On January 17, 2020, the US Treasury Department's Office of Investment Security published the final version of new regulations implementing major changes to the process by which the Committee on Foreign Investment in the United States (CFIUS) conducts its reviews. The new rules take effect on February 13, 2020 (the "Effective Date"), except for transactions completed prior to the Effective Date, or as to which the parties have executed a binding written agreement on the material terms of the transaction, a party has made a public offer to buy shares of the US business, or a shareholder has solicited proxies in connection with an election of the US business's board of directors.

These new rules were mandated by the Foreign Investment Risk Review Modernization Act of 2018 (FIRRMA). The new rules revise and reissue Part 800 of Title 31 of the Code of Federal Regulations (CFR)—the primary CFIUS implementing regulations—to, among other changes, include new types of non-controlling investments within CFIUS's review jurisdiction, expand the scope of the mandatory declarations program initiated by the critical technologies pilot program, allow for voluntary declarations and exempt from review certain investments from Canada, Australia and the UK. The rules also add a new Part 802, addressing real estate transactions subject to review by CFIUS. These final rules largely track those proposed in September 2019 (see our alert here) with some notable changes regarding the mandatory declaration process and the identification of excepted foreign states.

Here, we present key takeaways from the final rules.

Final Part 800

1. Expanded application of CFIUS to non-controlling "covered investments"

CFIUS jurisdiction now extends to "covered investments"—or investments that do not afford a foreign investor control of a business but meet certain other criteria—with respect to certain US businesses. The pilot program for critical technologies, which first required mandatory declarations in connection with certain transactions involving sensitive US businesses, also introduced CFIUS jurisdiction over non-controlling investments in such US businesses. The jurisdiction over non-controlling investments will now extend to certain investments in other businesses, called TID (technology, infrastructure and data) US Businesses, that deal with "critical infrastructure" and "sensitive personal data."

"Covered investments" include those that allow a foreign person access to material, non-public technical information of the TID US Business; membership or observer rights on a governing body; or involvement in substantive decision-making on certain matters relating generally to the use and/or development of critical technologies, critical infrastructure and/or sensitive personal data (defined further below).

As under the pilot program, "critical technologies" include items and services controlled under the International Traffic in Arms Regulations (ITAR), certain items controlled under the Export Administration Regulations (EAR), nuclear items, select agents and toxins and emerging and foundational technologies (the control scheme for which, while required under the Export Control Reform Act of 2018 (ECRA), has yet to be promulgated). A business dealing with critical technologies qualifies as a TID US Business if it produces, designs, tests, manufactures, fabricates or develops one or more such technologies.

"Critical infrastructure" is defined to include "systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems or assets would have a debilitating impact on national security." For an investment in critical infrastructure to be covered, the US business must perform specified functions or activities with respect to specified infrastructure. The functions and infrastructure types are set forth in an appendix to the new rule and include, for example, investments in any business that owns or operates (the function) internet exchange points that support public peering (the infrastructure).

"Sensitive personal data" is defined with respect to three elements: how it is maintained, the type of business that maintains it and what the data is. First, sensitive personal data must be identifiable. Encrypted data that cannot be decrypted by the US business is not identifiable, nor is aggregated or anonymized data that cannot be disaggregated or de-anonymized by either the US business or the foreign person.

Second, the business must target or tailor products or services to personnel and contractors of a US executive branch agency or military department with intelligence, national security or homeland security responsibilities; have maintained or collected sensitive personal data on more than one million individuals in the prior year; or have a demonstrated business objective to collect such data on more than one million persons and such data is a part of the business's primary products or services.

Third, the data must be within specified categories or types: data that could be used to analyze or determine an individual's financial distress or hardship; certain consumer credit data; certain insurance application data; data relating to an individual's physical, mental or psychological health; certain non-public electronic communications; geolocation data; biometric information; data stored for generating a state or federal identification card; information relating to an individual's security clearance or application for one; and certain genetic information. Genetic information only constitutes sensitive personal data, however, if it is the result of individual genetic testing. Accordingly, genetic data that is derived from US government databases and routinely provided to private parties for research is not sensitive personal data. Neither is data maintained or collected by a US business concerning its own employees, unless it pertains to security-cleared employees of US government contractors.

This definition aims to strike an appropriate balance between national security concerns and businesses' need to collect at least some data on individuals, including their own employees.

