COINS Act Codifies and Expands Outbound Investment Rules

On December 18, 2025, President Trump signed the National Defense Authorization Act for Fiscal Year 2026 ("NDAA") into law. The NDAA, often a vehicle for passing other national security-related legislation, included the Comprehensive Investment National Security Act (“COINS Act” or “the Act”), which codifies and expands the existing US Outbound Investment Security Program (“OISP”).

Currently, the OISP prohibits or requires the notification of certain investments by US persons involving entities linked to China and engaged in enumerated activities involving semiconductors and microelectronics, AI systems, and quantum information technologies. For additional information on the existing OISP rules see our prior blog post here.  

Below, we outline the key aspects of the COINS Act and how it is likely to expand or modify the current OISP.

Key Takeaways for Industry 

• The Act expands the list of “countries of concern” beyond China (including Hong Kong and Macau), adding Cuba, Iran, North Korea, Russia, and Venezuela. This expansion may have only a marginal impact on most US investors given the significant sanctions that already target the newly added jurisdictions.
• The Act expands the sensitive technology categories beyond the current categories of semiconductors and microelectronics, AI systems, and quantum information technologies to include high-performance computing and supercomputing and hypersonic systems. It also provides Treasury the authority to add new prohibited or notifiable technology categories in the future, if those technologies “enable the military, intelligence, surveillance, or cyber-enabled capabilities of a country of concern.”
• The Act makes several changes to the definition of “covered foreign person,” which could have a material impact on the types of persons subject to the OISP, but will depend in significant part on how Treasury drafts the implementing regulations.
• The Act directs Treasury to create a formal process for industry to obtain non-binding confidential private guidance or anonymized public guidance.
• The Act continues to provide significant discretion to the Secretary of the Treasury, meaning Treasury’s eventual rulemaking to implement the Act will be vitally important to understanding the precise contours of the new requirements.

Codification of Existing Rules

The COINS Act formally codifies much of the OISP, which was originally established by Executive Order 14105 in August 2023, relying on statutory authority in the International Emergency Economic Powers Act (“IEEPA”). The COINS Act is intended, in large part, to provide a discrete statutory basis for the OISP, rather than leaving it entirely to the discretion of the executive branch to implement via executive order.

With that said, the Act continues to provide significant latitude to the executive branch with respect to implementation and the drafting of regulations. In particular, the Secretary of the Treasury has 450 days to promulgate updated regulations implementing the Act (i.e., by March 13, 2027). Prior to that rulemaking the existing OISP regulations will remain in effect in their current form.

Expansion Of Existing Outbound Investment Security Program

The COINS Act broadens the scope of the current OISP beyond its original framework in several key respects. Below we summarize those changes.

Changes to Jurisdictional Coverage

The Act expands the list of “countries of concern” beyond China (including Hong Kong and Macau). The expanded list also includes Cuba, Iran, North Korea, Russia, and “Venezuela under the regime of Nicolas Maduro Moros.” As a practical matter, this expansion may have a limited impact given the significant US sanctions targeting those additional jurisdictions.

Changes to Technology Coverage

The law expands sensitive technology categories beyond semiconductors and microelectronics, AI systems, and quantum information technologies to include high-performance computing and supercomputing and hypersonic systems. It also provides Treasury the authority to add new prohibited or notifiable technology categories in the future, if those technologies “enable the military, intelligence, surveillance, or cyber-enabled capabilities of a country of concern.”

The COINS Act does not detail the specific technical and end-use parameters that should determine whether a transaction is prohibited or notifiable. Rather, the Act continues to delegate that decision-making authority to the Secretary of the Treasury who will be responsible for promulgating rules establishing those additional details. The precise scope of those forthcoming rules will be essential to understanding the breadth and impact of the COINS Act.

Changes to Covered Transaction Types

With respect to the types of transactions (e.g., equity investment, creation of a joint venture, etc.) covered under the COINS Act (referred to as “covered national security transactions”), the Act largely codifies, rather than materially expands, the existing core categories of “covered” outbound investment activity already subject to the OISP regulations.

In one notable change, the COINS Act defines a “covered national security transaction” to include a US person “knowingly directing” a foreign person’s transaction that would be either prohibited or notifiable if undertaken by a US person. Under the current OISP, the “knowingly directing” provision only addresses directing an otherwise prohibited transaction. It is unclear, however, what the impact of that definitional change will be. The likely outcome would seem to be a new requirement for a US person knowingly directing a notifiable transaction to file a notification with Treasury.

Importantly, the Act continues to cover certain greenfield and brownfield transactions. The Act also empowers Treasury to create additional categories of covered transaction types, as warranted.

