Facing FIRRMA: Treasury Releases Final CFIUS Regulations
The Situation: The U.S. Department of the Treasury ("Treasury Department") released final regulations implementing the Foreign Investment Risk Review Modernization Act of 2018 ("FIRRMA"), which, among other things, effectuate the expanded jurisdiction for the Committee on Foreign Investment in the United States ("CFIUS" or "Committee").
The Result: The final regulations, which will become effective on February 13, 2020: (i) incorporate several revisions to the earlier proposed regulations based on feedback received during the public comment period; (ii) provide an initial list of foreign states eligible for excepted foreign state status; and (iii) signal key areas where subsequent regulations are likely to follow in the coming months, including those aimed at modifying the scope of covered investments in critical technologies.
Looking Ahead: U.S. businesses and foreign investors should carefully review the final regulations to evaluate whether contemplated investments may be subject to the Committee's expanded jurisdiction or even require a mandatory notification to CFIUS.
On January 13, 2020, the Treasury Department issued two sets of final regulations. The first set of regulations relate to CFIUS's expanded jurisdiction over certain types of investments, including noncontrolling investments, in certain types of U.S. businesses. The second set of regulations relate to CFIUS's expanded jurisdiction over certain foreign investments in certain U.S. real estate.
The Treasury Department's final regulations include revisions based on public feedback the Treasury Department received regarding the proposed regulations issued in 2018, which we discussed here and here. The Treasury Department also published a separate fact sheet and frequently asked questions ("FAQ").
Continuity and Clarification: How the Final Regulations Relate to and Build Upon the September 2018 Proposed Regulations
The first set of the final regulations implement FIRRMA's expansion of the Committee's jurisdiction to now cover certain noncontrolling investments, whether direct or indirect, by a foreign person in certain types of U.S. businesses, including those that (i) produce, design, test, manufacture, fabricate, or develop one or more critical technologies; (ii) own, operate, manufacture, supply, or service critical infrastructure; or (iii) maintain or collect sensitive personal data of U.S. citizens that may be exploited in a manner that threatens national security. These companies are referred to in the final regulations as "TID U.S. businesses," which is an acronym for technology, infrastructure and data.
Sensitive Personal Data
The final regulations incorporate several revisions to the proposed regulations in response to concerns over the scope of CFIUS' jurisdiction over investments in U.S. businesses that maintain or collect sensitive personal data. In particular, while the proposed regulations generally required that each category of sensitive personal data be "identifiable data," or able to be used to distinguish or trace an individual's identity, to fall within the Committee's jurisdiction, it considered genetic testing data covered regardless of whether such data was identifiable. The final regulations now treat genetic testing data like all other categories of data, requiring that genetic testing data be identifiable to be within CFIUS' jurisdiction. The final regulations further limit the scope of genetic testing data by carving out from CFIUS' jurisdiction any such data that is "derived from databases maintained by the U.S. government and routinely provided to private parties for the purposes of research."
The final regulations also confirm CFIUS' jurisdiction over U.S. businesses that maintain or collect sensitive personal data on one million or more individuals within one year of completing the contemplated transaction or notifying the Committee. In a set of clarifying examples, the final regulations confirm that a U.S. business will satisfy the one million U.S. persons jurisdictional threshold if that business has met collected or maintained sensitive personal data at any time in the 12 months prior to the filing date of the CFIUS notice. Notably, parties must take into account data of U.S. persons collected prior to the relevant 12-month period, but that is retained by the U.S. business pursuant to a data retention policy during the relevant time period.
U.S. businesses that have a "demonstrated business objective" to maintain or collect sensitive personal data on more than one million individuals will also be subject to the Committee's jurisdiction under the final regulations if that data is an "integrated part" of the U.S. business's primary products or services. The final regulations indicate that CFIUS may consider investor pitch materials, including company projections concerning potential individual subscribers, when determining whether a U.S. business has demonstrated such a business objective.
The final regulations also retain several important aspects of the Treasury Department's pilot program concerning critical technologies, including the mandatory declaration requirement. However, the Treasury Department has indicated that it is considering whether to modify the scope of the mandatory declaration requirement from one based on North American Industry Classification System ("NAICS") codes to one based on export control licensing requirements.