2. Australia, Canada and the UK identified as excepted foreign states; excepted investors defined

The expanded jurisdiction to review investments will be subject to certain exceptions for investments by "excepted investors," i.e., persons who are nationals exclusively of excepted foreign states (and the US) and investments by the foreign governments of "excepted foreign states." Only Australia, Canada and the UK have been identified as excepted foreign states at this time. This exception from coverage applies exclusively to covered investments, not covered control transactions, which will remain subject to review irrespective of the nationality of the foreign person involved.

For a business entity to be an "excepted investor," it and all of its parents must meet the following criteria:

  1. The entity must be organized under the laws of the US or the laws of an "excepted foreign state"
  2. The entity must have its "principal place of business," as defined below, in the US or an excepted foreign state
  3. 75 percent of the members or observers of its board of directors have to be US nationals or nationals of excepted foreign states
  4. Any foreign person who is an individual or is part of a group of foreign persons that holds in the aggregate 10 percent or more of the outstanding voting interest of; the rights to 10 percent or more of the profits in; in the event of dissolution, the right to 10 percent or more of the assets in; or otherwise exercises control over the entity, has to be a foreign national(s) exclusively of excepted foreign states, the foreign government(s) of excepted foreign state(s), or organized under the laws of and having their principal place of business in the US or in excepted foreign state(s)
  5. The "minimum excepted ownership"—set at a threshold of 80 percent—has to be held, individually or in the aggregate, by one or more persons each of whom is (a) either not a foreign person; (b) exclusively a national of one or more excepted foreign states; (c) the foreign government of an excepted foreign state; or (d) a foreign entity organized under the laws of an excepted foreign state with its principal place of business there

Australia, Canada and the UK will remain excepted for a period of two years, at which point this status will be reassessed. CFIUS intends to issue additional criteria by which other states can qualify as excepted foreign states.

An investor can also lose its excepted status. Disqualification criteria will include if an entity or any of its parents or subsidiaries have been the subject of certain enforcement actions by CFIUS, the Office of Foreign Assets Control (OFAC), the State Department, the Bureau of Industry and Security or the National Nuclear Security Administration; or if they have been convicted of a felony or entered a deferred prosecution or non-prosecution agreement with the Department of Justice with respect to a felony. Notably, if any of these disqualifying conditions occur within three years of completing a transaction excused from review on the basis of the investor's excepted status, CFIUS can seek to initiate review of the transaction.

3. Mandatory declarations expanded from pilot program

The mandatory filing requirements issued under the FIRRMA "critical technologies" pilot program previously in Part 801 are now incorporated into Part 800. US businesses within the pilot program remain subject to a mandatory declaration process under Part 800. Part 801 will remain in force only as to transactions completed prior to the Effective Date, or as to which the parties executed a binding written agreement as to the material terms of the transaction, a party made a public offer to buy shares of the US business or a shareholder solicited proxies in connection with an election of the US business's board of directors. 

For transactions involving critical technologies that occur after the Effective Date, the pilot program's requirement for a mandatory declaration is revised as follows: A mandatory declaration will now be required for investments that could result in foreign control of a TID US Business that provides, designs, tests, manufactures, fabricates or develops critical technologies used by the TID US Business in connection with its activity in one or more industries identified by its North American Industry Classification System (NAICS) code, or designed by the TID US Business specifically for use in one or more such industries. Notably, the Treasury Department intends to change this requirement in a separate rulemaking process from one based on NAICS codes to one based on the technologies' export control licensing requirement.

The mandatory declaration process will also cover a new category of transactions. Declarations will also be required for transactions in which a foreign person acquires a "substantial interest" in a TID US Business (defined as a voting interest of 25 percent or more) where a foreign government, except the foreign government of an excepted foreign state, owns a "substantial interest" (defined as a voting interest of 49 percent or more) in that foreign business. Where that foreign person holds an interest in an entity with a general partner or managing member (such as a limited partner in an investment fund), the foreign government will be considered to have a substantial interest only if it holds 49 percent or more of the voting interest in the general partner.

4. Exemptions from the mandatory declaration requirements

Certain types of transactions otherwise within the above two categories, however, will not require a mandatory declaration.

