce Department, with the concurrence of the State and Defense Departments, concluded that the items warranted export controls "because the items may provide a significant military or intelligence advantage to the United States or because foreign policy reasons justify control." Items in this series are controlled for regional stability (RS) Column 1 reasons, and subject to a case-by-case license application review policy. The only license exception currently available is for certain exports, re-exports, and transfers (in-country) made by or co-signed to a US government department or agency.
According to the interim rule, the 0Y521 series is a temporary holding classification, which lasts for one year from the date of the publication of the final rule listing the item in Supplement No. 5 to part 744 (unless the classification is extended) and provided that the US government submits proposals to the appropriate multilateral regimes to obtain multilateral controls over the series. An item in this series, before the classification expires, may also be reclassified and moved under a different ECCN on the Commerce Control List ("CCL"). If the classification expires, and the item is not moved under another ECCN, the item is designated as "EAR99" (i.e., subject to the Export Administration Regulations ("EAR") but not listed on the CCL).
* * *
We continue to monitor developments in this area. Please contact the authors or your usual Herbert Smith Freehills contact for more information.