The final regulations also include some examples to clarify the scope of the pilot program. For instance, in one example, the final regulations clarify that an investment in a U.S. business that manufactures a critical technology for "commercial off-the-shelf use" by businesses in various industries, including some identified as pilot program industries, would not require a mandatory declaration under the final regulations. While such an investment would still be a covered investment subject to the Committee's jurisdiction, the investment would not require a mandatory filing because the U.S. business would not have produced, designed, tested, manufactured, fabricated, or developed the critical technology specifically for use in or more pilot program industries.
The final regulations also except certain transactions previously considered subject to the mandatory declaration requirement. These newly excepted transactions include investments involving:
- Excepted foreign investors;
- Investors subject to an agreement to mitigate foreign ownership, control, or influence ("FOCI") and that operate under a valid facility security clearance pursuant to the National Industrial Security Program regulations;
- Certain encryption critical technologies that are eligible for export, reexport, or transfer (in country) pursuant to License Exception ENC of the Export Administration Regulations ("EAR"); and
- Investment funds that, among other things, are managed exclusively by a general partner, managing member, or equivalent that is not a foreign person or is ultimately controlled by a U.S. person.
The final regulations establish a mandatory filing requirement for investments involving foreign government investors that hold a "substantial interest" (i.e., a 49% interest) in a foreign person that is acquiring at least a 25% interest in a TID U.S. business under the contemplated transaction. The final regulations clarify that the substantial interest test only considers the interests of a single foreign government apart from any other foreign government interests. The final regulations also clarify that a single foreign government includes both the national and subnational governments and their respective departments, agencies, and instrumentalities. Thus, a transaction involving multiple investors with ownership interests traceable to a single foreign government, such as through the combination of a foreign government ministry, corporate entity, or sovereign wealth fund, should consider whether the foreign government's aggregate interest may trigger mandatory notification to the Committee. With respect to fund investments, the final regulations limit the substantial interest test to include only a foreign government's interest in a general partner, irrespective of the foreign government's interest in one or more limited partners.
With respect to foreign investments in U.S. real estate, the second set of final regulations largely retain the proposed regulations' expanded jurisdiction over "the purchase or lease by, or a concession to, a foreign person of private or public real estate" that is either:
- Within, or will function as part of, a covered port;
- Within close proximity (i.e., one mile) of certain specified U.S. military installations;
- Within an "extended range" (i.e., between one mile and 100 miles) of certain other enumerated military installations; and
- Within certain geographic areas associated with missile field and off-shore ranges.
The final regulations maintain the exceptions for real estate located in certain urbanized areas or clusters and single housing units. Whereas the proposed regulations provided an exception for retail trade, accommodation, and food services establishments covered by certain NAICS codes, the final regulations expand this exception to except from the Committee's jurisdiction any lease or concession of real estate that may be used only for purposes of engaging in the retail sale of consumer goods or services to the public without reference to applicable NAICS codes. The final regulations also except from CFIUS' jurisdiction transactions involving foreign air carriers that the U.S. Department of Homeland Security's Transportation Security Administration maintains oversight of through an accepted security program.
The Treasury Department also indicated that it would work to make available a web-based tool to allow the public to interact with and understand the geographic coverage of the final regulations relating to covered and excepted real estate transactions.
Other Changes From Proposed Regulations
The final regulations contain several other notable changes from, and clarifications to, the proposed regulations and include a number of additional examples illustrating and clarifying these changes.
Excepted foreign states. The proposed regulations introduced a process through which CFIUS would identify certain foreign states with sufficient investment protections in place to allow for the excepting of foreign investors with substantial connections to those foreign states from the Committee's jurisdiction over noncontrolling investments. In the final regulations, the Committee identified Australia, Canada, and the United Kingdom of Great Britain and Northern Ireland in its initial list of foreign states eligible for excepted foreign state status, which will be effective for a two-year period starting February 13, 2020. The Treasury Department clarified that CFIUS identified these countries due to "aspects of their robust intelligence-sharing and defense industrial base integration mechanisms with the United States" and indicated that CFIUS intentionally identified a limited number of foreign states due to the "potentially significant implications for U.S. national security." However, CFIUS may seek to expand this list in the future based on the specific criteria that CFIUS considers in making such determinations, which will separately be posted on the Treasury Department's website.
