The Ultimate Guide to CFIUS Compliance
The Committee on Foreign Investment in the United States (“CFIUS”) is an inter-agency committee of the federal government that has the power to review, analyze, and block transactions and investments that raise security issues or that result in the control of a U.S. business by a foreign person. CFIUS is authorized to initiate a review of virtually any foreign transaction or investment in a U.S. business that it deems to have an impact on U.S. national security interests. These reviews involve compliance with various laws and regulations and can be time-consuming. It is important that individuals and companies understand how to comply with the obligations mandated by CFIUS.
This guide, drafted by the senior defense attorneys at Oberheiden, P.C., offers a simple list and description of the most important aspects of CFIUS reviews. It compiles key areas of CFIUS compliance to help corporate executives and companies become proactive, maintain compliance, and reduce liability exposure. The guide is divided into three sub-topics: 1) history and overview of CFIUS; 2) terms relevant to businesses regarding CFIUS compliance; and 3) the CFIUS review process.
History and Overview of CFIUS
The History of CFIUS
In 1975, President Ford created CFIUS by Executive Order due to increased congressional pressure to regulate investments in U.S. assets by the Organization of the Petroleum Exporting Countries (“OPEC”). Originally operating as an advisory committee, CFIUS expanded with the 1988 Exon-Florio Amendment to the Omnibus Trade and Competitiveness Act to include more regulatory duties. For instance, under the Exon-Florio Amendment, the President could block certain foreign investments. In 2007, Congress codified CFIUS in the Foreign Investment National Security Act of 2007 (“FINSA”) in an effort to increase congressional oversight over the CFIUS compliance review process. Such revisions included an emphasis on increased transparency and enhanced CFIUS investigative powers.
The next regulatory movement occurred in 2018 with the passage of the National Defense Authorization Act (“NDAA”) for Fiscal Year 2019. The NDAA 2019 incorporated the Foreign Investment Risk Review Modernization Act (“FIRRMA”). FIRRMA massively reformed the process used by CFIUS to investigate foreign direct investment in U.S. companies. For instance, it broadened CFIUS’s jurisdiction to review certain covered transactions in the United States for national security threats. Prior to FIRRMA, CFIUS could only review proposed acquisitions that would lead to foreign control of a U.S. business and potentially threaten U.S. security.
After FIRRMA, CFIUS is authorized to review “other” investments that are considered non-controlling foreign investments in U.S. businesses relating to critical technologies, critical infrastructure, or sensitive personal data. In other words, certain transactions such as minority foreign direct investments that were once outside the scope of CFIUS’s authority can now be examined by CFIUS. FIRRMA also authorized CFIUS to review certain “greenfield” investments in real estate which were previously outside the scope of CFIUS review.
The Duties and Functions of CFIUS
CFIUS is a U.S. inter-agency body that is chaired by the Secretary of the Treasury. Its objective is to review proposed or pending foreign direct investments in U.S. businesses for national security threats. Examples of “covered” transactions that CFIUS reviews include mergers, acquisitions, takeovers, or other agreements that involve foreign control of a U.S. business. CFIUS has the power to block these foreign transactions or foreign investments that undermine U.S. security interests.
The Jurisdictional Authority of CFIUS
The Committee on Foreign Investment in the United States has virtually unlimited jurisdiction to review foreign investments and foreign transactions that may have an adverse effect on U.S. national security interests. FIRRMA and the new CFIUS final regulations that took effect in early 2020 provide broader jurisdiction to CFIUS for reviewing non-controlling transactions and investments by foreign individuals or foreign entities. Specifically, the final regulations and FIRRMA expand CFIUS’s jurisdiction to encompass U.S. businesses that deal with TID Businesses— critical technologies, critical infrastructure, and sensitive personal data of U.S. citizens—and certain real estate transactions.
Important Changes to CFIUS Reviews due to FIRRMA
Before FIRRMA became effective, the authority of CFIUS was limited to reviews of investments and transactions that resulted in foreign control of a U.S. business. After FIRRMA, foreign control of a U.S. business is no longer determinative to the decision to initiate a CFIUS review. In other words, FIRRMA vests with CFIUS the authority to review certain “non-controlling” transactions in TID Businesses. TID Businesses include the following three industries: (1) critical technology; (2) critical infrastructure; and (3) sensitive personal data.
