After months of hearings and other deliberations, Congress passed, and President Trump signed into law on August 13, 2018, the Foreign Investment Risk Review Modernization Act of 2018 (FIRRMA). FIRRMA marks the first update to the Committee on Foreign Investment in the United States (CFIUS) in over a decade and will considerably expand the jurisdiction of the Committee and make other important changes to its rules. A text of the final version of FIRRMA (Sections 1701 to 1728 of the National Defense Authorization Act for Fiscal Year 2019 (NDAA)), is available here. The NDAA also includes comprehensive US export control reform legislation that (among other things) mandates increased US export controls over “emerging and foundational technologies” to address some of the US national security concerns that had led to calls for CFIUS reform. FIRRMA has gone through a number of revisions as it advanced in Congress and earlier versions of the bill are discussed in our previous International Law Advisories from June and January of this year.
The changes to CFIUS in FIRRMA are far-reaching. First, and most significantly, CFIUS's jurisdiction will expand to cover additional investments in US critical infrastructure and critical technology companies and US companies that deal with substantial amounts of US personal data, certain real estate transactions, and concessions at ports and airports. This change will not go into effect until CFIUS updates its regulations and defines a number of key terms. Second, a new "declaration" filing mechanism could simplify the review process for some transactions – if CFIUS shows a willingness to accept these filings. Third, CFIUS is no longer a wholly voluntary process, as some transactions will now require filing with CFIUS. Fourth, the timeline for CFIUS review will be lengthened, and CFIUS will be authorized to charge "filing fees" for the first time.
Expansion of CFIUS Jurisdiction
Prior to the passage of FIRRMA, CFIUS had the authority to review any transaction, by or with a foreign person, that could result in foreign control of a US business. Such transactions are known as “covered transactions.” FIRMMA expands CFIUS’s jurisdiction in three significant respects:
1. Real Estate Deals and Airport and Maritime Port Concessions
For the first time, some purchases or leases of US real estate will be subject to CFIUS review regardless of whether they are part of an acquisition of a US business. Similarly, concessions granted to foreign companies at US airports, marine ports, and military bases will be subject to CFIUS review. Specifically, FIRRMA extends CFIUS’s jurisdiction over real estate transactions to include any purchase or lease by, or concession to, a “foreign person” of real estate that is located in the United States and is either (1) part of an airport or maritime port, or (2) in “close proximity” to a US military installation or other sensitive US government facility and that could facilitate intelligence collection or foreign surveillance at that facility.
FIRRMA includes some provisions that will limit the scope of CFIUS’s review of these transactions. It will require CFIUS to promulgate regulations that define “close proximity” in order to ensure that it is limited to distances within which the relevant real estate could pose a national security risk. CFIUS is also required through regulation to limit the term “foreign person” for purposes of real estate transactions to “certain categories” of foreign persons where the connection between the foreign person and a foreign country or government affects US national security. In addition, real estate transactions related to single housing units will be excluded from CFIUS review. Transactions related to real estate in “urbanized areas” as defined by the Census Bureau will also be excluded, unless CFIUS implements regulations that require otherwise.
While expanding CFIUS’s jurisdiction to a broader class of real estate transactions is new, proximity to sensitive government or military installations is already a consideration CFIUS takes into account when considering covered transactions. Most notably, in 2014, the Obama Administration ordered Ralls Corp. to divest from a wind farm facility in close proximity to a US Department of Defense installation. While FIRRMA expands the scope of transactions subject to review, it reflects national security sensitivities that have long been part of the CFIUS process.
2. “Other Investments” in Businesses with Critical Infrastructure, Critical Technology, or Personal Data
FIRRMA will also extend CFIUS’s jurisdiction to a broad range of investments in critical technology and critical infrastructure companies, and in companies that maintain or collect sensitive personal information. Specifically, FIRRMA authorizes CFIUS review of “other investments” (beyond those that result in control of a US business) by a foreign person in any “unaffiliated United States business” that (1) “owns, operates, manufactures, supplies, or services critical infrastructure,” (2) “produces, designs, tests, manufactures, fabricates, or develops one or more critical technologies,” or (3) “maintains or collects sensitive personal data of United States citizens that may be exploited in a manner that threatens national security.”