Excepted foreign investor. While controlling investments made by an excepted foreign investor will still be subject to the Committee’s jurisdiction, such transactions will not require the filing of a mandatory declaration. In addition, excepted foreign investors will be removed from the Committee's jurisdiction over noncontrolling covered investments in a TID U.S. business altogether. The final regulations revise the excepted foreign investor eligibility requirements to allow up to 25% of board representation of the investor to be comprised of foreign nationals from countries that are not excepted foreign states. The final regulations also permit foreign nationals of a nonexcepted foreign state to have up to a 10% ownership interest in an excepted foreign investor. Notably, the Treasury Department rejected public comments requesting that the Committee adopt a stand-alone category for excepting individual investors, or "trusted investors," from the Committee's jurisdiction irrespective of whether that investor has substantial connection to an excepted foreign state.
Principal place of business. Whereas the proposed regulations used the term "principal place of business" without referencing a specific definition, the final regulations propose a definition for the term that will become effective along with the final regulations on February 13, 2020. The proposed definition, which is subject to a 30-day public comment period, currently defines a company's principal place of business as "the primary location where an entity's management directs, controls, or coordinates the entity's activities, or, in the case of an investment fund, where the fund's activities and investments are primarily directed, controlled, or coordinated by or on behalf of a general partner, managing member, or equivalent." Once implemented in a final rule, the definition will be helpful for, among other things, determining whether a foreign investor has a substantial connection to an excepted foreign state.
Additional Rules on the Horizon
While the final regulations implement most of FIRRMA's provisions, some aspects of the Committee's jurisdiction and review process remain subject to future regulations. For example, as discussed above, the Treasury Department indicated it could shift the mandatory declaration requirement concerning critical technologies from an inquiry into applicable NAICS codes to instead an inquiry into applicable export control licensing requirements. Also, the definition of critical technologies is subject, in part, to a separate set of rules to be promulgated by the U.S. Department of Commerce Bureau of Industry and Security ("BIS"). Those rules will relate to "emerging and foundational technologies," which we previously discussed here.
FIRRMA also authorizes CFIUS to assess and collect fees associated with the parties' submission of a written notice, but the final regulations do not impose such filing fees. The Treasury Department indicated in its published FAQ sheet that it intends to publish a separate proposed rule regarding such fees at a later date.
More generally, the Treasury Department also indicated that "[g]iven the specificity of certain provisions" of the final regulations, it "anticipates that it will periodically review, and when necessary amend," the final regulations to appropriately respond to changes in technology and data use, as well as changes to the national security landscape.
Three Key Takeaways
- The Treasury Department's final regulations implement FIRRMA's provisions expanding the Committee's jurisdiction to review certain noncontrolling foreign investments in certain U.S. businesses and certain foreign investments in U.S. real estate, while incorporating several revisions based on public feedback on the Treasury Department's proposed regulations.
- The final regulations modify the circumstances in which foreign investors are obligated to file a mandatory declaration as well, except certain foreign investors and foreign investors with substantial ties to identified foreign states from the Committee's expanded jurisdiction over noncontrolling investments in TID businesses.
- The Treasury Department has identified several areas in which foreign investors and U.S. businesses' obligations could be affected by future regulations and rules, including the scope of critical technologies and criteria for determining eligibility for excepted foreign state status.
Jones Day publications should not be construed as legal advice on any specific facts or circumstances. The contents are intended for general information purposes only and may not be quoted or referred to in any other publication or proceeding without the prior written consent of the Firm, to be given or withheld at our discretion. To request reprint permission for any of our publications, please use our “Contact Us” form, which can be found on our website at www.jonesday.com. The mailing of this publication is not intended to create, and receipt of it does not constitute, an attorney-client relationship. The views set forth herein are the personal views of the authors and do not necessarily reflect those of the Firm.