FIRRMA also modified the structure of CFIUS by transforming it into a quasi-governmental agency that is equipped with its own staff, funding, and committee resources to review, investigate, and block certain transactions or investments that pose national security threats to the United States. Below are additional changes FIRRMA made to CFIUS:
- Gives CFIUS and the President a list of factors to consider when determining whether a given transaction poses a national security threat.
- Provides that CFIUS may conduct pilot programs to implement the authority granted under FIRRMA.
- Increases the importance of mitigation measures between parties by requiring that the parties implement compliance plans if they want the proposed or pending foreign transaction/investment to be approved.
- Gives CFIUS a longer time period to investigate and review a foreign transaction or investment for possible national security threats.
- Changes certain filing requirements from voluntary filings to mandatory filings.
- Allows some proposed foreign transactions/investments to be finalized with a declaration to CFIUS, while others must be finalized with the more extensive written notification (e.g., these latter situations are typically seen in countries that are deemed to be a special concern).
Terms Relevant to Businesses Regarding the CFIUS Review Process
Deciding Whether the Foreign Investment is a “Covered Transaction”
CFIUS’s objective is to review certain foreign transactions and foreign investments that pose national security threats to the United States. However, this authority has been greatly expanded over the past decade. Under FIRRMA and the CFIUS final regulations, CFIUS is now authorized to review “covered” non-controlling foreign investments in TID Businesses—critical technology, critical infrastructure, and sensitive personal data. Therefore, CFIUS can review both foreign transactions/investments that will lead to foreign control of a U.S. business as well as transactions that do not lead to foreign control but that otherwise affect the economic interests or integrity of the United States.
The U.S. federal government is wary of foreign transactions and foreign investments, including the use of government funds used for foreign research. This concern is heightened in certain industries such as technology, infrastructure, or industries dealing with sensitive U.S. data. Therefore, one important part of FIRRMA is that it granted CFIUS the authority to review non-controlling foreign investments in what is called “TID Businesses.” It is important to regulate and review foreign investments in these businesses because they are often the source of substantial harm to U.S. national security interests. TID Businesses stands for the following:
- Critical Technology: This industry sector involves businesses specializing in agents and toxins or emerging and foundational technologies. It also includes nuclear-related facilities and U.S. businesses that design, test, and develop critical technologies.
- Critical Infrastructure: This industry sector includes ports, water systems, or oil refineries. It also encompasses U.S. businesses that engage in substantial operations for their business such as operating or manufacturing assets in the critical infrastructure industry.
- Sensitive Personal Data: This industry sector is broad and includes businesses that store confidential, non-public information on U.S. citizens. It is important to regulate and review this category because its use by foreign persons and foreign entities can be devastating to U.S. national security interests.
CFIUS Filing Requirements
CFIUS is vested with the authority to review practically any foreign transaction or foreign investment in a U.S. company for possible national security threats. The parties to the transaction or investment may elect to file a notice for review where they believe the proposed deal falls within the purview of CFIUS. Filing this notice for CFIUS compliance review is not mandatory. It is voluntary. If a notice for review is not filed and CFIUS determines that it should have been so filed because the proposed deal raises national security concerns, then CFIUS is authorized to block or unwind the deal.
Exceptions to CFIUS Final Regulations
CFIUS’s final regulations include some notable exceptions such as those relating to excepted foreign countries and excepted investors. For instance, CFIUS decided that the foreign countries United Kingdom, Australia, and Canada shall be exempt from the requirements because they are U.S. allies with a history of transparency and intelligence sharing with the United States. Certain foreign investors may also be exempt in certain circumstances. For instance, in order to be an excepted investor, that foreign investor must satisfy one of the three conditions: (1) a national of an exempt country and not a national of a non-exempt country; (2) a foreign government of an exempt country; or (3) a foreign company or foreign entity of the exempt country.