Changes to Covered Foreign Person Definition

The COINS Act takes a different approach from the existing OISP rules with respect to persons considered “covered foreign persons.” The current OISP rules capture (1) “persons of a country of concern” engaged in certain “covered activities” or (2) persons with enumerated interests in a person from which they derive more than 50 percent of certain financial metrics.

The COINS Act takes a different approach by eliminating the “person of a country of concern” definition and eliminating the covered foreign person prong tied to financial metrics derived from affiliated entities. Instead, the definition includes four distinct categories of persons, including a person that:

• (A) is incorporated in, has a principal place of business in, or is organized under the laws of a country of concern;
• (B) is a member of the Central Committee of the Chinese Communist Party or is a member of the political leadership of a country of concern;
• (C) is subject to the direction or control of a country of concern, as defined by regulation, an entity described in subparagraph (A) or (B), or the state or the government of a country of concern (including any political subdivision, agency, or instrumentality thereof); or
• (D) is owned in the aggregate, directly or indirectly, 50 percent or more by a country of concern, an entity described in subparagraph (A) or (B), or the state or the government of a country of concern (including any political subdivision, agency, or instrumentality thereof).

While certain of those categories are relatively clear and align with the existing OISP rules, there are some material differences. For example, the OISP rules treat an individual citizen or permanent resident of a country of concern as being a “person of a country of concern.” The COINS Act does not have language explicitly applying to individuals but does contain a more amorphous reference to persons “subject to the direction or control” of a country of concern, which could seemingly capture a similar group of actors, but may not overlap entirely with the current rules. This is another area where the precise regulations promulgated by Treasury will be crucial to understanding the scope of the restrictions. 

Changes to Exceptions and Exemptions

The COINS Act also contains a variety of “exceptions and clarifications” carving certain activities out of the scope of the Act, including:

• Transactions determined by Treasury to be “de minimis;”
• Transactions determined by Treasury to be “in the national interest of the United States;”
• Transactions involving certain publicly traded securities;
• Certain transactions by limited partners or their equivalent in investment funds and other pooled investment vehicles;
• Transactions in which US persons purchase the “totality of the interest in the entity held by the covered foreign person”; and
• Certain intra-company transfers.

Many of these categories overlap with the existing rules but others do not. For example, despite calls from industry during the rulemaking process, Treasury had expressly declined to create a de minimis exception to its rules. It remains to be seen, however, how those rules are ultimately written as many of the exceptions could be scoped more broadly or narrowly depending on how Treasury seeks to implement them.

Mechanisms to Provide Additional Industry Guidance

The COINS Act adds two practical compliance tools that do not exist under the OISP today:

• Treasury must create an advisory opinion process for market participants to request non-binding feedback on whether a transaction would constitute a covered national security transaction. The feedback can be provided on a confidential basis or as anonymized guidance to the public.
• Treasury is authorized, but not required, to establish a publicly accessible, non-exhaustive database identifying covered foreign persons engaged in activities involving prohibited or notifiable technologies.

Both of these items were suggested by industry, and rejected by Treasury, during the drafting of the current OISP rules. The database, however, is purely optional for Treasury and, therefore, the agency could ultimately decline to create one. If a database is established, the Secretary of Treasury, in consultation with the Secretary of Commerce, may establish a mechanism for identified covered foreign persons to petition for removal from the database.

Creation of Non-Notified Process

The Act directs Treasury to establish a “non-notified” process to identify covered national security transactions not notified to Treasury or that violated a prohibition under the rules. Treasury has already been engaged in this type of monitoring activity, but the Act directs the creation of a more formal process and provides Treasury with funding and staffing resources to carry out those functions.

Authorization of Sanctions Against Covered Foreign Persons

In addition to the investment restrictions that form the backbone of the Act, Subtitle B of the Act authorizes, but does not require, the President to impose sanctions on covered foreign persons “to the extent necessary to prohibit any United States person from investing in or purchasing significant amounts of equity or debt instruments” of the covered foreign person.

Conclusion

Investors in the US and abroad should carefully consider the likely impact of the COINS Act and amendments to the OISP rules on their business activities and begin preparing for potentially significant changes. Additionally, interested parties should consider submitting comments to Treasury during the notice and comment rulemaking process as the agency develops implementing regulations, as required under the Act. Feedback from industry submitted via the notice and comment process had a substantial impact on the current OISP rules, and it seems likely that industry will, once again, have an opportunity to shape the new regulations as Treasury undertakes the rulemaking process.

For additional information regarding the COINS Act or assistance with a matter regarding the OISP regulations, please contact a member of Steptoe’s National Security & Cross-Border Transactions team.