As to transactions that would otherwise require a declaration because they involve certain critical technologies, the following categories of persons and transactions will be exempt:

  • Covered control transactions involving "excepted investors," as defined above
  • Entities subject to certain "foreign ownership, control or influence" (FOCI) mitigation measures pursuant to National Industrial Security Program regulations, or operating under a valid facility security clearance
  • Investments in companies that are TID US Businesses exclusively because they are involved in certain types of controlled encryption technology
  • Investment funds managed exclusively and controlled ultimately by US nationals
  • Certain persons who lose their status as "excepted investors" for the disqualifying criteria described above

As to transactions that would otherwise require a declaration because they involve foreign governments other than excepted foreign states, no declaration will be required for a covered transaction by an investment fund managed exclusively by a general partner who is not a foreign person and whose advisory board meets certain other enumerated criteria.

Additionally, as applicable to both categories above, covered control transactions involving certain air carriers are exempt.

Importantly, however, these exemptions do not remove the above transactions from CFIUS review altogether. Rather, they excuse participants from the requirement to file a declaration.

5. Voluntary declarations now permitted

Parties to covered transactions that are not required to file a mandatory declaration will now have the option of filing a declaration instead of a notice, an option that was unavailable prior to FIRRMA. Such declarations are intended to be more concise than a full notice. CFIUS will also have 30 days—as opposed to 45 days—from receipt of a complete declaration to take certain actions. These will include concluding all action with respect to the transaction on the basis of the declaration; declining to conclude action on the basis of the declaration and inviting the parties to submit a notice; requesting that the parties file a notice in cases where CFIUS believes the transaction may raise national security considerations; or initiating a unilateral review of the transaction.

6. Principal place of business defined for purposes of determining foreign person and excepted investor status

As relevant to determining whether a business entity is a foreign person or an excepted investor, an entity's principal place of business will now be defined as "the primary location where [its] management directs, controls, or coordinates the entity's activities, or, in the case of an investment fund, where the fund's activities and investments are primarily directed, controlled, or coordinated by or on behalf of the general partner, managing member, or equivalent." If an entity's most recent filing to the US, a state or a foreign government indicates a non-US principal place of business, this representation will control, absent a showing of changed circumstances. Accordingly, an offshore investment fund managed by US persons in the US does not fall within the definition of a foreign entity.

This definition is issued as an interim rule, and may be amended after a 30-day comment period.

7. Potentially expanded definition of "US business"

A "US business" will be defined as "any entity, irrespective of the nationality of the persons that control it, engaged in interstate commerce in the United States." Although this definition raised concern that any business touching the US may be subject to CFIUS jurisdiction, even when it has no physical presence in the United States, CFIUS has clarified that "[t]he proposed definition tracks the language of FIRRMA and is not intended to suggest that the extent of a business's activities in interstate commerce in the United States is irrelevant to the Committee's analysis of national security risk." Additionally, examples accompanying this definition suggest that businesses not physically present in the US will generally not be subject to CFIUS review. For instance, a foreign company operating entirely from outside the US but that sells goods and services to unaffiliated companies in the US will not be considered a "US business" absent other relevant facts, even under the revised definition.

8. Special rules for investment funds

The FIRRMA pilot program introduced a clarification regarding certain investment-fund investments in pilot program US businesses. This clarification will now apply to any investment in a TID US Business. Accordingly, certain investments by a foreign person that occur indirectly through a fund that is managed exclusively by a general partner or managing member that is not a foreign person will not be a covered investment. For the exclusion to apply, the foreign limited partner must also not have certain control rights as to the fund or fund manager, or any of the non-control rights in the US business (including access to material non-public technical information) that would otherwise render a non-controlling investment in the US business "covered."

9. Continuing review jurisdiction over incremental acquisitions of investment interests

Historically, where CFIUS concluded review of a covered transaction under Part 800, i.e., a transaction in which a foreign person acquired control of a US business, incremental investments or acquisition of additional rights by that person have not been considered covered transactions subject to CFIUS review. That rule remains in effect as to covered control transactions. In the case of covered investments, however, additional investment by a foreign person following a concluded CFIUS review may constitute a new covered transaction subject to further review.

10. Covered transactions in bankruptcy are expressly subject to review

A covered control transaction or a covered investment that arises under a bankruptcy proceeding or other form of default on debt will be a covered transaction subject to CFIUS review.