CFIUS and China
Foreign direct investment into the United States by China or companies controlled or owned by China poses a significantly high threat to the national security interests of the United States. In fact, China’s growing presence in U.S. technology industries and the resulting consequences were driving factors behind FIRRMA’s enactment. And this continues to play out in practice, as China is repeatedly charged with violations of U.S. privacy and intellectual property statutes. The situation is only exacerbated by the ongoing trade war between the United States and China. As a response, the federal government has become more involved in reviewing Chinese investments, especially with respect to U.S. TID Businesses. Specifically, CFIUS has utilized its enhanced jurisdiction and power under FIRRMA to investigate and review foreign investments/transactions involving China and Chinese-controlled entities.
The CFIUS Review Process
Overview of the Steps Involved in a CFIUS Review
The CFIUS compliance review process can be a complicated and protracted process. The steps involved can differ based on the type of foreign investment or foreign transaction or whether a routine or sensitive matter is at issue. The parties to the foreign deal must decide whether to file a notice of review with CFIUS if they believe the deal is a “covered” investment. They will typically file a voluntary CFIUS Notice which details the proposed transaction and a description of the transaction. If the parties decide not to notify CFIUS, CFIUS may still decide that the foreign deal is subject to review. In these cases, CFIUS will initiate the review process to assess the potential national security threats. In both cases, the review process by CFIUS may take several weeks.
CFIUS then conducts a 30-day review and prepares a risk assessment report to determine whether to clear the transaction or continue assessing it. If CFIUS decides to continue its investigation, it will commence a 45-day investigation. Once the assessment is completed, CFIUS will make a formal recommendation to the President regarding whether the transaction should be cleared or blocked. The President is given an additional 15 days to either approve the proposed foreign transaction/investment or block it. Sometimes, mitigation measures may be imposed on the parties as a condition in order for the foreign transaction or foreign investment to be approved. A typical mitigation measure is the implementation of a robust compliance program.
Possible Outcomes of the CFIUS Review Process
The CFIUS compliance review process could have one of three possible outcomes: (1) cleared transaction without mitigation; (2) cleared transaction with mitigation; or (3) blocked transaction.
- : This circumstance occurs when CFIUS concludes that the proposed deal does not threaten the national security interests of the United States. It could also occur when CFIUS opens its own review and is unable to conclude that the proposed deal poses a national security threat. In either case, CFIUS will issue a no-action letter that approves the deal for the parties.
- : This circumstance occurs when CFIUS determines that the proposed deal cannot be approved in its entirety unless and until some form of mitigation measures are imposed. These mitigation measures may include implementing internal controls, greater monitoring procedures, regular audits, and/or compliance checks. However, other mitigation measures may be more demanding and entail asset divesture, restructuring the transaction, or rescinding certain government contracts. If the proposed deal is approved with the mitigation measures, CFIUS will issue a no-action letter that clears the deal with the mitigation measures imposed. If not, the proposed deal will be blocked.
- : This circumstance occurs when CFIUS or the President reaches the conclusion that the proposed foreign investment or foreign transaction poses too great of risk to U.S. national security to be approved. It may also be concluded that the proposed deal threatens TID Businesses—industries involving critical technology, critical infrastructure, or sensitive personal data. Therefore, the proposed deal is blocked or, in some cases, is forced to unwind.
Review of Real Estate Transactions
Pre-FIRRMA laws prevented CFIUS from reviewing certain “greenfield” investments in real estate such as undeveloped land. Since FIRRMA, CFIUS is now authorized to review real estate transactions located on covered ports, involving missile fields, within close proximity to government facilities, within specified military installments, or specified areas within the territorial seas of the United States. In other words, CFIUS can review certain proposed or pending sales, leases, or concessions of real estate involving a foreign person where that transaction gives the foreign person certain property rights.
Warning Signs of a Potential CFIUS Review
CFIUS does not rely on a pre-determined list of factors when deciding whether to review a proposed foreign transaction. Nevertheless, there are certain activities or conduct that make it more likely that the proposed deal would be reviewed:
- Large acquisitions that lead to foreign control in a U.S. TID Business.
- A loan or other financial agreement that grants financial rights in a foreign party.
- Foreign investments or foreign transactions that vest significant interest of a U.S. TID Business—critical technology, critical infrastructure, or sensitive personal data—in a foreign party.
- Transactions that confer substantial debt or equity rights to foreign parties.
- Foreign investments or foreign transactions that involved material, classified government contracts.
- Foreign deals involving the military, military bases, government facilities, or defense contracts.