The “other investments” covered by this provision are very broad – they include any investment that provides (1) access to “material non-public technical information,” (2) membership or other board of director rights, or (3) other involvement in certain substantive decision-making by the company.
The definitions of “critical infrastructure” and “critical technologies” track the current definitions used by CFIUS for those terms, with one key expansion – “critical technologies” also includes “emerging and foundational technologies” that (as discussed below) will now be subject to US export controls. As is true with real estate transactions, CFIUS will be required to limit the term “foreign person” for purposes of this category of transactions to “certain categories” of foreign persons where the connection between the foreign person and a foreign country or government affects US national security.
CFIUS has long identified critical infrastructure and critical technology companies as US investment targets that pose particular vulnerabilities. CFIUS’s interest in companies that handle large amounts of sensitive US personal data is of more recent vintage. FIRRMA significantly expands CFIUS’s jurisdiction over non-controlling foreign investments in these industries and areas.
3. Addressing other “Gaps” in the Committee’s Existing Authorities
FIRRMA will also explicitly extend CFIUS’s jurisdiction in two areas that are natural offshoots of CFIUS’s existing jurisdiction:
- Any changes in the rights of a pre-existing foreign investor that could result in foreign control of a US business or meet the definition of “other investment” (defined above)
- Transactions “designed or intended to evade or circumvent” the Committee’s jurisdiction
CFIUS will be required to issue implementing regulations on transactions that “evade or circumvent” CFIUS. One question is the extent to which these regulations will cover transactions that are designed legitimately to avoid CFIUS’s jurisdiction. Even after FIRRMA, CFIUS does not have jurisdiction over all, or even most, foreign investments in the United States. Particularly in light of uncertainties in the current CFIUS process, many foreign investors do not want to make investments that could be subject to CFIUS jurisdiction, and they seek transactions that avoid CFIUS’s jurisdiction (for example, by not taking a controlling interest in a US business). It remains to be seen when CFIUS will consider such transactions as designed or intended to “evade or circumvent” CFIUS.
Abbreviated “Declarations” in Lieu of Longer “Notices”
Under current rules, parties to covered transactions who seek CFIUS review must file lengthy written notices with CFIUS (frequently dozens of pages or longer) with detailed information about each company and its product lines, business operations, and personnel. FIRRMA creates an alternative, more streamlined process, by which parties to covered transactions can choose to submit “a declaration with basic information regarding the transaction” instead of a longer traditional written notice. While the requirements for such a declaration will be determined by CFIUS regulations, the declaration “would not generally exceed five pages in length.”
Not later than 30 days after receiving such a declaration, CFIUS must take one of several actions. The Committee could complete its review on the basis of the short-form “declaration,” it could request that the parties file a longer written notice, or it could unilaterally initiate a full-scale review of the transaction.
The creation of this more streamlined declaration process could prove to be a useful innovation that will allow CFIUS to “triage” its caseload and conduct a summary review of transactions that raise little concern. At this point, however, it is not clear whether this new procedure will prove to be a viable alternative to a full “written notice.” CFIUS will retain the authority to require a full written notification in every case, and it is possible that CFIUS will conclude that it requires a full notification in most cases – which could result in increased review time and cost for parties that elect to file a declaration.
FIRRMA mandates, for the first time, that CFIUS filings will become mandatory for certain transactions. This has not been true of CFIUS filings to date. Although there are already significant incentives to notify CFIUS of covered transactions, and significant risks when parties do not submit a notice, from its outset the CFIUS process has been voluntary. Under FIRRMA, parties will be required to notify CFIUS of transactions in which a “foreign person in which a foreign government has, directly or indirectly, a substantial interest” acquires a “substantial interest” in a critical technology or critical infrastructure company, or a company that handles large amounts of sensitive US person personal data.
CFIUS will be required to issue regulations defining “substantial interest” for purposes of this requirement. FIRRMA directs that transactions that do not meet the definition of “other investments” (discussed above) and those in which the interest of the foreign person is less than a 10% voting interest shall not be considered to meet the “substantial interest” definition. CFIUS can waive this mandatory declaration requirement if the Committee determines the investments are not directed by the foreign government and the investor has a history of cooperation with the Committee.