Final Part 802

11. "Covered real estate transactions" subject to CFIUS review

In addition to those applicable to "covered investments," FIRRMA also introduced new rules on "covered real estate transactions," to be codified at 31 CFR Part 802. Accordingly, CFIUS jurisdiction will now cover certain kinds of transactions involving the purchase, leasing or concession to a foreign person of certain private or public real estate in the US, depending on the property's location. Prior to FIRRMA, CFIUS had jurisdiction only to review an acquisition of real estate if it was part of a transaction that could result in control by a foreign person of a US business, which effectively did not include greenfield investments. CFIUS jurisdiction will now extend to certain types of real estate transactions, even where they do not involve a US business.

12. "Covered real estate" defined

Two general categories of real estate will now be subject to review. The first includes real estate that is, is located within, or will function as part of an airport or maritime port. The second includes real estate that is within certain specified distances from various military installations and other properties of the US government that have national security significance. Facilities with greater sensitivity have a larger zone around them within which covered real estate may fall. The final rule identifies the types of facilities that are subject to these various covered zones and also specifies particular facilities or geographic areas to which the various covered zones would apply in a four-part Appendix to Part 802.

The smallest covered zone in which "covered real estate" may fall in relation to a facility is "close proximity," or one mile from the boundary of the facility. Certain military installations are subject to an "extended range," defined as 99 miles from the outer boundary of "close proximity," or up to 12 nautical miles from the coastline where the extended range falls offshore. In the case of certain military installations (which largely—but not exclusively—fall in very rural areas), entire counties, towns or portions thereof are within the covered zone. Finally, the covered zone of numerous Navy offshore operating areas and ranges extends 12 nautical miles from the coastline.

13. "Covered real estate transactions" defined

Transactions that involve covered real estate will be subject to CFIUS review if they involve (1) "any purchase or lease by, or concession to, a foreign person of covered real estate, that affords the foreign person at least three of the property rights listed in" the regulations; (2) a change in the rights of a foreign person with respect to covered real estate, if that change could result in the foreign person having at least three property rights listed in the regulations; or (3) any other transaction that is intended to evade CFIUS rules as they relate to real estate.

Applicable property rights include the right to physically access, exclude others, improve or develop, or attach structures or objects to the real estate. At least three of these four rights must exist for the transaction to be covered.

14. Certain real estate, transactions and investors excepted from Part 802

Part 802, like Part 800, contains provisions that will except investments by certain categories of investors associated with "excepted foreign states" from review. Excepted foreign states for purposes of Part 802 will be the same as under Part 800, namely, Australia, Canada and the UK.

Part 802 will also except certain types of real estate from the definition of "covered real estate." These exceptions include purchases, leases or concessions involving real estate within an urbanized area or urban cluster; single-housing units; land owned by or held in trust for certain Native American groups; and, under certain conditions pertaining to aggregate foreign ownership or tenancy, office spaces within a multi-unit commercial office building. They also include leases or concessions (but not sales) of real estate that falls within airports or maritime ports and is exclusively usable for retail trade, accommodation or food service establishments. Furthermore, to avoid multiple filing requirements, a real estate transaction that is also a covered transaction under Part 800 will be excepted from Part 802.

15. Optional declarations are available for covered real estate transactions

Parties to a covered real estate transaction may file a declaration, but there will be no mandatory declaration provision in Part 802.

16. Still no fees

FIRRMA authorizes CFIUS to assess fees in connection with filings. The new regulations do not contain any provision for fees, but the committee has stated it intends to publish separate proposed regulations addressing filing fees in the future.

Dentons' Federal Regulatory and Compliance team continues to monitor the FIRRMA rulemaking process.

About Dentons

Dentons is the world's first polycentric global law firm. A top 20 firm on the Acritas 2015 Global Elite Brand Index, the Firm is committed to challenging the status quo in delivering consistent and uncompromising quality and value in new and inventive ways. Driven to provide clients a competitive edge, and connected to the communities where its clients want to do business, Dentons knows that understanding local cultures is crucial to successfully completing a deal, resolving a dispute or solving a business challenge. Now the world's largest law firm, Dentons' global team builds agile, tailored solutions to meet the local, national and global needs of private and public clients of any size in more than 125 locations serving 50-plus countries. www.dentons.com.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.