The Committee may by regulation also require declarations for other types of covered transactions.
Timing for Reviews and Investigations
FIRRMA formally extends the time period for CFIUS review in two ways. Prior to FIRRMA’s passage, notices accepted by CFIUS entered a 30-day “review” phase, which could be extended into an additional 45-day investigation phase for transactions that CFIUS determined merited further examination. FIRRMA extends the initial review phase to 45 days, and it permits the Committee chairperson to extend the 45-day investigation phase for one 15-day period in “extraordinary circumstances.” The legislation does not appear to prohibit the practice of withdrawing and re-filing a notice, which has become increasingly common in complex cases where additional time is needed, particularly in situations where complex mitigation agreements need to be negotiated.
Prior to FIRRMA there were no filing fees for submitting a notice to CFIUS. FIRRMA authorizes the Committee to assess and collect a filing fee, not to exceed an amount equal to the lesser of one percent of the value of the transaction or $300,000 (adjusted annually for inflation).
FIRRMA itself does not create any restrictions explicitly targeted at China. However, the administration has already announced its intent to use FIRRMA to increase scrutiny of Chinese investments in the United States. A number of the features of FIRRMA discussed above (such as the expanded jurisdiction of CFIUS over transactions involving certain “foreign persons” to be defined by regulation) could be implemented by the Executive Branch in a manner that could disproportionately impact Chinese investments.
Additionally, the “sense of Congress” section of FIRRMA notes that CFIUS should consider “whether a covered transaction involves a country of special concern that has a demonstrated or declared strategic goal of acquiring a type of critical technology or critical infrastructure that would affect United States leadership in areas related to national security.” While the sense of Congress provisions are not operative law, the above language appears to be clearly targeted at China and intended to signal to the Committee that closer scrutiny of Chinese investments is warranted.
The NDAA also includes comprehensive export control reform legislation, the Export Control Reform Act of 2018 (ECRA), to replace the Export Administration Act of 1979, which lapsed in 1994 and has been “kept alive” through the International Emergency Economic Powers Act (IEEPA). The export control reform legislation, as well as additional anti-boycott reform legislation, was originally introduced under the House version of the bill.
The most important provisions of ECRA with regard to foreign investment are the provisions establishing a mechanism to identify and control the export of “emerging and foundational technologies,” meaning technologies “essential” to US national security and which are not presently controlled. Previous versions of FIRRMA also sought to empower CFIUS to review certain outbound investments and other transactions potentially involving the transfer of export controlled or other sensitive technology. Those provisions did not make it into the final bill. However, CFIUS and ECRA are linked in that emerging and foundational technologies identified and controlled under the ECRA mechanism will be considered critical technologies under the CFIUS regime.
Open Investment Policy
The sense of Congress section of FIRRMA states that “maintaining the commitment of the United States to an open investment policy encourages other countries to reciprocate and helps open new foreign markets for United States businesses.” Thus, FIRRMA reaffirms Congress’s commitment to open investment and directs that CFIUS continue to view transactions on the basis of US national security considerations. This no doubt will be considered “weak tea” to some in light of the administration’s broad and expansive approach to “national security” in other areas of international economic law.
The Path Ahead
The effective dates for various provisions within FIRRMA range considerably. Certain provisions, such as those related to the timing for reviews, took effect immediately upon passage. Other provisions – such as CFIUS’s expanded jurisdiction over real estate transactions and critical technology, critical infrastructure, and personal data company investments – do not take effect until 30 days after the issuance of updated regulations, the details of which will be critical to many of the modifications of the CFIUS process. We will continue to monitor developments and provide updates as that process unfolds.
 Material nonpublic technical information means information that (1) “provides knowledge, know-how, or understanding, not available in the public domain, of the design, location, or operation of critical infrastructure” or (2) “is not available in the public domain, and is necessary to design, fabricate, develop, test, produce, or manufacture critical technologies, including processes, techniques, or methods.” The bill specifies that “financial information regarding the performance of a United States business” does not constitute material nonpublic technical information.
 Certain US-managed investment funds with foreign limited partners serving on the fund advisory board, or similar body, may be exempt from the definition of “other investment” if such advisory board cannot control the fund and meets other statutorily defined criteria.